From 36b271474d8fb01869c928e2668c7dce08c149f3 Mon Sep 17 00:00:00 2001 From: Frank Suits Date: Thu, 28 Apr 2022 14:00:23 +1000 Subject: [PATCH 1/2] demos work with trestle 1.0.x 
Signed-off-by: Frank Suits --- .pre-commit-config.yaml | 6 +- .../catalogs/ISM_April_2020/catalog.json | 6724 ++++++------ .../catalogs/ISM_April_2021/catalog.json | 7352 ++++++------- .../catalogs/ISM_August_2020/catalog.json | 7248 ++++++------- .../catalogs/ISM_December_2019/catalog.json | 6692 ++++++------ .../catalogs/ISM_December_2020/catalog.json | 7410 ++++++------- .../catalogs/ISM_December_2021/catalog.json | 9407 +++++++++++++++++ .../catalogs/ISM_February_2021/catalog.json | 7460 ++++++------- .../catalogs/ISM_January_2021/catalog.json | 7460 ++++++------- .../catalogs/ISM_July_2020/catalog.json | 6890 ++++++------ .../catalogs/ISM_June_2020/catalog.json | 6696 ++++++------ .../catalogs/ISM_March_2020/catalog.json | 6778 ++++++------ .../catalogs/ISM_March_2021/catalog.json | 7352 ++++++------- .../catalogs/ISM_May_2020/catalog.json | 6788 ++++++------ .../catalogs/ISM_November_2020/catalog.json | 7368 ++++++------- .../catalogs/ISM_October_2020/catalog.json | 7282 ++++++------- .../catalogs/ISM_September_2020/catalog.json | 7156 ++++++------- .../catalogs/ISM_September_2021/catalog.json | 7692 +++++++------- .../ISM_April_2020_OFFICIAL/profile.json | 968 +- .../ISM_April_2020_PROTECTED/profile.json | 978 +- .../ISM_April_2020_SECRET/profile.json | 986 +- .../ISM_April_2020_TOP_SECRET/profile.json | 1000 +- .../ISM_April_2021_OFFICIAL/profile.json | 1182 +-- .../ISM_April_2021_PROTECTED/profile.json | 1184 +-- .../ISM_April_2021_SECRET/profile.json | 1248 +-- .../ISM_April_2021_TOP_SECRET/profile.json | 1258 +-- .../ISM_August_2020_OFFICIAL/profile.json | 1052 +- .../ISM_August_2020_PROTECTED/profile.json | 1106 +- .../ISM_August_2020_SECRET/profile.json | 1094 +- .../ISM_August_2020_TOP_SECRET/profile.json | 1208 +-- .../ISM_December_2019_OFFICIAL/profile.json | 932 +- .../ISM_December_2019_PROTECTED/profile.json | 938 +- .../ISM_December_2019_SECRET/profile.json | 954 +- .../ISM_December_2019_TOP_SECRET/profile.json | 974 +- 
.../ISM_December_2020_OFFICIAL/profile.json | 1190 +-- .../ISM_December_2020_PROTECTED/profile.json | 1192 +-- .../ISM_December_2020_SECRET/profile.json | 1248 +-- .../ISM_December_2020_TOP_SECRET/profile.json | 1256 +-- .../ISM_December_2021_OFFICIAL/profile.json | 741 ++ .../ISM_December_2021_PROTECTED/profile.json | 741 ++ .../ISM_December_2021_SECRET/profile.json | 799 ++ .../ISM_December_2021_TOP_SECRET/profile.json | 807 ++ .../ISM_February_2021_OFFICIAL/profile.json | 1196 +-- .../ISM_February_2021_PROTECTED/profile.json | 1198 +-- .../ISM_February_2021_SECRET/profile.json | 1260 +-- .../ISM_February_2021_TOP_SECRET/profile.json | 1268 +-- .../ISM_January_2021_OFFICIAL/profile.json | 1196 +-- .../ISM_January_2021_PROTECTED/profile.json | 1198 +-- .../ISM_January_2021_SECRET/profile.json | 1260 +-- .../ISM_January_2021_TOP_SECRET/profile.json | 1268 +-- .../ISM_July_2020_OFFICIAL/profile.json | 966 +- .../ISM_July_2020_PROTECTED/profile.json | 976 +- .../ISM_July_2020_SECRET/profile.json | 958 +- .../ISM_July_2020_TOP_SECRET/profile.json | 970 +- .../ISM_June_2020_OFFICIAL/profile.json | 954 +- .../ISM_June_2020_PROTECTED/profile.json | 954 +- .../ISM_June_2020_SECRET/profile.json | 942 +- .../ISM_June_2020_TOP_SECRET/profile.json | 952 +- .../ISM_March_2020_OFFICIAL/profile.json | 970 +- .../ISM_March_2020_PROTECTED/profile.json | 980 +- .../ISM_March_2020_SECRET/profile.json | 988 +- .../ISM_March_2020_TOP_SECRET/profile.json | 996 +- .../ISM_March_2021_OFFICIAL/profile.json | 1182 +-- .../ISM_March_2021_PROTECTED/profile.json | 1184 +-- .../ISM_March_2021_SECRET/profile.json | 1248 +-- .../ISM_March_2021_TOP_SECRET/profile.json | 1258 +-- .../ISM_May_2020_OFFICIAL/profile.json | 972 +- .../ISM_May_2020_PROTECTED/profile.json | 982 +- .../profiles/ISM_May_2020_SECRET/profile.json | 990 +- .../ISM_May_2020_TOP_SECRET/profile.json | 1000 +- .../ISM_November_2020_OFFICIAL/profile.json | 1186 +-- .../ISM_November_2020_PROTECTED/profile.json | 1188 +-- 
.../ISM_November_2020_SECRET/profile.json | 1242 +-- .../ISM_November_2020_TOP_SECRET/profile.json | 1250 +-- .../ISM_October_2020_OFFICIAL/profile.json | 1078 +- .../ISM_October_2020_PROTECTED/profile.json | 1080 +- .../ISM_October_2020_SECRET/profile.json | 1124 +- .../ISM_October_2020_TOP_SECRET/profile.json | 1246 +-- .../ISM_September_2020_OFFICIAL/profile.json | 1052 +- .../ISM_September_2020_PROTECTED/profile.json | 1052 +- .../ISM_September_2020_SECRET/profile.json | 1092 +- .../profile.json | 1208 +-- .../ISM_September_2021_OFFICIAL/profile.json | 1298 +-- .../ISM_September_2021_PROTECTED/profile.json | 1298 +-- .../ISM_September_2021_SECRET/profile.json | 1312 +-- .../profile.json | 1322 +-- ISM_catalog_profile/scripts/ISM/ISM.py | 10 +- ISM_catalog_profile/scripts/ISM/README.md | 2 + README.md | 2 + ssp_author_demo/README.md | 12 +- .../profiles/800-53-low/profile.json | 2 +- .../system-security-plan.json | 6544 +++++------- ssp_author_demo/test_system/ac/ac-1.md | 6 + ssp_author_demo/test_system/ac/ac-14.md | 29 +- ssp_author_demo/test_system/ac/ac-17.md | 27 +- ssp_author_demo/test_system/ac/ac-18.md | 27 +- ssp_author_demo/test_system/ac/ac-19.md | 31 +- ssp_author_demo/test_system/ac/ac-2.md | 90 +- ssp_author_demo/test_system/ac/ac-20.md | 34 +- ssp_author_demo/test_system/ac/ac-22.md | 39 +- ssp_author_demo/test_system/ac/ac-3.md | 20 +- ssp_author_demo/test_system/ac/ac-7.md | 31 +- ssp_author_demo/test_system/ac/ac-8.md | 34 +- ssp_author_demo/test_system/at/at-1.md | 40 +- ssp_author_demo/test_system/at/at-2.2.md | 20 +- ssp_author_demo/test_system/at/at-2.md | 44 +- ssp_author_demo/test_system/at/at-3.md | 38 +- ssp_author_demo/test_system/at/at-4.md | 29 +- ssp_author_demo/test_system/au/au-1.md | 40 +- ssp_author_demo/test_system/au/au-11.md | 20 +- ssp_author_demo/test_system/au/au-12.md | 36 +- ssp_author_demo/test_system/au/au-2.md | 52 +- ssp_author_demo/test_system/au/au-3.md | 61 +- ssp_author_demo/test_system/au/au-4.md | 20 +- 
ssp_author_demo/test_system/au/au-5.md | 31 +- ssp_author_demo/test_system/au/au-6.md | 36 +- ssp_author_demo/test_system/au/au-8.md | 29 +- ssp_author_demo/test_system/au/au-9.md | 29 +- ssp_author_demo/test_system/ca/ca-1.md | 40 +- ssp_author_demo/test_system/ca/ca-2.md | 54 +- ssp_author_demo/test_system/ca/ca-3.md | 38 +- ssp_author_demo/test_system/ca/ca-5.md | 29 +- ssp_author_demo/test_system/ca/ca-6.md | 42 +- ssp_author_demo/test_system/ca/ca-7.4.md | 40 +- ssp_author_demo/test_system/ca/ca-7.md | 70 +- ssp_author_demo/test_system/ca/ca-9.md | 43 +- ssp_author_demo/test_system/cm/cm-1.md | 40 +- ssp_author_demo/test_system/cm/cm-10.md | 32 +- ssp_author_demo/test_system/cm/cm-11.md | 38 +- ssp_author_demo/test_system/cm/cm-2.md | 30 +- ssp_author_demo/test_system/cm/cm-4.md | 20 +- ssp_author_demo/test_system/cm/cm-5.md | 20 +- ssp_author_demo/test_system/cm/cm-6.md | 45 +- ssp_author_demo/test_system/cm/cm-7.md | 31 +- ssp_author_demo/test_system/cm/cm-8.md | 32 +- ssp_author_demo/test_system/cp/cp-1.md | 40 +- ssp_author_demo/test_system/cp/cp-10.md | 20 +- ssp_author_demo/test_system/cp/cp-2.md | 60 +- ssp_author_demo/test_system/cp/cp-3.md | 32 +- ssp_author_demo/test_system/cp/cp-4.md | 34 +- ssp_author_demo/test_system/cp/cp-9.md | 43 +- ssp_author_demo/test_system/ia/ia-1.md | 40 +- ssp_author_demo/test_system/ia/ia-11.md | 20 +- ssp_author_demo/test_system/ia/ia-2.1.md | 20 +- ssp_author_demo/test_system/ia/ia-2.12.md | 20 +- ssp_author_demo/test_system/ia/ia-2.2.md | 20 +- ssp_author_demo/test_system/ia/ia-2.8.md | 20 +- ssp_author_demo/test_system/ia/ia-2.md | 24 +- ssp_author_demo/test_system/ia/ia-4.md | 47 +- ssp_author_demo/test_system/ia/ia-5.1.md | 75 +- ssp_author_demo/test_system/ia/ia-5.md | 84 +- ssp_author_demo/test_system/ia/ia-6.md | 20 +- ssp_author_demo/test_system/ia/ia-7.md | 20 +- ssp_author_demo/test_system/ia/ia-8.1.md | 20 +- ssp_author_demo/test_system/ia/ia-8.2.md | 27 +- ssp_author_demo/test_system/ia/ia-8.4.md | 20 +- 
ssp_author_demo/test_system/ia/ia-8.md | 20 +- ssp_author_demo/test_system/ir/ir-1.md | 40 +- ssp_author_demo/test_system/ir/ir-2.md | 32 +- ssp_author_demo/test_system/ir/ir-4.md | 37 +- ssp_author_demo/test_system/ir/ir-5.md | 20 +- ssp_author_demo/test_system/ir/ir-6.md | 31 +- ssp_author_demo/test_system/ir/ir-7.md | 20 +- ssp_author_demo/test_system/ir/ir-8.md | 46 +- ssp_author_demo/test_system/ma/ma-1.md | 40 +- ssp_author_demo/test_system/ma/ma-2.md | 53 +- ssp_author_demo/test_system/ma/ma-4.md | 42 +- ssp_author_demo/test_system/ma/ma-5.md | 32 +- ssp_author_demo/test_system/mp/mp-1.md | 40 +- ssp_author_demo/test_system/mp/mp-2.md | 20 +- ssp_author_demo/test_system/mp/mp-6.md | 29 +- ssp_author_demo/test_system/mp/mp-7.md | 29 +- ssp_author_demo/test_system/pe/pe-1.md | 40 +- ssp_author_demo/test_system/pe/pe-12.md | 20 +- ssp_author_demo/test_system/pe/pe-13.md | 20 +- ssp_author_demo/test_system/pe/pe-14.md | 31 +- ssp_author_demo/test_system/pe/pe-15.md | 20 +- ssp_author_demo/test_system/pe/pe-16.md | 29 +- ssp_author_demo/test_system/pe/pe-2.md | 39 +- ssp_author_demo/test_system/pe/pe-3.md | 60 +- ssp_author_demo/test_system/pe/pe-6.md | 34 +- ssp_author_demo/test_system/pe/pe-8.md | 38 +- ssp_author_demo/test_system/pl/pl-1.md | 40 +- ssp_author_demo/test_system/pl/pl-10.md | 20 +- ssp_author_demo/test_system/pl/pl-11.md | 20 +- ssp_author_demo/test_system/pl/pl-2.md | 50 +- ssp_author_demo/test_system/pl/pl-4.1.md | 40 +- ssp_author_demo/test_system/pl/pl-4.md | 41 +- ssp_author_demo/test_system/ps/ps-1.md | 40 +- ssp_author_demo/test_system/ps/ps-2.md | 34 +- ssp_author_demo/test_system/ps/ps-3.md | 29 +- ssp_author_demo/test_system/ps/ps-4.md | 54 +- ssp_author_demo/test_system/ps/ps-5.md | 41 +- ssp_author_demo/test_system/ps/ps-6.md | 34 +- ssp_author_demo/test_system/ps/ps-7.md | 44 +- ssp_author_demo/test_system/ps/ps-8.md | 29 +- ssp_author_demo/test_system/ps/ps-9.md | 20 +- ssp_author_demo/test_system/ra/ra-1.md | 40 +- 
ssp_author_demo/test_system/ra/ra-2.md | 36 +- ssp_author_demo/test_system/ra/ra-3.1.md | 31 +- ssp_author_demo/test_system/ra/ra-3.md | 54 +- ssp_author_demo/test_system/ra/ra-5.11.md | 20 +- ssp_author_demo/test_system/ra/ra-5.2.md | 20 +- ssp_author_demo/test_system/ra/ra-5.md | 54 +- ssp_author_demo/test_system/ra/ra-7.md | 20 +- ssp_author_demo/test_system/sa/sa-1.md | 40 +- ssp_author_demo/test_system/sa/sa-2.md | 32 +- ssp_author_demo/test_system/sa/sa-22.md | 31 +- ssp_author_demo/test_system/sa/sa-3.md | 41 +- ssp_author_demo/test_system/sa/sa-4.10.md | 20 +- ssp_author_demo/test_system/sa/sa-4.md | 86 +- ssp_author_demo/test_system/sa/sa-5.md | 38 +- ssp_author_demo/test_system/sa/sa-8.md | 24 +- ssp_author_demo/test_system/sa/sa-9.md | 36 +- ssp_author_demo/test_system/sc/sc-1.md | 40 +- ssp_author_demo/test_system/sc/sc-12.md | 20 +- ssp_author_demo/test_system/sc/sc-13.md | 31 +- ssp_author_demo/test_system/sc/sc-15.md | 29 +- ssp_author_demo/test_system/sc/sc-20.md | 27 +- ssp_author_demo/test_system/sc/sc-21.md | 20 +- ssp_author_demo/test_system/sc/sc-22.md | 20 +- ssp_author_demo/test_system/sc/sc-39.md | 20 +- ssp_author_demo/test_system/sc/sc-5.md | 31 +- ssp_author_demo/test_system/sc/sc-7.md | 34 +- ssp_author_demo/test_system/si/si-1.md | 40 +- ssp_author_demo/test_system/si/si-12.md | 20 +- ssp_author_demo/test_system/si/si-2.md | 41 +- ssp_author_demo/test_system/si/si-3.md | 44 +- ssp_author_demo/test_system/si/si-4.md | 54 +- ssp_author_demo/test_system/si/si-5.md | 41 +- ssp_author_demo/test_system/sr/sr-1.md | 40 +- ssp_author_demo/test_system/sr/sr-10.md | 20 +- ssp_author_demo/test_system/sr/sr-11.1.md | 20 +- ssp_author_demo/test_system/sr/sr-11.2.md | 20 +- ssp_author_demo/test_system/sr/sr-11.md | 29 +- ssp_author_demo/test_system/sr/sr-12.md | 20 +- ssp_author_demo/test_system/sr/sr-2.1.md | 20 +- ssp_author_demo/test_system/sr/sr-2.md | 38 +- ssp_author_demo/test_system/sr/sr-3.md | 38 +- ssp_author_demo/test_system/sr/sr-5.md | 
20 +- ssp_author_demo/test_system/sr/sr-8.md | 20 +- trestle_flask_api/README.md | 2 + trestle_flask_api/setup.cfg | 2 +- trestle_k8s/README.md | 3 +- trestle_k8s/k8s-to-oscal.py | 2 +- trestle_repo_api_examples/README.md | 2 +- trestle_repo_api_examples/repo-examples.py | 5 +- trestle_sdk_examples/README.md | 2 +- trestle_task_osco_to_oscal/README.md | 37 +- .../demo-osco-to-oscal.config | 2 +- .../README.md | 99 +- .../demo-xlsx-to-component-definition.config | 2 +- .../demo.xlsx | Bin 7328 -> 7527 bytes .../trestle-workspace/catalogs/catalog.json | 6 +- .../component-definition.json | 667 +- 255 files changed, 112101 insertions(+), 98454 deletions(-) create mode 100644 ISM_catalog_profile/catalogs/ISM_December_2021/catalog.json create mode 100644 ISM_catalog_profile/profiles/ISM_December_2021_OFFICIAL/profile.json create mode 100644 ISM_catalog_profile/profiles/ISM_December_2021_PROTECTED/profile.json create mode 100644 ISM_catalog_profile/profiles/ISM_December_2021_SECRET/profile.json create mode 100644 ISM_catalog_profile/profiles/ISM_December_2021_TOP_SECRET/profile.json diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index bf190e8..bda3fc6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,13 +1,13 @@ repos: - repo: https://github.com/pre-commit/mirrors-yapf - rev: v0.30.0 + rev: v0.32.0 hooks: - id: yapf args: [--in-place, --parallel, --recursive, --style, .yapf-config] exclude: "(oscal|third_party)" stages: [commit] - repo: https://gitlab.com/pycqa/flake8 - rev: 3.8.4 + rev: 3.9.2 hooks: - id: flake8 args: [--extend-ignore, "P1,C812,C813,C814,C815,C816,W503,W605"] 
@@ -33,7 +33,7 @@ repos: exclude: "(oscal|third_party)" stages: [commit] - repo: https://github.com/executablebooks/mdformat - rev: 0.7.1 # Do not change version. 0.6.0 introduces breaking changes. + rev: 0.7.14 # Do not change version. 0.6.0 introduces breaking changes. hooks: - id: mdformat exclude: "CHANGELOG.md|docs/mkdocs_code_of_conduct.md|docs/api_reference|tests/data/md" diff --git a/ISM_catalog_profile/catalogs/ISM_April_2020/catalog.json b/ISM_catalog_profile/catalogs/ISM_April_2020/catalog.json index 9ea4d5b..7a85a34 100644 --- a/ISM_catalog_profile/catalogs/ISM_April_2020/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_April_2020/catalog.json 
@@ -1,748 +1,731 @@ { "catalog": { - "uuid": "9a103727-dbc4-4610-bcc1-658ec2aaf9f9", + "uuid": "70f6f364-70f1-4fb0-8f23-88bcf795fbc4", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:21:14.189+00:00", + "last-modified": "2022-04-28T11:45:23.554286+10:00", "version": "April_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration", + "id": "control-0580", + "title": "Event logging and auditing", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "System administration", + "id": "control-1405", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1382", - "title": "System administration", + "id": "control-0988", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1381", - "title": "System administration", + "id": "control-0584", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1383", - "title": "System administration", + "id": "control-0582", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for operating systems:\n§ access to important data and processes\n§ application crashes and any error messages\n§ attempts to use special privileges\n§ changes to accounts\n§ changes to security policy\n§ changes to system configurations\n§ Domain Name System (DNS) and Hypertext Transfer Protocol requests\n§ failed attempts to access data and system resources\n§ service failures and restarts\n§ system startup and shutdown\n§ transfer of data to external media\n§ user or group management\n§ use of special privileges." 
} ] }, { - "id": "control-1384", - "title": "System administration", + "id": "control-1536", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1384-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate users each time they perform privileged actions." + "prose": "The following events are logged for web applications:\n§ attempted access that is denied\n§ crashes and any error messages\n§ search queries initiated by users." } ] }, { - "id": "control-1385", - "title": "System administration", + "id": "control-1537", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1385-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for databases:\n§ access to particularly important information\n§ addition of new users, especially privileged users\n§ any query containing comments\n§ any query containing multiple embedded queries\n§ any query or database alerts or failures\n§ attempts to elevate privileges\n§ attempted access that is successful or unsuccessful\n§ changes to the database structure\n§ changes to user roles or database permissions\n§ database administrator actions\n§ database logons and logoffs\n§ modifications to data\n§ use of executable commands." } ] }, { - "id": "control-1386", - "title": "System administration", + "id": "control-0585", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1386-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-1387", - "title": "System administration", + "id": "control-0586", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] }, { - "id": "control-1388", - "title": "System administration", + "id": "control-0859", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management", + "id": "control-0991", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n§ identification and documentation of requests for change\n§ approval required for changes to be made\n§ implementation and testing of approved changes\n§ the maintenance of system and security documentation." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "System patching", + "id": "control-0109", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1493", - "title": "System patching", + "id": "control-1228", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1493-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media_management", + "title": "Guidelines for Media Management", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-1144", - "title": "System patching", + "id": "control-0363", + "title": "Media destruction", "parts": [ { - "id": "control-1144-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
+ "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-0940", - "title": "System patching", + "id": "control-0350", + "title": "Media destruction", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n§ microfiche and microfilm\n§ optical discs\n§ programmable read-only memory\n§ read-only memory\n§ other types of media that cannot be sanitised\n§ faulty media that cannot be successfully sanitised." } ] }, { - "id": "control-1472", - "title": "System patching", + "id": "control-1361", + "title": "Media destruction", "parts": [ { - "id": "control-1472-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "SCEC or ASIO approved equipment is used when destroying media." } ] }, { - "id": "control-1494", - "title": "System patching", + "id": "control-1160", + "title": "Media destruction", "parts": [ { - "id": "control-1494-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
+ "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency or certified by the United Kingdom’s National Cyber Security Centre are used." } ] }, { - "id": "control-1495", - "title": "System patching", + "id": "control-1517", + "title": "Media destruction", "parts": [ { - "id": "control-1495-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." } ] }, { - "id": "control-1496", - "title": "System patching", + "id": "control-0366", + "title": "Media destruction", "parts": [ { - "id": "control-1496-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." } ] }, { - "id": "control-0300", - "title": "System patching", + "id": "control-0368", + "title": "Media destruction", "parts": [ { - "id": "control-0300-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." 
+ "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." } ] }, { - "id": "control-0298", - "title": "System patching", + "id": "control-0361", + "title": "Media destruction", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." } ] }, { - "id": "control-0303", - "title": "System patching", + "id": "control-0838", + "title": "Media destruction", "parts": [ { - "id": "control-0303-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." } ] }, { - "id": "control-1497", - "title": "System patching", + "id": "control-0362", + "title": "Media destruction", "parts": [ { - "id": "control-1497-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." 
} ] }, { - "id": "control-1498", - "title": "System patching", + "id": "control-0370", + "title": "Media destruction", "parts": [ { - "id": "control-1498-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1499", - "title": "System patching", + "id": "control-0371", + "title": "Media destruction", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." } ] }, { - "id": "control-1500", - "title": "System patching", + "id": "control-0372", + "title": "Media destruction", "parts": [ { - "id": "control-1500-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." 
} ] }, { - "id": "control-0304", - "title": "System patching", + "id": "control-0373", + "title": "Media destruction", "parts": [ { - "id": "control-0304-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." } ] }, { - "id": "control-1501", - "title": "System patching", + "id": "control-0840", + "title": "Media destruction", "parts": [ { - "id": "control-1501-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." } ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ + }, { - "id": "control-1510", - "title": "Data backup and restoration", + "id": "control-0839", + "title": "Media destruction", "parts": [ { - "id": "control-1510-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." 
} ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-1547", - "title": "Data backup and restoration", + "id": "control-0374", + "title": "Media disposal", "parts": [ { - "id": "control-1547-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." } ] }, { - "id": "control-1548", - "title": "Data backup and restoration", + "id": "control-0375", + "title": "Media disposal", "parts": [ { - "id": "control-1548-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1511", - "title": "Data backup and restoration", + "id": "control-0378", + "title": "Media disposal", "parts": [ { - "id": "control-1511-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." 
} ] - }, + } + ] + }, + { + "id": "media_usage", + "title": "Media usage", + "controls": [ { - "id": "control-1512", - "title": "Data backup and restoration", + "id": "control-1549", + "title": "Media usage", "parts": [ { - "id": "control-1512-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-1513", - "title": "Data backup and restoration", + "id": "control-1359", + "title": "Media usage", "parts": [ { - "id": "control-1513-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." + "prose": "A removable media usage policy is developed and implemented." } ] }, { - "id": "control-1514", - "title": "Data backup and restoration", + "id": "control-0323", + "title": "Media usage", "parts": [ { - "id": "control-1514-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." } ] }, { - "id": "control-1515", - "title": "Data backup and restoration", + "id": "control-0325", + "title": "Media usage", "parts": [ { - "id": "control-1515-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." 
} ] }, { - "id": "control-1516", - "title": "Data backup and restoration", + "id": "control-0331", + "title": "Media usage", "parts": [ { - "id": "control-1516-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email_management", - "title": "Guidelines for Email Management", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage", + "id": "control-0330", + "title": "Media usage", "parts": [ { - "id": "control-0264-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." } ] }, { - "id": "control-0267", - "title": "Email usage", + "id": "control-0332", + "title": "Media usage", "parts": [ { - "id": "control-0267-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
} ] }, { - "id": "control-0270", - "title": "Email usage", + "id": "control-0337", + "title": "Media usage", "parts": [ { - "id": "control-0270-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." } ] }, { - "id": "control-0271", - "title": "Email usage", + "id": "control-0341", + "title": "Media usage", "parts": [ { - "id": "control-0271-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." } ] }, { - "id": "control-0272", - "title": "Email usage", + "id": "control-0342", + "title": "Media usage", "parts": [ { - "id": "control-0272-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-1089", - "title": "Email usage", + "id": "control-0343", + "title": "Media usage", "parts": [ { - "id": "control-1089-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." 
} ] }, { - "id": "control-0565", - "title": "Email usage", + "id": "control-0345", + "title": "Media usage", "parts": [ { - "id": "control-0565-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." + "prose": "External interface connections that allow DMA are disabled." } ] }, { - "id": "control-1023", - "title": "Email usage", + "id": "control-0831", + "title": "Media usage", "parts": [ { - "id": "control-1023-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." } ] }, { - "id": "control-0269", - "title": "Email usage", + "id": "control-1059", + "title": "Media usage", "parts": [ { - "id": "control-0269-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "Emails containing AUSTEO or AGAO information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1539", - "title": "Email usage", + "id": "control-0347", + "title": "Media usage", "parts": [ { - "id": "control-1539-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." 
} ] } ] }, { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", + "id": "media_sanitisation", + "title": "Media sanitisation", "controls": [ { - "id": "control-0569", - "title": "Email gateways and servers", + "id": "control-0348", + "title": "Media sanitisation", "parts": [ { - "id": "control-0569-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0571", - "title": "Email gateways and servers", + "id": "control-0351", + "title": "Media sanitisation", "parts": [ { - "id": "control-0571-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0570", - "title": "Email gateways and servers", + "id": "control-0352", + "title": "Media sanitisation", "parts": [ { - "id": "control-0570-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." 
} ] }, { - "id": "control-0567", - "title": "Email gateways and servers", + "id": "control-0835", + "title": "Media sanitisation", "parts": [ { - "id": "control-0567-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-0572", - "title": "Email gateways and servers", + "id": "control-1065", + "title": "Media sanitisation", "parts": [ { - "id": "control-0572-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." + "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-0574", - "title": "Email gateways and servers", + "id": "control-0354", + "title": "Media sanitisation", "parts": [ { - "id": "control-0574-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." + "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1183", - "title": "Email gateways and servers", + "id": "control-1067", + "title": "Media sanitisation", "parts": [ { - "id": "control-1183-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." } ] }, { - "id": "control-1151", - "title": "Email gateways and servers", - "parts": [ - { - "id": "control-1151-stmt", - "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." - } - ] - }, - { - "id": "control-1152", - "title": "Email gateways and servers", + "id": "control-0356", + "title": "Media sanitisation", "parts": [ { - "id": "control-1152-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-0861", - "title": "Email gateways and servers", + "id": "control-0357", + "title": "Media sanitisation", "parts": [ { - "id": "control-0861-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1026", - "title": "Email gateways and servers", + "id": "control-0836", + "title": "Media sanitisation", "parts": [ { - "id": "control-1026-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." + "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1027", - "title": "Email gateways and servers", + "id": "control-0358", + "title": "Media sanitisation", "parts": [ { - "id": "control-1027-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-1540", - "title": "Email gateways and servers", + "id": "control-0359", + "title": "Media sanitisation", "parts": [ { - "id": "control-1540-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1234", - "title": "Email gateways and servers", + "id": "control-0360", + "title": "Media sanitisation", "parts": [ { - "id": "control-1234-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." 
} ] }, { - "id": "control-1502", - "title": "Email gateways and servers", + "id": "control-0947", + "title": "Media sanitisation", "parts": [ { - "id": "control-1502-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "All media is sanitised prior to reuse." } ] }, { - "id": "control-1024", - "title": "Email gateways and servers", + "id": "control-1464", + "title": "Media sanitisation", "parts": [ { - "id": "control-1024-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." + "prose": "Where a Consumer Guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the Consumer Guide are followed." } ] } 
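Review bot: the deletion of `control-1151` ("SPF is used to verify the authenticity of incoming emails.") in this hunk has no matching `+` line, unlike the neighbouring email-gateway controls (control-1152, control-0861, control-1026 and so on) which are each replaced in place by a media-sanitisation control; since the email group appears to be relocated in the regenerated file rather than removed, please confirm that control-1151 is still present elsewhere in the new catalog.json, or state its removal in the commit message. Because this hunk is a wholesale re-serialisation in a different group order, reading `-`/`+` pairs line by line cannot establish that the set of controls is unchanged; a set comparison of control ids and prose between the old and new catalog would be a much stronger check, and recording that it was done in the PR description would help later reviewers.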
@@ -751,3819 +734,3834 @@ ] }, { - "id": "guidelines_for_media_management", - "title": "Guidelines for Media Management", + "id": "guidelines_for_ict_equipment_management", + "title": "Guidelines for ICT Equipment Management", "groups": [ { - "id": "media_destruction", - "title": "Media destruction", + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", "controls": [ { - "id": "control-0363", - "title": "Media destruction", + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0363-stmt", + "id": "control-0313-stmt", "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0350", - "title": "Media destruction", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0350-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n§ microfiche and microfilm\n§ optical discs\n§ programmable read-only memory\n§ read-only memory\n§ other types of media that cannot be sanitised\n§ faulty media that cannot be successfully sanitised." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-1361", - "title": "Media destruction", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1361-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." 
+ "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." } ] }, { - "id": "control-1160", - "title": "Media destruction", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1160-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency or certified by the United Kingdom’s National Cyber Security Centre are used." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." } ] }, { - "id": "control-1517", - "title": "Media destruction", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1517-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-0366", - "title": "Media destruction", + "id": "control-0315", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." 
+ "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-0368", - "title": "Media destruction", + "id": "control-1218", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0368-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." } ] }, { - "id": "control-0361", - "title": "Media destruction", + "id": "control-0312", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0361-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." } ] }, { - "id": "control-0838", - "title": "Media destruction", + "id": "control-0317", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0838-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." 
} ] }, { - "id": "control-0362", - "title": "Media destruction", + "id": "control-1219", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0362-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." } ] }, { - "id": "control-0370", - "title": "Media destruction", + "id": "control-1220", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0370-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." } ] }, { - "id": "control-0371", - "title": "Media destruction", + "id": "control-1221", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0371-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-0372", - "title": "Media destruction", + "id": "control-0318", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." 
+ "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." } ] }, { - "id": "control-0373", - "title": "Media destruction", + "id": "control-1534", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0373-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." } ] }, { - "id": "control-0840", - "title": "Media destruction", + "id": "control-1076", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-0839", - "title": "Media destruction", + "id": "control-1222", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0839-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." 
} ] - } - ] - }, - { - "id": "media_usage", - "title": "Media usage", - "controls": [ + }, { - "id": "control-1549", - "title": "Media usage", + "id": "control-1223", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1549-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n§ following device-specific guidance provided by the ACSC\n§ following vendor sanitisation guidance\n§ loading a dummy configuration file, performing a factory reset and then reinstalling firmware." } ] }, { - "id": "control-1359", - "title": "Media usage", + "id": "control-1225", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1359-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-0323", - "title": "Media usage", + "id": "control-1226", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0323-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-0325", - "title": "Media usage", + "id": "control-1079", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0325-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." } ] }, { - "id": "control-0331", - "title": "Media usage", + "id": "control-0305", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0331-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." } ] }, { - "id": "control-0330", - "title": "Media usage", + "id": "control-0307", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0330-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." 
+ "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-0332", - "title": "Media usage", + "id": "control-0306", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0332-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n§ is appropriately cleared and briefed\n§ takes due care to ensure that information is not disclosed\n§ takes all responsible measures to ensure the integrity of the ICT equipment\n§ has the authority to direct the technician\n§ is sufficiently familiar with the ICT equipment to understand the work being performed." } ] }, { - "id": "control-0337", - "title": "Media usage", + "id": "control-0310", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0337-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] }, { - "id": "control-0341", - "title": "Media usage", + "id": "control-0944", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." 
+ "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." } ] - }, + } + ] + }, + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ { - "id": "control-0342", - "title": "Media usage", + "id": "control-1551", + "title": "ICT equipment usage", "parts": [ { - "id": "control-0342-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-0343", - "title": "Media usage", + "id": "control-0293", + "title": "ICT equipment usage", "parts": [ { - "id": "control-0343-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." } ] }, { - "id": "control-0345", - "title": "Media usage", + "id": "control-0294", + "title": "ICT equipment usage", "parts": [ { - "id": "control-0345-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "External interface connections that allow DMA are disabled." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
} ] }, { - "id": "control-0831", - "title": "Media usage", + "id": "control-0296", + "title": "ICT equipment usage", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateway_management", + "title": "Guidelines for Gateway Management", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-1059", - "title": "Media usage", + "id": "control-1528", + "title": "Firewalls", "parts": [ { - "id": "control-1059-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0347", - "title": "Media usage", + "id": "control-0639", + "title": "Firewalls", "parts": [ { - "id": "control-0347-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] - } - ] - }, - { - "id": "media_disposal", - "title": "Media disposal", - "controls": [ + }, { - "id": "control-0374", - "title": "Media disposal", + "id": "control-1194", + "title": "Firewalls", "parts": [ { - "id": "control-0374-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." 
+ "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." } ] }, { - "id": "control-0375", - "title": "Media disposal", + "id": "control-0641", + "title": "Firewalls", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." } ] }, { - "id": "control-0378", - "title": "Media disposal", + "id": "control-0642", + "title": "Firewalls", "parts": [ { - "id": "control-0378-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." } ] } ] }, { - "id": "media_sanitisation", - "title": "Media sanitisation", + "id": "diodes", + "title": "Diodes", "controls": [ { - "id": "control-0348", - "title": "Media sanitisation", + "id": "control-0643", + "title": "Diodes", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." 
+ "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0351", - "title": "Media sanitisation", + "id": "control-0645", + "title": "Diodes", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." } ] }, { - "id": "control-0352", - "title": "Media sanitisation", + "id": "control-1157", + "title": "Diodes", "parts": [ { - "id": "control-0352-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." } ] }, { - "id": "control-0835", - "title": "Media sanitisation", + "id": "control-1158", + "title": "Diodes", "parts": [ { - "id": "control-0835-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." 
} ] }, { - "id": "control-1065", - "title": "Media sanitisation", + "id": "control-0646", + "title": "Diodes", "parts": [ { - "id": "control-1065-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-0354", - "title": "Media sanitisation", + "id": "control-0647", + "title": "Diodes", "parts": [ { - "id": "control-0354-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-1067", - "title": "Media sanitisation", + "id": "control-0648", + "title": "Diodes", "parts": [ { - "id": "control-1067-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." 
} ] - }, + } + ] + }, + { + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", + "controls": [ { - "id": "control-0356", - "title": "Media sanitisation", + "id": "control-0626", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0356-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-0357", - "title": "Media sanitisation", + "id": "control-0597", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0357-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0836", - "title": "Media sanitisation", + "id": "control-0627", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0836-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." 
} ] }, { - "id": "control-0358", - "title": "Media sanitisation", + "id": "control-0635", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0358-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-0359", - "title": "Media sanitisation", + "id": "control-1521", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0359-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." } ] }, { - "id": "control-0360", - "title": "Media sanitisation", - "parts": [ + "id": "control-1522", + "title": "Cross Domain Solutions", + "parts": [ { - "id": "control-0360-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." } ] }, { - "id": "control-0947", - "title": "Media sanitisation", + "id": "control-0670", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0947-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "All media is sanitised prior to reuse." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." 
} ] }, { - "id": "control-1464", - "title": "Media sanitisation", + "id": "control-1523", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-1464-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "Where a Consumer Guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the Consumer Guide are followed." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." + } + ] + }, + { + "id": "control-0610", + "title": "Cross Domain Solutions", + "parts": [ + { + "id": "control-0610-stmt", + "name": "statement", + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." } ] } ] - } - ] - }, - { - "id": "guidelines_for_using_cryptography", - "title": "Guidelines for Using Cryptography", - "groups": [ + }, { - "id": "transport_layer_security", - "title": "Transport Layer Security", + "id": "peripheral_switches", + "title": "Peripheral switches", "controls": [ { - "id": "control-1139", - "title": "Transport Layer Security", + "id": "control-0591", + "title": "Peripheral switches", "parts": [ { - "id": "control-1139-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "Only the latest version of TLS is used." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-1369", - "title": "Transport Layer Security", + "id": "control-1480", + "title": "Peripheral switches", "parts": [ { - "id": "control-1369-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." 
+ "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-1370", - "title": "Transport Layer Security", + "id": "control-1457", + "title": "Peripheral switches", "parts": [ { - "id": "control-1370-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." } ] }, { - "id": "control-1372", - "title": "Transport Layer Security", + "id": "control-0593", + "title": "Peripheral switches", "parts": [ { - "id": "control-1372-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-1448", - "title": "Transport Layer Security", + "id": "control-0594", + "title": "Peripheral switches", "parts": [ { - "id": "control-1448-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." } ] - }, + } + ] + }, + { + "id": "web_content_and_connections", + "title": "Web content and connections", + "controls": [ { - "id": "control-1373", - "title": "Transport Layer Security", + "id": "control-0258", + "title": "Web content and connections", "parts": [ { - "id": "control-1373-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "Anonymous DH is not used." 
+ "prose": "A web usage policy is developed and implemented." } ] }, { - "id": "control-1374", - "title": "Transport Layer Security", + "id": "control-0260", + "title": "Web content and connections", "parts": [ { - "id": "control-1374-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-1375", - "title": "Transport Layer Security", + "id": "control-0261", + "title": "Web content and connections", "parts": [ { - "id": "control-1375-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n§ address (uniform resource locator)\n§ time/date\n§ user\n§ amount of data uploaded and downloaded\n§ internal and external IP addresses." } ] }, { - "id": "control-1553", - "title": "Transport Layer Security", + "id": "control-0263", + "title": "Web content and connections", "parts": [ { - "id": "control-1553-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "TLS compression is disabled." + "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n§ a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n§ a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." } ] }, { - "id": "control-1453", - "title": "Transport Layer Security", + "id": "control-0996", + "title": "Web content and connections", "parts": [ { - "id": "control-1453-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." 
+ "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", - "controls": [ + }, { - "id": "control-0471", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0958", + "title": "Web content and connections", "parts": [ { - "id": "control-0471-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "If using cryptographic equipment or software that implements an AACA, only AACAs can be used." + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-0994", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1170", + "title": "Web content and connections", "parts": [ { - "id": "control-0994-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." } ] }, { - "id": "control-0472", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0959", + "title": "Web content and connections", "parts": [ { - "id": "control-0472-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." 
} ] }, { - "id": "control-0473", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0960", + "title": "Web content and connections", "parts": [ { - "id": "control-0473-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "If a list of blocked website is implemented, the list is updated on a daily basis to ensure that it remains effective." } ] }, { - "id": "control-1446", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1171", + "title": "Web content and connections", "parts": [ { - "id": "control-1446-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0474", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1236", + "title": "Web content and connections", "parts": [ { - "id": "control-0474-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." } ] }, { - "id": "control-0475", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0963", + "title": "Web content and connections", "parts": [ { - "id": "control-0475-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "A web content filter is used to filter potentially harmful web-based content." 
} ] }, { - "id": "control-0476", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0961", + "title": "Web content and connections", "parts": [ { - "id": "control-0476-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." } ] }, { - "id": "control-0477", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1237", + "title": "Web content and connections", "parts": [ { - "id": "control-0477-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] - }, + } + ] + }, + { + "id": "gateways", + "title": "Gateways", + "controls": [ { - "id": "control-1054", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0628", + "title": "Gateways", "parts": [ { - "id": "control-1054-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." + "prose": "All systems are protected from systems in other security domains by one or more gateways." } ] }, { - "id": "control-0479", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1192", + "title": "Gateways", "parts": [ { - "id": "control-0479-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." 
+ "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] }, { - "id": "control-0480", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0631", + "title": "Gateways", "parts": [ { - "id": "control-0480-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "Gateways:\n§ are the only communications paths into and out of internal networks\n§ allow only explicitly authorised connections\n§ are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n§ are protected by authentication, logging and auditing of all physical and logical access to gateway components\n§ have all security controls tested to verify their effectiveness after any changes to their configuration." } ] }, { - "id": "control-1232", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1427", + "title": "Gateways", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." } ] }, { - "id": "control-1468", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0634", + "title": "Gateways", "parts": [ { - "id": "control-1468-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." 
+ "prose": "All gateways connecting networks in different security domains are operated such that they:\n§ log network traffic permitted through the gateway\n§ log network traffic attempting to leave the gateway\n§ are configured to save event logs to a secure logging facility\n§ provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." } ] - } - ] - }, - { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", - "controls": [ + }, { - "id": "control-0501", - "title": "Cryptographic system management", + "id": "control-0637", + "title": "Gateways", "parts": [ { - "id": "control-0501-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-0142", - "title": "Cryptographic system management", + "id": "control-1037", + "title": "Gateways", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-1091", - "title": "Cryptographic system management", + "id": "control-0611", + "title": "Gateways", "parts": [ { - "id": "control-1091-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." 
+ "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." } ] }, { - "id": "control-0499", - "title": "Cryptographic system management", + "id": "control-0612", + "title": "Gateways", "parts": [ { - "id": "control-0499-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "System administrators are formally trained to manage gateways." } ] }, { - "id": "control-0505", - "title": "Cryptographic system management", + "id": "control-1520", + "title": "Gateways", "parts": [ { - "id": "control-0505-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." } ] }, { - "id": "control-0506", - "title": "Cryptographic system management", + "id": "control-0613", + "title": "Gateways", "parts": [ { - "id": "control-0506-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." 
} ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Secure Shell", + "id": "control-0616", + "title": "Gateways", "parts": [ { - "id": "control-1506-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "Roles for the administration of gateways are separated." } ] }, { - "id": "control-0484", - "title": "Secure Shell", + "id": "control-0629", + "title": "Gateways", "parts": [ { - "id": "control-0484-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-0485", - "title": "Secure Shell", + "id": "control-0607", + "title": "Gateways", "parts": [ { - "id": "control-0485-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." } ] }, { - "id": "control-1449", - "title": "Secure Shell", + "id": "control-0619", + "title": "Gateways", "parts": [ { - "id": "control-1449-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." + "prose": "Users and services accessing networks through gateways are authenticated." 
} ] }, { - "id": "control-0487", - "title": "Secure Shell", + "id": "control-0620", + "title": "Gateways", "parts": [ { - "id": "control-0487-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n§ access from IP addresses that do not require access\n§ port forwarding\n§ agent credential forwarding\n§ X11 display remoting\n§ console access." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-0488", - "title": "Secure Shell", + "id": "control-1039", + "title": "Gateways", "parts": [ { - "id": "control-0488-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "Multi-factor authentication is used for access to gateways." } ] }, { - "id": "control-0489", - "title": "Secure Shell", + "id": "control-0622", + "title": "Gateways", "parts": [ { - "id": "control-0489-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "ICT equipment accessing networks through gateways is authenticated." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", "controls": [ { - "id": "control-0481", - "title": "ASD Approved Cryptographic Protocols", + "id": "control-0336", + "title": "ICT equipment and media", "parts": [ { - "id": "control-0481-stmt", + "id": "control-0336-stmt", "name": "statement", - "prose": "If using cryptographic equipment or software that implements an AACP, only AACAs can be used." + "prose": "An ICT equipment and media register is maintained and regularly audited." } ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Secure/Multipurpose Internet Mail Extension", + "id": "control-0159", + "title": "ICT equipment and media", "parts": [ { - "id": "control-0490-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "All ICT equipment and media are accounted for on a regular basis." + } + ] + }, + { + "id": "control-0161", + "title": "ICT equipment and media", + "parts": [ + { + "id": "control-0161-stmt", + "name": "statement", + "prose": "ICT equipment and media are secured when not in use." 
} ] } ] }, { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", + "id": "facilities_and_systems", + "title": "Facilities and systems", "controls": [ { - "id": "control-1161", - "title": "Cryptographic fundamentals", + "id": "control-0810", + "title": "Facilities and systems", "parts": [ { - "id": "control-1161-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." } ] }, { - "id": "control-0457", - "title": "Cryptographic fundamentals", + "id": "control-1053", + "title": "Facilities and systems", "parts": [ { - "id": "control-0457-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." } ] }, { - "id": "control-0460", - "title": "Cryptographic fundamentals", + "id": "control-1530", + "title": "Facilities and systems", "parts": [ { - "id": "control-0460-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." 
+ "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." } ] }, { - "id": "control-0459", - "title": "Cryptographic fundamentals", + "id": "control-0813", + "title": "Facilities and systems", "parts": [ { - "id": "control-0459-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0461", - "title": "Cryptographic fundamentals", + "id": "control-1074", + "title": "Facilities and systems", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." } ] }, { - "id": "control-1080", - "title": "Cryptographic fundamentals", + "id": "control-0157", + "title": "Facilities and systems", "parts": [ { - "id": "control-1080-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." 
} ] }, { - "id": "control-0455", - "title": "Cryptographic fundamentals", + "id": "control-1296", + "title": "Facilities and systems", "parts": [ { - "id": "control-0455-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." } ] }, { - "id": "control-0462", - "title": "Cryptographic fundamentals", + "id": "control-0164", + "title": "Facilities and systems", "parts": [ { - "id": "control-0462-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." } ] - }, + } + ] + }, + { + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", + "controls": [ { - "id": "control-1162", - "title": "Cryptographic fundamentals", + "id": "control-1543", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-1162-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." 
} ] }, { - "id": "control-0465", - "title": "Cryptographic fundamentals", + "id": "control-0225", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0465-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-0467", - "title": "Cryptographic fundamentals", + "id": "control-0829", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0467-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." } ] }, { - "id": "control-0469", - "title": "Cryptographic fundamentals", + "id": "control-1058", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0469-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." + "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." 
} ] - } - ] - }, - { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", - "controls": [ + }, { - "id": "control-0494", - "title": "Internet Protocol Security", + "id": "control-0222", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0494-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-0496", - "title": "Internet Protocol Security", + "id": "control-0223", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0496-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "When using infrared keyboards, the following activities are prevented:\n§ line of sight and reflected communications travelling into unsecured spaces\n§ multiple infrared keyboards for different systems being used in the same area\n§ other infrared devices being used in the same area\n§ infrared keyboards operating in areas with unprotected windows." } ] }, { - "id": "control-1233", - "title": "Internet Protocol Security", + "id": "control-0224", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-1233-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." 
+ "prose": "When using infrared keyboards, the following activities are prevented:\n§ line of sight and reflected communications travelling into unsecured spaces\n§ multiple infrared keyboards for different systems being used in the same area\n§ other infrared devices being used in the same area\n§ infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." } ] }, { - "id": "control-0497", - "title": "Internet Protocol Security", + "id": "control-0221", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0497-stmt", + "id": "control-0221-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ + { + "id": "mobile_device_management", + "title": "Mobile device management", + "controls": [ { - "id": "control-0498", - "title": "Internet Protocol Security", + "id": "control-1533", + "title": "Mobile device management", "parts": [ { - "id": "control-0498-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "A mobile device management policy is developed and implemented." } ] }, { - "id": "control-0998", - "title": "Internet Protocol Security", + "id": "control-1195", + "title": "Mobile device management", "parts": [ { - "id": "control-0998-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." 
} ] }, { - "id": "control-0999", - "title": "Internet Protocol Security", + "id": "control-0687", + "title": "Mobile device management", "parts": [ { - "id": "control-0999-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-1000", - "title": "Internet Protocol Security", + "id": "control-1400", + "title": "Mobile device management", "parts": [ { - "id": "control-1000-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." } ] }, { - "id": "control-1001", - "title": "Internet Protocol Security", + "id": "control-0694", + "title": "Mobile device management", "parts": [ { - "id": "control-1001-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "Privately-owned mobile devices do not access highly classified systems." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", - "groups": [ - { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", - "controls": [ + }, { - "id": "control-0280", - "title": "Evaluated product acquisition", + "id": "control-1297", + "title": "Mobile device management", "parts": [ { - "id": "control-0280-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "Prior to allowing privately-owned mobile devices to connect to an organisation’s systems, legal advice is sought." } ] }, { - "id": "control-0285", - "title": "Evaluated product acquisition", + "id": "control-1482", + "title": "Mobile device management", "parts": [ { - "id": "control-0285-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." + "prose": "Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] }, { - "id": "control-0286", - "title": "Evaluated product acquisition", + "id": "control-0869", + "title": "Mobile device management", "parts": [ { - "id": "control-0286-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] - } - ] - }, - { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", - "controls": [ + }, { - "id": "control-0289", - "title": "Evaluated product usage", + "id": "control-1085", + "title": "Mobile device management", "parts": [ { - "id": "control-0289-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-0290", - "title": "Evaluated product usage", + "id": "control-1202", + "title": "Mobile device management", "parts": [ { - "id": "control-0290-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] }, { - "id": "control-0292", - "title": "Evaluated product usage", + "id": "control-0682", + "title": "Mobile device management", "parts": [ { - "id": "control-0292-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", - "groups": [ - { - "id": "web_application_development", - "title": "Web application development", - "controls": [ + }, { - "id": "control-1239", - "title": "Web application development", + "id": "control-1196", + "title": "Mobile device management", "parts": [ { - "id": "control-1239-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-1552", - "title": "Web application development", + "id": "control-1200", + "title": "Mobile device management", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-1240", - "title": "Web application development", + "id": "control-1198", + "title": "Mobile device management", "parts": [ { - "id": "control-1240-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." } ] }, { - "id": "control-1241", - "title": "Web application development", + "id": "control-1199", + "title": "Mobile device management", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." 
} ] }, { - "id": "control-1424", - "title": "Web application development", + "id": "control-0863", + "title": "Mobile device management", "parts": [ { - "id": "control-1424-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-0971", - "title": "Web application development", + "id": "control-0864", + "title": "Mobile device management", "parts": [ { - "id": "control-0971-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] - } - ] - }, - { - "id": "application_development", - "title": "Application development", - "controls": [ + }, { - "id": "control-0400", - "title": "Application development", + "id": "control-1365", + "title": "Mobile device management", "parts": [ { - "id": "control-0400-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "Software development, testing and production environments are segregated." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] }, { - "id": "control-1419", - "title": "Application development", + "id": "control-1366", + "title": "Mobile device management", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." 
} ] }, { - "id": "control-1420", - "title": "Application development", + "id": "control-0874", + "title": "Mobile device management", "parts": [ { - "id": "control-1420-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-1422", - "title": "Application development", + "id": "control-0705", + "title": "Mobile device management", "parts": [ { - "id": "control-1422-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." } ] - }, + } + ] + }, + { + "id": "mobile_device_usage", + "title": "Mobile device usage", + "controls": [ { - "id": "control-1238", - "title": "Application development", + "id": "control-1082", + "title": "Mobile device usage", "parts": [ { - "id": "control-1238-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "A mobile device usage policy is developed and implemented." 
} ] }, { - "id": "control-0401", - "title": "Application development", + "id": "control-1083", + "title": "Mobile device usage", "parts": [ { - "id": "control-0401-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0402", - "title": "Application development", + "id": "control-0240", + "title": "Mobile device usage", "parts": [ { - "id": "control-0402-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ + }, { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0866", + "title": "Mobile device usage", "parts": [ { - "id": "control-1562-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." 
+ "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." } ] }, { - "id": "control-0546", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1145", + "title": "Mobile device usage", "parts": [ { - "id": "control-0546-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-0547", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0871", + "title": "Mobile device usage", "parts": [ { - "id": "control-0547-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-0548", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0870", + "title": "Mobile device usage", "parts": [ { - "id": "control-0548-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." 
} ] }, { - "id": "control-0554", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1084", + "title": "Mobile device usage", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." } ] }, { - "id": "control-0553", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0701", + "title": "Mobile device usage", "parts": [ { - "id": "control-0553-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0555", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0702", + "title": "Mobile device usage", "parts": [ { - "id": "control-0555-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." 
} ] }, { - "id": "control-0551", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1298", + "title": "Mobile device usage", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n§ IP phones authenticate themselves to the call controller upon registration\n§ auto-registration is disabled and only authorised devices are allowed to access the network\n§ unauthorised devices are blocked by default\n§ all unused and prohibited functionality is disabled." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." } ] }, { - "id": "control-1014", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1554", + "title": "Mobile device usage", "parts": [ { - "id": "control-1014-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n§ issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n§ advised on how to apply and inspect tamper seals to key areas of devices\n§ advised to avoid taking any personal devices, especially if rooted or jailbroken." } ] }, { - "id": "control-0549", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1555", + "title": "Mobile device usage", "parts": [ { - "id": "control-0549-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." 
+ "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n§ record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n§ update all applications and operating systems\n§ remove all non-essential accounts, applications and data\n§ apply security configuration settings, such as lock screens\n§ configure remote locate and wipe functionality\n§ enable encryption, including for any media used\n§ backup all important data and configuration settings." } ] }, { - "id": "control-0556", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1299", + "title": "Mobile device usage", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." 
+ "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n§ never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n§ never storing credentials with devices that they grant access to, such as in laptop bags\n§ never lending devices to untrusted people, even if briefly\n§ never allowing untrusted people to connect other devices or media to their devices, including for charging\n§ never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n§ avoiding connecting devices to open or untrusted Wi-Fi networks\n§ using an approved Virtual Private Network to encrypt all device communications\n§ using encrypted mobile applications for communications instead of using foreign telecommunication networks\n§ disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n§ avoiding reuse of media once used with other parties’ devices or systems\n§ ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n§ never using any gifted devices, especially media, when travelling or upon returning from travelling." } ] }, { - "id": "control-1015", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1088", + "title": "Mobile device usage", "parts": [ { - "id": "control-1015-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." 
+ "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n§ provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n§ have devices or media stolen that are later returned\n§ lose devices or media that are later found\n§ observe unusual behaviour of devices." } ] }, { - "id": "control-0558", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1300", + "title": "Mobile device usage", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n§ sanitise and reset devices, including all media used with them\n§ decommission any physical credentials that left their possession during their travel\n§ report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-0559", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1556", + "title": "Mobile device usage", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n§ reset user credentials used with devices, including those used for remote access to their organisation’s systems\n§ monitor accounts for any indicators of compromise, such as failed login attempts." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ + { + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", + "controls": [ + { + "id": "control-0280", + "title": "Evaluated product acquisition", + "parts": [ + { + "id": "control-0280-stmt", + "name": "statement", + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." } ] }, { - "id": "control-1450", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0285", + "title": "Evaluated product acquisition", "parts": [ { - "id": "control-1450-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." } ] }, { - "id": "control-1019", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0286", + "title": "Evaluated product acquisition", "parts": [ { - "id": "control-1019-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n§ how to identify signs of a denial of service\n§ how to identify the source of a denial of service\n§ how capabilities can be maintained during a denial of service\n§ what actions can be taken to clear a denial of service." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." 
} ] } ] }, { - "id": "telephone_systems", - "title": "Telephone systems", + "id": "evaluated_product_usage", + "title": "Evaluated product usage", "controls": [ { - "id": "control-1078", - "title": "Telephone systems", + "id": "control-0289", + "title": "Evaluated product usage", "parts": [ { - "id": "control-1078-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." } ] }, { - "id": "control-0229", - "title": "Telephone systems", + "id": "control-0290", + "title": "Evaluated product usage", "parts": [ { - "id": "control-0229-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." } ] }, { - "id": "control-0230", - "title": "Telephone systems", + "id": "control-0292", + "title": "Evaluated product usage", "parts": [ { - "id": "control-0230-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "High assurance ICT equipment is only operated in an evaluated configuration." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_data_transfers_and_content_filtering", + "title": "Guidelines for Data Transfers and Content Filtering", + "groups": [ + { + "id": "content_filtering", + "title": "Content filtering", + "controls": [ + { + "id": "control-0659", + "title": "Content filtering", + "parts": [ + { + "id": "control-0659-stmt", + "name": "statement", + "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." } ] }, { - "id": "control-0231", - "title": "Telephone systems", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." } ] }, { - "id": "control-0232", - "title": "Telephone systems", + "id": "control-0651", + "title": "Content filtering", "parts": [ { - "id": "control-0232-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." } ] }, { - "id": "control-0233", - "title": "Telephone systems", + "id": "control-0652", + "title": "Content filtering", "parts": [ { - "id": "control-0233-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." 
+ "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." } ] }, { - "id": "control-0235", - "title": "Telephone systems", + "id": "control-1389", + "title": "Content filtering", "parts": [ { - "id": "control-0235-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] }, { - "id": "control-0236", - "title": "Telephone systems", + "id": "control-1284", + "title": "Content filtering", "parts": [ { - "id": "control-0236-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." } ] }, { - "id": "control-0931", - "title": "Telephone systems", + "id": "control-1286", + "title": "Content filtering", "parts": [ { - "id": "control-0931-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." 
} ] }, { - "id": "control-0237", - "title": "Telephone systems", + "id": "control-1287", + "title": "Content filtering", "parts": [ { - "id": "control-0237-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." } ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ + }, { - "id": "control-0588", - "title": "Fax machines and multifunction devices", + "id": "control-1288", + "title": "Content filtering", "parts": [ { - "id": "control-0588-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] }, { - "id": "control-1092", - "title": "Fax machines and multifunction devices", + "id": "control-1289", + "title": "Content filtering", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-0241", - "title": "Fax machines and multifunction devices", + "id": "control-1290", + "title": "Content filtering", "parts": [ { - "id": "control-0241-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." 
+ "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-1075", - "title": "Fax machines and multifunction devices", + "id": "control-1291", + "title": "Content filtering", "parts": [ { - "id": "control-1075-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." } ] }, { - "id": "control-0590", - "title": "Fax machines and multifunction devices", + "id": "control-0649", + "title": "Content filtering", "parts": [ { - "id": "control-0590-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-0245", - "title": "Fax machines and multifunction devices", + "id": "control-1292", + "title": "Content filtering", "parts": [ { - "id": "control-0245-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." 
} ] }, { - "id": "control-0589", - "title": "Fax machines and multifunction devices", + "id": "control-0677", + "title": "Content filtering", "parts": [ { - "id": "control-0589-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "If data is signed, the signature is validated before the data is exported." } ] }, { - "id": "control-1036", - "title": "Fax machines and multifunction devices", + "id": "control-1293", + "title": "Content filtering", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] } ] - } - ] - }, - { - "id": "guidelines_for_gateway_management", - "title": "Guidelines for Gateway Management", - "groups": [ + }, { - "id": "firewalls", - "title": "Firewalls", + "id": "data_transfers", + "title": "Data transfers", "controls": [ { - "id": "control-1528", - "title": "Firewalls", + "id": "control-0663", + "title": "Data transfers", "parts": [ { - "id": "control-1528-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-0639", - "title": "Firewalls", + "id": "control-0661", + "title": "Data transfers", "parts": [ { - "id": "control-0639-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." 
} ] }, { - "id": "control-1194", - "title": "Firewalls", + "id": "control-0665", + "title": "Data transfers", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "Trusted sources are a strictly limited number of personnel that have been authorised as such by an organisation’s CISO." } ] }, { - "id": "control-0641", - "title": "Firewalls", + "id": "control-0675", + "title": "Data transfers", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "A trusted source makes an informed decision to sign all data authorised for export from a security domain." } ] }, { - "id": "control-0642", - "title": "Firewalls", + "id": "control-0664", + "title": "Data transfers", "parts": [ { - "id": "control-0642-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." } ] - } - ] - }, - { - "id": "gateways", - "title": "Gateways", - "controls": [ + }, { - "id": "control-0628", - "title": "Gateways", + "id": "control-0657", + "title": "Data transfers", "parts": [ { - "id": "control-0628-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." 
+ "prose": "Data imported to a system is scanned for malicious and active content." } ] }, { - "id": "control-1192", - "title": "Gateways", + "id": "control-0658", + "title": "Data transfers", "parts": [ { - "id": "control-1192-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." } ] }, { - "id": "control-0631", - "title": "Gateways", + "id": "control-1187", + "title": "Data transfers", "parts": [ { - "id": "control-0631-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "Gateways:\n§ are the only communications paths into and out of internal networks\n§ allow only explicitly authorised connections\n§ are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n§ are protected by authentication, logging and auditing of all physical and logical access to gateway components\n§ have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "When exporting data, protective marking checks are undertaken." } ] }, { - "id": "control-1427", - "title": "Gateways", + "id": "control-0669", + "title": "Data transfers", "parts": [ { - "id": "control-1427-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." 
+ "prose": "When exporting data, the following activities are undertaken:\n§ protective marking checks\n§ data format checks and logging\n§ monitoring to detect overuse/unusual usage patterns\n§ limitations on data types and sizes\n§ keyword searches on all textual data." } ] }, { - "id": "control-0634", - "title": "Gateways", + "id": "control-1535", + "title": "Data transfers", "parts": [ { - "id": "control-0634-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n§ log network traffic permitted through the gateway\n§ log network traffic attempting to leave the gateway\n§ are configured to save event logs to a secure logging facility\n§ provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-0637", - "title": "Gateways", + "id": "control-0678", + "title": "Data transfers", "parts": [ { - "id": "control-0637-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." 
} ] }, { - "id": "control-1037", - "title": "Gateways", + "id": "control-0667", + "title": "Data transfers", "parts": [ { - "id": "control-1037-stmt", + "id": "control-0667-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + "prose": "Data exported from each security domain, including through a gateway, is only permitted once the classification has been assessed including a protective marking check." } ] }, { - "id": "control-0611", - "title": "Gateways", + "id": "control-0660", + "title": "Data transfers", "parts": [ { - "id": "control-0611-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "When importing data to each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." } ] }, { - "id": "control-0612", - "title": "Gateways", + "id": "control-0673", + "title": "Data transfers", "parts": [ { - "id": "control-0612-stmt", + "id": "control-0673-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "When exporting data out of each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." } ] }, { - "id": "control-1520", - "title": "Gateways", + "id": "control-1294", + "title": "Data transfers", "parts": [ { - "id": "control-1520-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "When importing content to a security domain, including through a gateway, monthly audits of the imported content are performed." 
} ] }, { - "id": "control-0613", - "title": "Gateways", + "id": "control-1295", + "title": "Data transfers", "parts": [ { - "id": "control-0613-stmt", + "id": "control-1295-stmt", "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." + "prose": "When exporting content out of a security domain, including through a gateway, monthly audits of the exported content are performed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ + { + "id": "emanation_security", + "title": "Emanation security", + "controls": [ { - "id": "control-0616", - "title": "Gateways", + "id": "control-0247", + "title": "Emanation security", "parts": [ { - "id": "control-0616-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "Roles for the administration of gateways are separated." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0629", - "title": "Gateways", + "id": "control-0248", + "title": "Emanation security", "parts": [ { - "id": "control-0629-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." 
+ "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0607", - "title": "Gateways", + "id": "control-1137", + "title": "Emanation security", "parts": [ { - "id": "control-0607-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0619", - "title": "Gateways", + "id": "control-0932", + "title": "Emanation security", "parts": [ { - "id": "control-0619-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." } ] }, { - "id": "control-0620", - "title": "Gateways", + "id": "control-0249", + "title": "Emanation security", "parts": [ { - "id": "control-0620-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1039", - "title": "Gateways", + "id": "control-0246", + "title": "Emanation security", "parts": [ { - "id": "control-1039-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." } ] }, { - "id": "control-0622", - "title": "Gateways", + "id": "control-0250", + "title": "Emanation security", "parts": [ { - "id": "control-0622-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." } ] } ] }, { - "id": "diodes", - "title": "Diodes", + "id": "cable_management", + "title": "Cable management", "controls": [ { - "id": "control-0643", - "title": "Diodes", + "id": "control-0181", + "title": "Cable management", "parts": [ { - "id": "control-0643-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." + "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority (ACMA)." } ] }, { - "id": "control-0645", - "title": "Diodes", + "id": "control-0926", + "title": "Cable management", "parts": [ { - "id": "control-0645-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." 
+ "prose": "The cable colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1157", - "title": "Diodes", + "id": "control-0825", + "title": "Cable management", "parts": [ { - "id": "control-1157-stmt", + "id": "control-0825-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." + "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." } ] }, { - "id": "control-1158", - "title": "Diodes", + "id": "control-0826", + "title": "Cable management", "parts": [ { - "id": "control-1158-stmt", + "id": "control-0826-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." } ] }, { - "id": "control-0646", - "title": "Diodes", + "id": "control-1215", + "title": "Cable management", "parts": [ { - "id": "control-0646-stmt", + "id": "control-1215-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." } ] }, { - "id": "control-0647", - "title": "Diodes", + "id": "control-1216", + "title": "Cable management", "parts": [ { - "id": "control-0647-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." 
+ "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." } ] }, { - "id": "control-0648", - "title": "Diodes", + "id": "control-1112", + "title": "Cable management", "parts": [ { - "id": "control-0648-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] - } - ] - }, - { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", - "controls": [ + }, { - "id": "control-0626", - "title": "Cross Domain Solutions", + "id": "control-1118", + "title": "Cable management", "parts": [ { - "id": "control-0626-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-0597", - "title": "Cross Domain Solutions", + "id": "control-1119", + "title": "Cable management", "parts": [ { - "id": "control-0597-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." 
} ] }, { - "id": "control-0627", - "title": "Cross Domain Solutions", + "id": "control-1126", + "title": "Cable management", "parts": [ { - "id": "control-0627-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-0635", - "title": "Cross Domain Solutions", + "id": "control-0184", + "title": "Cable management", "parts": [ { - "id": "control-0635-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1521", - "title": "Cross Domain Solutions", + "id": "control-0187", + "title": "Cable management", "parts": [ { - "id": "control-1521-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1522", - "title": "Cross Domain Solutions", + "id": "control-1111", + "title": "Cable management", "parts": [ { - "id": "control-1522-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." 
+ "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." } ] }, { - "id": "control-0670", - "title": "Cross Domain Solutions", + "id": "control-0189", + "title": "Cable management", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." } ] }, { - "id": "control-1523", - "title": "Cross Domain Solutions", + "id": "control-0190", + "title": "Cable management", "parts": [ { - "id": "control-1523-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." + "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." } ] }, { - "id": "control-0610", - "title": "Cross Domain Solutions", + "id": "control-1114", + "title": "Cable management", "parts": [ { - "id": "control-0610-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." 
} ] - } - ] - }, - { - "id": "web_content_and_connections", - "title": "Web content and connections", - "controls": [ + }, { - "id": "control-0258", - "title": "Web content and connections", + "id": "control-1130", + "title": "Cable management", "parts": [ { - "id": "control-0258-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." } ] }, { - "id": "control-0260", - "title": "Web content and connections", + "id": "control-1164", + "title": "Cable management", "parts": [ { - "id": "control-0260-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-0261", - "title": "Web content and connections", + "id": "control-0195", + "title": "Cable management", "parts": [ { - "id": "control-0261-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n§ address (uniform resource locator)\n§ time/date\n§ user\n§ amount of data uploaded and downloaded\n§ internal and external IP addresses." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." 
} ] }, { - "id": "control-0263", - "title": "Web content and connections", + "id": "control-0194", + "title": "Cable management", "parts": [ { - "id": "control-0263-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n§ a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n§ a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." } ] }, { - "id": "control-0996", - "title": "Web content and connections", + "id": "control-1102", + "title": "Cable management", "parts": [ { - "id": "control-0996-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-0958", - "title": "Web content and connections", + "id": "control-1101", + "title": "Cable management", "parts": [ { - "id": "control-0958-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." 
} ] }, { - "id": "control-1170", - "title": "Web content and connections", + "id": "control-1103", + "title": "Cable management", "parts": [ { - "id": "control-1170-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." } ] }, { - "id": "control-0959", - "title": "Web content and connections", + "id": "control-1098", + "title": "Cable management", "parts": [ { - "id": "control-0959-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." + "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." } ] }, { - "id": "control-0960", - "title": "Web content and connections", + "id": "control-1100", + "title": "Cable management", "parts": [ { - "id": "control-0960-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "If a list of blocked website is implemented, the list is updated on a daily basis to ensure that it remains effective." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-1171", - "title": "Web content and connections", + "id": "control-1116", + "title": "Cable management", "parts": [ { - "id": "control-1171-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." 
} ] }, { - "id": "control-1236", - "title": "Web content and connections", + "id": "control-1115", + "title": "Cable management", "parts": [ { - "id": "control-1236-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." } ] }, { - "id": "control-0963", - "title": "Web content and connections", + "id": "control-1133", + "title": "Cable management", "parts": [ { - "id": "control-0963-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "In shared non-government facilities, cables are not run in a party wall." } ] }, { - "id": "control-0961", - "title": "Web content and connections", + "id": "control-1122", + "title": "Cable management", "parts": [ { - "id": "control-0961-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1237", - "title": "Web content and connections", + "id": "control-1134", + "title": "Cable management", "parts": [ { - "id": "control-1237-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." 
} ] - } - ] - }, - { - "id": "peripheral_switches", - "title": "Peripheral switches", - "controls": [ + }, { - "id": "control-0591", - "title": "Peripheral switches", + "id": "control-1104", + "title": "Cable management", "parts": [ { - "id": "control-0591-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." + "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." } ] }, { - "id": "control-1480", - "title": "Peripheral switches", + "id": "control-1105", + "title": "Cable management", "parts": [ { - "id": "control-1480-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." } ] }, { - "id": "control-1457", - "title": "Peripheral switches", + "id": "control-1106", + "title": "Cable management", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1106-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." } ] }, { - "id": "control-0593", - "title": "Peripheral switches", + "id": "control-1107", + "title": "Cable management", "parts": [ { - "id": "control-0593-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." 
+ "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-0594", - "title": "Peripheral switches", + "id": "control-1109", + "title": "Cable management", "parts": [ { - "id": "control-0594-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." + "prose": "Wall outlet box covers are clear plastic." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_network_management", - "title": "Guidelines for Network Management", - "groups": [ - { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", - "controls": [ + }, { - "id": "control-1458", - "title": "Service continuity for online services", + "id": "control-0198", + "title": "Cable management", "parts": [ { - "id": "control-1458-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." 
} ] }, { - "id": "control-1431", - "title": "Service continuity for online services", + "id": "control-1123", + "title": "Cable management", "parts": [ { - "id": "control-1431-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with service providers, specifically:\n§ their capacity to withstand denial-of-service attacks\n§ any costs likely to be incurred by customers resulting from denial-of-service attacks\n§ thresholds for notifying customers or turning off their online services during denial-of-service attacks\n§ pre-approved actions that can be undertaken during denial-of-service attacks\n§ denial-of-service attack prevention arrangements with upstream providers to block malicious traffic as far upstream as possible." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-1432", - "title": "Service continuity for online services", + "id": "control-1135", + "title": "Cable management", "parts": [ { - "id": "control-1432-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
} ] - }, + } + ] + }, + { + "id": "cable_labelling_and_registration", + "title": "Cable labelling and registration", + "controls": [ { - "id": "control-1433", - "title": "Service continuity for online services", + "id": "control-0201", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1433-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "24x7 contact details are maintained for service providers and service providers maintain 24x7 contact details for their customers." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." } ] }, { - "id": "control-1434", - "title": "Service continuity for online services", + "id": "control-0202", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1434-stmt", + "id": "control-0202-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." } ] }, { - "id": "control-1435", - "title": "Service continuity for online services", + "id": "control-0203", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1435-stmt", + "id": "control-0203-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." 
} ] }, { - "id": "control-1436", - "title": "Service continuity for online services", + "id": "control-0204", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1436-stmt", + "id": "control-0204-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." } ] }, { - "id": "control-1518", - "title": "Service continuity for online services", + "id": "control-1095", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." } ] }, { - "id": "control-1437", - "title": "Service continuity for online services", + "id": "control-1096", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1437-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "A cloud service provider, preferably multiple different cloud service providers, is used for hosting online services." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." } ] }, { - "id": "control-1438", - "title": "Service continuity for online services", + "id": "control-0206", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1438-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." 
+ "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-1439", - "title": "Service continuity for online services", + "id": "control-0208", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1439-stmt", + "id": "control-0208-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "A cable register is maintained with the following information:\n§ cable identifier\n§ classification\n§ source\n§ destination\n§ site/floor plan diagram\n§ seal numbers (if applicable)." } ] }, { - "id": "control-1441", - "title": "Service continuity for online services", + "id": "control-0211", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1441-stmt", + "id": "control-0211-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists for online services, a denial of service mitigation service is used." + "prose": "Cables are inspected for inconsistencies with the cable register in accordance with the frequency defined in a system’s System Security Plan." } ] } ] }, { - "id": "wireless_networks", - "title": "Wireless networks", + "id": "cable_patching", + "title": "Cable patching", "controls": [ { - "id": "control-1314", - "title": "Wireless networks", + "id": "control-0213", + "title": "Cable patching", "parts": [ { - "id": "control-1314-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "Only approved cable groups terminate on a patch panel." 
} ] }, { - "id": "control-0536", - "title": "Wireless networks", + "id": "control-1093", + "title": "Cable patching", "parts": [ { - "id": "control-0536-stmt", + "id": "control-1093-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." } ] }, { - "id": "control-1315", - "title": "Wireless networks", + "id": "control-0214", + "title": "Cable patching", "parts": [ { - "id": "control-1315-stmt", + "id": "control-0214-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." + "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." } ] }, { - "id": "control-1316", - "title": "Wireless networks", + "id": "control-1094", + "title": "Cable patching", "parts": [ { - "id": "control-1316-stmt", + "id": "control-1094-stmt", "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." } ] }, { - "id": "control-1317", - "title": "Wireless networks", + "id": "control-0216", + "title": "Cable patching", "parts": [ { - "id": "control-1317-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." 
+ "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." } ] }, { - "id": "control-1318", - "title": "Wireless networks", + "id": "control-0217", + "title": "Cable patching", "parts": [ { - "id": "control-1318-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n§ a physical barrier in the cabinet is provided to separate patch panels\n§ only personnel holding a Positive Vetting security clearance have access to the cabinet\n§ approval from the TOP SECRET system’s authorising officer is obtained prior to installation." } ] }, { - "id": "control-1319", - "title": "Wireless networks", + "id": "control-0218", + "title": "Cable patching", "parts": [ { - "id": "control-1319-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ { - "id": "control-1320", - "title": "Wireless networks", + "id": "control-0100", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1320-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." 
+ "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program assessors at least every two years." } ] }, { - "id": "control-1321", - "title": "Wireless networks", + "id": "control-1395", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1321-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "If using an outsourced information technology or cloud service, the service provider provides an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." } ] }, { - "id": "control-1322", - "title": "Wireless networks", + "id": "control-1529", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "If using outsourced cloud services for highly classified information, public clouds are not used." } ] }, { - "id": "control-1324", - "title": "Wireless networks", + "id": "control-0873", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1324-stmt", + "id": "control-0873-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "If using an outsourced information technology or cloud service, a service provider whose systems are located in Australia is used." 
} ] }, { - "id": "control-1323", - "title": "Wireless networks", + "id": "control-0072", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1323-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "Any security controls associated with the protection of information entrusted to a service provider are documented in contract provisions, a memorandum of understanding or an equivalent formal agreement between parties." } ] }, { - "id": "control-1325", - "title": "Wireless networks", + "id": "control-1073", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1325-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." + "prose": "An organisation’s systems and information are not accessed or administered by a service provider from outside Australian borders unless a contractual arrangement exists between the organisation and the service provider to do so." } ] }, { - "id": "control-1326", - "title": "Wireless networks", + "id": "control-1451", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "When entering into a contractual arrangement for outsourced information technology or cloud services, contractual ownership over an organisation’s data is explicitly retained." 
} ] }, { - "id": "control-1327", - "title": "Wireless networks", + "id": "control-1452", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1327-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "A review of suppliers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ + { + "id": "application_hardening", + "title": "Application hardening", + "controls": [ { - "id": "control-1330", - "title": "Wireless networks", + "id": "control-0938", + "title": "Application hardening", "parts": [ { - "id": "control-1330-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." } ] }, { - "id": "control-1454", - "title": "Wireless networks", + "id": "control-1467", + "title": "Application hardening", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." 
} ] }, { - "id": "control-1332", - "title": "Wireless networks", + "id": "control-1483", + "title": "Application hardening", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." } ] }, { - "id": "control-1334", - "title": "Wireless networks", + "id": "control-1412", + "title": "Application hardening", "parts": [ { - "id": "control-1334-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1335", - "title": "Wireless networks", + "id": "control-1484", + "title": "Application hardening", "parts": [ { - "id": "control-1335-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "Web browsers are configured to block or disable support for Flash content." } ] }, { - "id": "control-1338", - "title": "Wireless networks", + "id": "control-1485", + "title": "Application hardening", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "Web browsers are configured to block web advertisements." 
} ] }, { - "id": "control-1013", - "title": "Wireless networks", + "id": "control-1486", + "title": "Application hardening", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "Web browsers are configured to block Java from the internet." } ] - } - ] - }, - { - "id": "network_design_and_configuration", - "title": "Network design and configuration", - "controls": [ + }, { - "id": "control-0516", - "title": "Network design and configuration", + "id": "control-1541", + "title": "Application hardening", "parts": [ { - "id": "control-0516-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Microsoft Office is configured to disable support for Flash content." } ] }, { - "id": "control-0518", - "title": "Network design and configuration", + "id": "control-1542", + "title": "Application hardening", "parts": [ { - "id": "control-0518-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." 
} ] }, { - "id": "control-1178", - "title": "Network design and configuration", + "id": "control-1470", + "title": "Application hardening", "parts": [ { - "id": "control-1178-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." } ] }, { - "id": "control-1181", - "title": "Network design and configuration", + "id": "control-1235", + "title": "Application hardening", "parts": [ { - "id": "control-1181-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." } ] }, { - "id": "control-1532", - "title": "Network design and configuration", + "id": "control-1487", + "title": "Application hardening", "parts": [ { - "id": "control-1532-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." } ] }, { - "id": "control-0529", - "title": "Network design and configuration", + "id": "control-1488", + "title": "Application hardening", "parts": [ { - "id": "control-0529-stmt", + "id": "control-1488-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." 
+ "prose": "Microsoft Office macros in documents originating from the internet are blocked." } ] }, { - "id": "control-1364", - "title": "Network design and configuration", + "id": "control-1489", + "title": "Application hardening", "parts": [ { - "id": "control-1364-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] - }, + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ { - "id": "control-0535", - "title": "Network design and configuration", + "id": "control-1407", + "title": "Operating system hardening", "parts": [ { - "id": "control-0535-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "The latest version (N), or N-1 version, of an operating system is used for Standard Operating Environments (SOEs)." } ] }, { - "id": "control-0530", - "title": "Network design and configuration", + "id": "control-1408", + "title": "Operating system hardening", "parts": [ { - "id": "control-0530-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." } ] }, { - "id": "control-0521", - "title": "Network design and configuration", + "id": "control-1409", + "title": "Operating system hardening", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." 
+ "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-1186", - "title": "Network design and configuration", + "id": "control-0383", + "title": "Operating system hardening", "parts": [ { - "id": "control-1186-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1428", - "title": "Network design and configuration", + "id": "control-0380", + "title": "Operating system hardening", "parts": [ { - "id": "control-1428-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." } ] }, { - "id": "control-1429", - "title": "Network design and configuration", + "id": "control-1491", + "title": "Operating system hardening", "parts": [ { - "id": "control-1429-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." 
} ] }, { - "id": "control-1430", - "title": "Network design and configuration", + "id": "control-1410", + "title": "Operating system hardening", "parts": [ { - "id": "control-1430-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." } ] }, { - "id": "control-0520", - "title": "Network design and configuration", + "id": "control-1469", + "title": "Operating system hardening", "parts": [ { - "id": "control-0520-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-1182", - "title": "Network design and configuration", + "id": "control-0382", + "title": "Operating system hardening", "parts": [ { - "id": "control-1182-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "Users do not have the ability to install, uninstall or disable software." } ] }, { - "id": "control-1301", - "title": "Network design and configuration", + "id": "control-0843", + "title": "Operating system hardening", "parts": [ { - "id": "control-1301-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." 
+ "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-1304", - "title": "Network design and configuration", + "id": "control-1490", + "title": "Operating system hardening", "parts": [ { - "id": "control-1304-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Aplication control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0534", - "title": "Network design and configuration", + "id": "control-0955", + "title": "Operating system hardening", "parts": [ { - "id": "control-0534-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." } ] }, { - "id": "control-0385", - "title": "Network design and configuration", + "id": "control-1471", + "title": "Operating system hardening", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-1479", - "title": "Network design and configuration", + "id": "control-1392", + "title": "Operating system hardening", "parts": [ { - "id": "control-1479-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." 
+ "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." } ] }, { - "id": "control-1460", - "title": "Network design and configuration", + "id": "control-1544", + "title": "Operating system hardening", "parts": [ { - "id": "control-1460-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware:\n§ the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner\n§ the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism\n§ the underlying operating system running on the server is hardened\n§ patches are applied to the isolation mechanism and underlying operating system in a timely manner\n§ integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." } ] }, { - "id": "control-1462", - "title": "Network design and configuration", + "id": "control-0846", + "title": "Operating system hardening", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." 
+ "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." } ] }, { - "id": "control-1461", - "title": "Network design and configuration", + "id": "control-0957", + "title": "Operating system hardening", "parts": [ { - "id": "control-1461-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." + "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." } ] }, { - "id": "control-1006", - "title": "Network design and configuration", + "id": "control-1414", + "title": "Operating system hardening", "parts": [ { - "id": "control-1006-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." } ] }, { - "id": "control-1311", - "title": "Network design and configuration", + "id": "control-1492", + "title": "Operating system hardening", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "If supported, Microsoft's 'Exploit protection' functionality is implemented on workstations and servers." 
} ] }, { - "id": "control-1312", - "title": "Network design and configuration", + "id": "control-1341", + "title": "Operating system hardening", "parts": [ { - "id": "control-1312-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "A HIPS is implemented on workstations." } ] }, { - "id": "control-1028", - "title": "Network design and configuration", + "id": "control-1034", + "title": "Operating system hardening", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage, including public network infrastructure." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." } ] }, { - "id": "control-1030", - "title": "Network design and configuration", + "id": "control-1416", + "title": "Operating system hardening", "parts": [ { - "id": "control-1030-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." 
} ] }, { - "id": "control-1185", - "title": "Network design and configuration", + "id": "control-1417", + "title": "Operating system hardening", "parts": [ { - "id": "control-1185-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n§ signature-based detection enabled and set to a high level\n§ heuristic-based detection enabled and set to a high level\n§ detection signatures checked for currency and updated on at least a daily basis\n§ automatic and regular scanning configured for all fixed disks and removable media." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ - { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ + }, { - "id": "control-0041", - "title": "System-specific security documentation", - "parts": [ - { - "id": "control-0041-stmt", - "name": "statement", - "prose": "Systems have a SSP that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." 
- } - ] - }, - { - "id": "control-0043", - "title": "System-specific security documentation", + "id": "control-1390", + "title": "Operating system hardening", "parts": [ { - "id": "control-0043-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "Systems have an IRP that covers the following:\n§ guidelines on what constitutes a cyber security incident\n§ the types of incidents likely to be encountered and the expected response to each type\n§ how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n§ other parties which need to be informed in the event of a cyber security incident\n§ the authority, or authorities, responsible for investigating and responding to cyber security incidents\n§ the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n§ the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n§ system contingency measures or a reference to such details if they are located in a separate document." + "prose": "Antivirus software has reputation rating functionality enabled." } ] }, { - "id": "control-1163", - "title": "System-specific security documentation", + "id": "control-1418", + "title": "Operating system hardening", "parts": [ { - "id": "control-1163-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "A Continuous Monitoring Plan is developed and implemented that includes:\n§ conducting vulnerability assessments, vulnerability scans and penetration tests for systems at least annually throughout their life cycle to identify security vulnerabilities\n§ analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n§ using a risk-based approach to prioritise the implementation of identified mitigations." 
+ "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." } ] } ] }, { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", + "id": "authentication_hardening", + "title": "Authentication hardening", "controls": [ { - "id": "control-0039", - "title": "Development and maintenance of security documentation", + "id": "control-1546", + "title": "Authentication hardening", "parts": [ { - "id": "control-0039-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." + "prose": "Users are authenticated before they are granted access to a system and its resources." } ] }, { - "id": "control-0047", - "title": "Development and maintenance of security documentation", + "id": "control-0974", + "title": "Authentication hardening", "parts": [ { - "id": "control-0047-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "Multi-factor authentication is used to authenticate standard users." } ] }, { - "id": "control-0888", - "title": "Development and maintenance of security documentation", + "id": "control-1173", + "title": "Authentication hardening", "parts": [ { - "id": "control-0888-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", - "controls": [ + }, { - "id": "control-0252", - "title": "Cyber security awareness training", + "id": "control-1504", + "title": "Authentication hardening", "parts": [ { - "id": "control-0252-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "Ongoing cyber security awareness training is provided to personnel and includes:\n§ the purpose of the cyber security awareness training\n§ security appointments and contacts within the organisation\n§ the authorised use of systems and their resources\n§ the protection of systems and their resources\n§ reporting of cyber security incidents and suspected compromises of systems and their resources." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] }, { - "id": "control-0817", - "title": "Cyber security awareness training", + "id": "control-1505", + "title": "Authentication hardening", "parts": [ { - "id": "control-0817-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." } ] }, { - "id": "control-0820", - "title": "Cyber security awareness training", + "id": "control-1401", + "title": "Authentication hardening", "parts": [ { - "id": "control-0820-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." 
+ "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." } ] }, { - "id": "control-1146", - "title": "Cyber security awareness training", + "id": "control-1559", + "title": "Authentication hardening", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] }, { - "id": "control-0821", - "title": "Cyber security awareness training", + "id": "control-1560", + "title": "Authentication hardening", "parts": [ { - "id": "control-0821-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." } ] }, { - "id": "control-0824", - "title": "Cyber security awareness training", + "id": "control-1561", + "title": "Authentication hardening", "parts": [ { - "id": "control-0824-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." 
} ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "Access to systems and their resources", + "id": "control-1357", + "title": "Authentication hardening", "parts": [ { - "id": "control-0432-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "Each system’s System Security Plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." } ] }, { - "id": "control-0434", - "title": "Access to systems and their resources", + "id": "control-0417", + "title": "Authentication hardening", "parts": [ { - "id": "control-0434-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-0435", - "title": "Access to systems and their resources", + "id": "control-0421", + "title": "Authentication hardening", "parts": [ { - "id": "control-0435-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." 
} ] }, { - "id": "control-0414", - "title": "Access to systems and their resources", + "id": "control-1557", + "title": "Authentication hardening", "parts": [ { - "id": "control-0414-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] }, { - "id": "control-0415", - "title": "Access to systems and their resources", + "id": "control-0422", + "title": "Authentication hardening", "parts": [ { - "id": "control-0415-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." } ] }, { - "id": "control-0975", - "title": "Access to systems and their resources", + "id": "control-1558", + "title": "Authentication hardening", "parts": [ { - "id": "control-0975-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Passphrases used for single-factor authentication:\n§ are not constructed from song lyrics, movies, literature or any other publicly available material\n§ do not form a real sentence in a natural language\n§ are not a list of categorised words." 
} ] }, { - "id": "control-0420", - "title": "Access to systems and their resources", + "id": "control-1403", + "title": "Authentication hardening", "parts": [ { - "id": "control-0420-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-1538", - "title": "Access to systems and their resources", + "id": "control-0431", + "title": "Authentication hardening", "parts": [ { - "id": "control-1538-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Repeated account lockouts are investigated before reauthorising access." } ] }, { - "id": "control-0405", - "title": "Access to systems and their resources", + "id": "control-0976", + "title": "Authentication hardening", "parts": [ { - "id": "control-0405-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset." } ] }, { - "id": "control-1503", - "title": "Access to systems and their resources", + "id": "control-1227", + "title": "Authentication hardening", "parts": [ { - "id": "control-1503-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." 
+ "prose": "Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date." } ] }, { - "id": "control-0409", - "title": "Access to systems and their resources", + "id": "control-1055", + "title": "Authentication hardening", "parts": [ { - "id": "control-0409-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "LAN Manager is disabled for password/passphrase authentication." } ] }, { - "id": "control-0411", - "title": "Access to systems and their resources", + "id": "control-0418", + "title": "Authentication hardening", "parts": [ { - "id": "control-0411-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "Credentials are stored separately from systems to which they grant access." } ] }, { - "id": "control-0816", - "title": "Access to systems and their resources", + "id": "control-1402", + "title": "Authentication hardening", "parts": [ { - "id": "control-0816-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." 
+ "prose": "Credentials are protected by ensuring:\n§ passwords/passphrases expire every 12 months\n§ passwords/passphrases are stored as salted hashes\n§ password/passphrase stretching is implemented\n§ passwords/passphrases that are compromised are revoked\n§ passwords/passphrases are never sent in the clear across networks." } ] }, { - "id": "control-1507", - "title": "Access to systems and their resources", + "id": "control-0428", + "title": "Authentication hardening", "parts": [ { - "id": "control-1507-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Systems are configured with a session or screen lock that:\n§ activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n§ completely conceals all information on the screen\n§ ensures that the screen does not enter a power saving state before the screen or session lock is activated\n§ requires the user to reauthenticate to unlock the system\n§ denies users the ability to disable the session or screen locking mechanism." } ] }, { - "id": "control-1508", - "title": "Access to systems and their resources", + "id": "control-0408", + "title": "Authentication hardening", "parts": [ { - "id": "control-1508-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." 
} ] }, { - "id": "control-0445", - "title": "Access to systems and their resources", + "id": "control-0979", + "title": "Authentication hardening", "parts": [ { - "id": "control-0445-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "Legal advice is sought on the exact wording of logon banners." } ] - }, - { - "id": "control-1509", - "title": "Access to systems and their resources", - "parts": [ - { - "id": "control-1509-stmt", + } + ] + } + ] + }, + { + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", + "groups": [ + { + "id": "application_development", + "title": "Application development", + "controls": [ + { + "id": "control-0400", + "title": "Application development", + "parts": [ + { + "id": "control-0400-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "Software development, testing and production environments are segregated." } ] }, { - "id": "control-1175", - "title": "Access to systems and their resources", + "id": "control-1419", + "title": "Application development", "parts": [ { - "id": "control-1175-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + "prose": "Development and modification of software only takes place in development environments." 
} ] }, { - "id": "control-0448", - "title": "Access to systems and their resources", + "id": "control-1420", + "title": "Application development", "parts": [ { - "id": "control-0448-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." + "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-0446", - "title": "Access to systems and their resources", + "id": "control-1422", + "title": "Application development", "parts": [ { - "id": "control-0446-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-0447", - "title": "Access to systems and their resources", + "id": "control-1238", + "title": "Application development", "parts": [ { - "id": "control-0447-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." 
} ] }, { - "id": "control-1545", - "title": "Access to systems and their resources", + "id": "control-0401", + "title": "Application development", "parts": [ { - "id": "control-1545-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." } ] }, { - "id": "control-0430", - "title": "Access to systems and their resources", + "id": "control-0402", + "title": "Application development", "parts": [ { - "id": "control-0430-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] - }, + } + ] + }, + { + "id": "web_application_development", + "title": "Web application development", + "controls": [ { - "id": "control-1404", - "title": "Access to systems and their resources", + "id": "control-1239", + "title": "Web application development", "parts": [ { - "id": "control-1404-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." 
} ] }, { - "id": "control-0407", - "title": "Access to systems and their resources", + "id": "control-1552", + "title": "Web application development", "parts": [ { - "id": "control-0407-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n§ all personnel authorised to access the system, and their user identification\n§ who provided authorisation for access\n§ when access was granted\n§ the level of access that was granted\n§ when access, and the level of access, was last reviewed\n§ when the level of access was changed, and to what extent (if applicable)\n§ when access was withdrawn (if applicable)." + "prose": "All web application content is offered exclusively using HTTPS." } ] }, { - "id": "control-0441", - "title": "Access to systems and their resources", + "id": "control-1240", + "title": "Web application development", "parts": [ { - "id": "control-0441-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-0443", - "title": "Access to systems and their resources", + "id": "control-1241", + "title": "Web application development", "parts": [ { - "id": "control-0443-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + "prose": "Output encoding is performed on all output produced by a web application." 
} ] }, { - "id": "control-0078", - "title": "Access to systems and their resources", + "id": "control-1424", + "title": "Web application development", "parts": [ { - "id": "control-0078-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-0854", - "title": "Access to systems and their resources", + "id": "control-0971", + "title": "Web application development", "parts": [ { - "id": "control-0854-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." } ] } 
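Review bot: every `-`/`+` pair in this hunk swaps a control from one group for a control from another (e.g. `- "id": "control-0409"` against `+ "id": "control-1055"`, and at the end `- "id": "control-0854"` against `+ "id": "control-0971"`), so what is really a reorder of groups in the catalog is rendered as wholesale replacement of control statements, and nothing in the hunk shows where the removed "Access to systems and their resources" controls (control-0409 through control-0854) land in the new file. Before merging, compare the sorted set of control ids and their `-stmt` prose between the old and new catalog.json (extract each `"id": "control-NNNN"` with its statement from both sides, sort, diff) and state in the PR that the set is unchanged; a dropped or duplicated control in a regenerated diff of this size cannot be spotted by eye. If the catalog is produced by a script, name the script and the source ISM edition in the PR so the output can be reproduced rather than reviewed line by line.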
@@ -4572,2739 +4570,2803 @@ ] }, { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", + "id": "guidelines_for_using_cryptography", + "title": "Guidelines for Using Cryptography", "groups": [ { - "id": "authentication_hardening", - "title": "Authentication hardening", + "id": "secure_shell", + "title": "Secure Shell", "controls": [ { - "id": "control-1546", - "title": "Authentication hardening", + "id": "control-1506", + "title": "Secure Shell", "parts": [ { - "id": "control-1546-stmt", + "id": "control-1506-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "The use of SSH version 1 is disabled." } ] }, { - "id": "control-0974", - "title": "Authentication hardening", + "id": "control-0484", + "title": "Secure Shell", "parts": [ { - "id": "control-0974-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-1173", - "title": "Authentication hardening", + "id": "control-0485", + "title": "Secure Shell", "parts": [ { - "id": "control-1173-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "Public key-based authentication is used for SSH connections." } ] }, { - "id": "control-1504", - "title": "Authentication hardening", + "id": "control-1449", + "title": "Secure Shell", "parts": [ { - "id": "control-1504-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "SSH private keys are protected with a passphrase or a key encryption key." 
} ] }, { - "id": "control-1505", - "title": "Authentication hardening", + "id": "control-0487", + "title": "Secure Shell", "parts": [ { - "id": "control-1505-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n§ access from IP addresses that do not require access\n§ port forwarding\n§ agent credential forwarding\n§ X11 display remoting\n§ console access." } ] }, { - "id": "control-1401", - "title": "Authentication hardening", + "id": "control-0488", + "title": "Secure Shell", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." } ] }, { - "id": "control-1559", - "title": "Authentication hardening", + "id": "control-0489", + "title": "Secure Shell", "parts": [ { - "id": "control-1559-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." 
} ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", + "controls": [ { - "id": "control-1560", - "title": "Authentication hardening", + "id": "control-0471", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1560-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "If using cryptographic equipment or software that implements an AACA, only AACAs can be used." } ] }, { - "id": "control-1561", - "title": "Authentication hardening", + "id": "control-0994", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1561-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." } ] }, { - "id": "control-1357", - "title": "Authentication hardening", + "id": "control-0472", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1357-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-0417", - "title": "Authentication hardening", + "id": "control-0473", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0417-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." 
+ "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-0421", - "title": "Authentication hardening", + "id": "control-1446", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0421-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." } ] }, { - "id": "control-1557", - "title": "Authentication hardening", + "id": "control-0474", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] }, { - "id": "control-0422", - "title": "Authentication hardening", + "id": "control-0475", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0422-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." 
} ] }, { - "id": "control-1558", - "title": "Authentication hardening", + "id": "control-0476", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n§ are not constructed from song lyrics, movies, literature or any other publicly available material\n§ do not form a real sentence in a natural language\n§ are not a list of categorised words." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1403", - "title": "Authentication hardening", + "id": "control-0477", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1403-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." } ] }, { - "id": "control-0431", - "title": "Authentication hardening", + "id": "control-1054", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0431-stmt", + "id": "control-1054-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." } ] }, { - "id": "control-0976", - "title": "Authentication hardening", + "id": "control-0479", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0976-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset." 
+ "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." } ] }, { - "id": "control-1227", - "title": "Authentication hardening", + "id": "control-0480", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1227-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date." + "prose": "3DES is used with three distinct keys." } ] }, { - "id": "control-1055", - "title": "Authentication hardening", + "id": "control-1232", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1055-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "LAN Manager is disabled for password/passphrase authentication." + "prose": "AACAs are used in an evaluated implementation." } ] }, { - "id": "control-0418", - "title": "Authentication hardening", + "id": "control-1468", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0418-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." 
} ] - }, + } + ] + }, + { + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", + "controls": [ { - "id": "control-1402", - "title": "Authentication hardening", + "id": "control-0490", + "title": "Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-1402-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "Credentials are protected by ensuring:\n§ passwords/passphrases expire every 12 months\n§ passwords/passphrases are stored as salted hashes\n§ password/passphrase stretching is implemented\n§ passwords/passphrases that are compromised are revoked\n§ passwords/passphrases are never sent in the clear across networks." + "prose": "Versions of S/MIME earlier than 3.0 are not used." } ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-0428", - "title": "Authentication hardening", + "id": "control-1139", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0428-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n§ activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n§ completely conceals all information on the screen\n§ ensures that the screen does not enter a power saving state before the screen or session lock is activated\n§ requires the user to reauthenticate to unlock the system\n§ denies users the ability to disable the session or screen locking mechanism." + "prose": "Only the latest version of TLS is used." 
} ] }, { - "id": "control-0408", - "title": "Authentication hardening", + "id": "control-1369", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0408-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-0979", - "title": "Authentication hardening", + "id": "control-1370", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0979-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." + "prose": "Only server-initiated secure renegotiation is used." } ] - } - ] - }, - { - "id": "operating_system_hardening", - "title": "Operating system hardening", - "controls": [ + }, { - "id": "control-1407", - "title": "Operating system hardening", + "id": "control-1372", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1407-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for Standard Operating Environments (SOEs)." + "prose": "DH or ECDH is used for key establishment." } ] }, { - "id": "control-1408", - "title": "Operating system hardening", + "id": "control-1448", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1408-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." 
} ] }, { - "id": "control-1409", - "title": "Operating system hardening", + "id": "control-1373", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1409-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-0383", - "title": "Operating system hardening", + "id": "control-1374", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0383-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + "prose": "SHA-2-based certificates are used." } ] }, { - "id": "control-0380", - "title": "Operating system hardening", + "id": "control-1375", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0380-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." } ] }, { - "id": "control-1491", - "title": "Operating system hardening", + "id": "control-1553", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1491-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." + "prose": "TLS compression is disabled." 
} ] }, { - "id": "control-1410", - "title": "Operating system hardening", + "id": "control-1453", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1410-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + "prose": "PFS is used for TLS connections." } ] - }, + } + ] + }, + { + "id": "cryptographic_system_management", + "title": "Cryptographic system management", + "controls": [ { - "id": "control-1469", - "title": "Operating system hardening", + "id": "control-0501", + "title": "Cryptographic system management", "parts": [ { - "id": "control-1469-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." } ] }, { - "id": "control-0382", - "title": "Operating system hardening", + "id": "control-0142", + "title": "Cryptographic system management", "parts": [ { - "id": "control-0382-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "Users do not have the ability to install, uninstall or disable software." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." 
} ] }, { - "id": "control-0843", - "title": "Operating system hardening", + "id": "control-1091", + "title": "Cryptographic system management", "parts": [ { - "id": "control-0843-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "Keying material is changed when compromised or suspected of being compromised." } ] }, { - "id": "control-1490", - "title": "Operating system hardening", + "id": "control-0499", + "title": "Cryptographic system management", "parts": [ { - "id": "control-1490-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "Aplication control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." } ] }, { - "id": "control-0955", - "title": "Operating system hardening", + "id": "control-0505", + "title": "Cryptographic system management", "parts": [ { - "id": "control-0955-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." } ] }, { - "id": "control-1471", - "title": "Operating system hardening", + "id": "control-0506", + "title": "Cryptographic system management", "parts": [ { - "id": "control-1471-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." 
+ "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." } ] - }, + } + ] + }, + { + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", + "controls": [ { - "id": "control-1392", - "title": "Operating system hardening", + "id": "control-1161", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1392-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." } ] }, { - "id": "control-1544", - "title": "Operating system hardening", + "id": "control-0457", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1544-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." + "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] }, { - "id": "control-0846", - "title": "Operating system hardening", + "id": "control-0460", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-0846-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." 
+ "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-0957", - "title": "Operating system hardening", + "id": "control-0459", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-0957-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-1414", - "title": "Operating system hardening", + "id": "control-0461", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1414-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-1492", - "title": "Operating system hardening", + "id": "control-1080", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1492-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "If supported, Microsoft's 'Exploit protection' functionality is implemented on workstations and servers." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." 
} ] }, { - "id": "control-1341", - "title": "Operating system hardening", + "id": "control-0455", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1341-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." } ] }, { - "id": "control-1034", - "title": "Operating system hardening", + "id": "control-0462", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1034-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] }, { - "id": "control-1416", - "title": "Operating system hardening", + "id": "control-1162", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1416-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." 
} ] }, { - "id": "control-1417", - "title": "Operating system hardening", + "id": "control-0465", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1417-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n§ signature-based detection enabled and set to a high level\n§ heuristic-based detection enabled and set to a high level\n§ detection signatures checked for currency and updated on at least a daily basis\n§ automatic and regular scanning configured for all fixed disks and removable media." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1390", - "title": "Operating system hardening", + "id": "control-0467", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1390-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1418", - "title": "Operating system hardening", + "id": "control-0469", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1418-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." 
} ] } ] }, { - "id": "application_hardening", - "title": "Application hardening", + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", "controls": [ { - "id": "control-0938", - "title": "Application hardening", + "id": "control-0481", + "title": "ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-0938-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "If using cryptographic equipment or software that implements an AACP, only AACAs can be used." } ] - }, + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ { - "id": "control-1467", - "title": "Application hardening", + "id": "control-0494", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1467-stmt", + "id": "control-0494-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." } ] }, { - "id": "control-1483", - "title": "Application hardening", + "id": "control-0496", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1483-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "The ESP protocol is used for IPsec connections." 
} ] }, { - "id": "control-1412", - "title": "Application hardening", + "id": "control-1233", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1412-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-1484", - "title": "Application hardening", + "id": "control-0497", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1484-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." } ] }, { - "id": "control-1485", - "title": "Application hardening", + "id": "control-0498", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." } ] }, { - "id": "control-1486", - "title": "Application hardening", + "id": "control-0998", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1486-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-1541", - "title": "Application hardening", + "id": "control-0999", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1541-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." 
+ "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." } ] }, { - "id": "control-1542", - "title": "Application hardening", + "id": "control-1000", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1542-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "PFS is used for IPsec connections." } ] }, { - "id": "control-1470", - "title": "Application hardening", + "id": "control-1001", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1470-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_network_management", + "title": "Guidelines for Network Management", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ { - "id": "control-1235", - "title": "Application hardening", + "id": "control-1458", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1235-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." 
} ] }, { - "id": "control-1487", - "title": "Application hardening", + "id": "control-1431", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1487-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with service providers, specifically:\n§ their capacity to withstand denial-of-service attacks\n§ any costs likely to be incurred by customers resulting from denial-of-service attacks\n§ thresholds for notifying customers or turning off their online services during denial-of-service attacks\n§ pre-approved actions that can be undertaken during denial-of-service attacks\n§ denial-of-service attack prevention arrangements with upstream providers to block malicious traffic as far upstream as possible." } ] }, { - "id": "control-1488", - "title": "Application hardening", + "id": "control-1432", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1488-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." } ] }, { - "id": "control-1489", - "title": "Application hardening", + "id": "control-1433", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1489-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." + "prose": "24x7 contact details are maintained for service providers and service providers maintain 24x7 contact details for their customers." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ - { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", - "controls": [ + }, { - "id": "control-0580", - "title": "Event logging and auditing", + "id": "control-1434", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0580-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." } ] }, { - "id": "control-1405", - "title": "Event logging and auditing", + "id": "control-1435", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1405-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] }, { - "id": "control-0988", - "title": "Event logging and auditing", + "id": "control-1436", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0988-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." 
} ] }, { - "id": "control-0584", - "title": "Event logging and auditing", + "id": "control-1518", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0584-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." } ] }, { - "id": "control-0582", - "title": "Event logging and auditing", + "id": "control-1437", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0582-stmt", + "id": "control-1437-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n§ access to important data and processes\n§ application crashes and any error messages\n§ attempts to use special privileges\n§ changes to accounts\n§ changes to security policy\n§ changes to system configurations\n§ Domain Name System (DNS) and Hypertext Transfer Protocol requests\n§ failed attempts to access data and system resources\n§ service failures and restarts\n§ system startup and shutdown\n§ transfer of data to external media\n§ user or group management\n§ use of special privileges." + "prose": "A cloud service provider, preferably multiple different cloud service providers, is used for hosting online services." } ] }, { - "id": "control-1536", - "title": "Event logging and auditing", + "id": "control-1438", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1536-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n§ attempted access that is denied\n§ crashes and any error messages\n§ search queries initiated by users." 
+ "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." } ] }, { - "id": "control-1537", - "title": "Event logging and auditing", + "id": "control-1439", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1537-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n§ access to particularly important information\n§ addition of new users, especially privileged users\n§ any query containing comments\n§ any query containing multiple embedded queries\n§ any query or database alerts or failures\n§ attempts to elevate privileges\n§ attempted access that is successful or unsuccessful\n§ changes to the database structure\n§ changes to user roles or database permissions\n§ database administrator actions\n§ database logons and logoffs\n§ modifications to data\n§ use of executable commands." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." } ] }, { - "id": "control-0585", - "title": "Event logging and auditing", + "id": "control-1441", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0585-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "Where a requirement for high availability exists for online services, a denial of service mitigation service is used." 
} ] - }, + } + ] + }, + { + "id": "wireless_networks", + "title": "Wireless networks", + "controls": [ { - "id": "control-0586", - "title": "Event logging and auditing", + "id": "control-1314", + "title": "Wireless networks", "parts": [ { - "id": "control-0586-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." + "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-0859", - "title": "Event logging and auditing", + "id": "control-0536", + "title": "Wireless networks", "parts": [ { - "id": "control-0859-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." } ] }, { - "id": "control-0991", - "title": "Event logging and auditing", + "id": "control-1315", + "title": "Wireless networks", "parts": [ { - "id": "control-0991-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." } ] }, { - "id": "control-0109", - "title": "Event logging and auditing", + "id": "control-1316", + "title": "Wireless networks", "parts": [ { - "id": "control-0109-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." 
+ "prose": "The default SSID of wireless access points is changed." } ] }, { - "id": "control-1228", - "title": "Event logging and auditing", + "id": "control-1317", + "title": "Wireless networks", "parts": [ { - "id": "control-1228-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", - "groups": [ - { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", - "controls": [ + }, { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-1318", + "title": "Wireless networks", "parts": [ { - "id": "control-0123-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "SSID broadcasting is enabled on wireless networks." } ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-1319", + "title": "Wireless networks", "parts": [ { - "id": "control-0141-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "When organisations use outsourced information technology or cloud services, their service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." 
} ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents", + "id": "control-1320", + "title": "Wireless networks", "parts": [ { - "id": "control-0140-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." } ] - } - ] - }, - { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", - "controls": [ + }, { - "id": "control-0125", - "title": "Managing cyber security incidents", + "id": "control-1321", + "title": "Wireless networks", "parts": [ { - "id": "control-0125-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n§ the date the cyber security incident occurred\n§ the date the cyber security incident was discovered\n§ a description of the cyber security incident\n§ any actions taken in response to the cyber security incident\n§ to whom the cyber security incident was reported." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] }, { - "id": "control-0133", - "title": "Managing cyber security incidents", + "id": "control-1322", + "title": "Wireless networks", "parts": [ { - "id": "control-0133-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." + "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." 
} ] }, { - "id": "control-0917", - "title": "Managing cyber security incidents", + "id": "control-1324", + "title": "Wireless networks", "parts": [ { - "id": "control-0917-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n§ the infected systems are isolated\n§ all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n§ antivirus software is used to remove the infection from infected systems and media\n§ if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." } ] }, { - "id": "control-0137", - "title": "Managing cyber security incidents", + "id": "control-1323", + "title": "Wireless networks", "parts": [ { - "id": "control-0137-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "Both device and user certificates are required for accessing wireless networks." } ] }, { - "id": "control-1213", - "title": "Managing cyber security incidents", + "id": "control-1325", + "title": "Wireless networks", "parts": [ { - "id": "control-1213-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." 
} ] }, { - "id": "control-0138", - "title": "Managing cyber security incidents", + "id": "control-1326", + "title": "Wireless networks", "parts": [ { - "id": "control-0138-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators recording all of their actions and ensuring raw audit trails are copied onto media for archiving." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." } ] - } - ] - }, - { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", - "controls": [ + }, { - "id": "control-0576", - "title": "Detecting cyber security incidents", + "id": "control-1327", + "title": "Wireless networks", "parts": [ { - "id": "control-0576-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." } ] }, { - "id": "control-0120", - "title": "Detecting cyber security incidents", + "id": "control-1330", + "title": "Wireless networks", "parts": [ { - "id": "control-0120-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that any security alerts generated by systems are investigated and that systems and data sources are able to be searched for key indicators of compromise including but not limited to IP addresses, domains and file hashes." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems_management", - "title": "Guidelines for Database Systems Management", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Database servers", + "id": "control-1454", + "title": "Wireless networks", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] }, { - "id": "control-1269", - "title": "Database servers", + "id": "control-1332", + "title": "Wireless networks", "parts": [ { - "id": "control-1269-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." } ] }, { - "id": "control-1277", - "title": "Database servers", + "id": "control-1334", + "title": "Wireless networks", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." } ] }, { - "id": "control-1270", - "title": "Database servers", + "id": "control-1335", + "title": "Wireless networks", "parts": [ { - "id": "control-1270-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." 
} ] }, { - "id": "control-1271", - "title": "Database servers", + "id": "control-1338", + "title": "Wireless networks", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." } ] }, { - "id": "control-1272", - "title": "Database servers", + "id": "control-1013", + "title": "Wireless networks", "parts": [ { - "id": "control-1272-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." - } - ] - }, - { - "id": "control-1273", - "title": "Database servers", - "parts": [ - { - "id": "control-1273-stmt", - "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." 
} ] } ] }, { - "id": "database_management_system_software", - "title": "Database management system software", + "id": "network_design_and_configuration", + "title": "Network design and configuration", "controls": [ { - "id": "control-1245", - "title": "Database management system software", + "id": "control-0516", + "title": "Network design and configuration", "parts": [ { - "id": "control-1245-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." } ] }, { - "id": "control-1246", - "title": "Database management system software", + "id": "control-0518", + "title": "Network design and configuration", "parts": [ { - "id": "control-1246-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1247", - "title": "Database management system software", + "id": "control-1178", + "title": "Network design and configuration", "parts": [ { - "id": "control-1247-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." 
} ] }, { - "id": "control-1249", - "title": "Database management system software", + "id": "control-1181", + "title": "Network design and configuration", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." } ] }, { - "id": "control-1250", - "title": "Database management system software", + "id": "control-1532", + "title": "Network design and configuration", "parts": [ { - "id": "control-1250-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1251", - "title": "Database management system software", + "id": "control-0529", + "title": "Network design and configuration", "parts": [ { - "id": "control-1251-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." } ] }, { - "id": "control-1260", - "title": "Database management system software", + "id": "control-1364", + "title": "Network design and configuration", "parts": [ { - "id": "control-1260-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." 
} ] }, { - "id": "control-1262", - "title": "Database management system software", + "id": "control-0535", + "title": "Network design and configuration", "parts": [ { - "id": "control-1262-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-1261", - "title": "Database management system software", + "id": "control-0530", + "title": "Network design and configuration", "parts": [ { - "id": "control-1261-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "Network devices implementing VLANs are managed from the most trusted network." } ] }, { - "id": "control-1263", - "title": "Database management system software", + "id": "control-0521", + "title": "Network design and configuration", "parts": [ { - "id": "control-1263-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-1264", - "title": "Database management system software", + "id": "control-1186", + "title": "Network design and configuration", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." 
} ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Databases", + "id": "control-1428", + "title": "Network design and configuration", "parts": [ { - "id": "control-1243-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-1256", - "title": "Databases", + "id": "control-1429", + "title": "Network design and configuration", "parts": [ { - "id": "control-1256-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." } ] }, { - "id": "control-1252", - "title": "Databases", + "id": "control-1430", + "title": "Network design and configuration", "parts": [ { - "id": "control-1252-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." } ] }, { - "id": "control-0393", - "title": "Databases", + "id": "control-0520", + "title": "Network design and configuration", "parts": [ { - "id": "control-0393-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." 
} ] }, { - "id": "control-1255", - "title": "Databases", + "id": "control-1182", + "title": "Network design and configuration", "parts": [ { - "id": "control-1255-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] }, { - "id": "control-1268", - "title": "Databases", + "id": "control-1301", + "title": "Network design and configuration", "parts": [ { - "id": "control-1268-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." + "prose": "A network device register is maintained and regularly audited." } ] }, { - "id": "control-1258", - "title": "Databases", + "id": "control-1304", + "title": "Network design and configuration", "parts": [ { - "id": "control-1258-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." 
} ] }, { - "id": "control-1274", - "title": "Databases", + "id": "control-0534", + "title": "Network design and configuration", "parts": [ { - "id": "control-1274-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "Unused physical ports on network devices are disabled." } ] }, { - "id": "control-1275", - "title": "Databases", + "id": "control-0385", + "title": "Network design and configuration", "parts": [ { - "id": "control-1275-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-1276", - "title": "Databases", + "id": "control-1479", + "title": "Network design and configuration", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." + "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-1278", - "title": "Databases", + "id": "control-1460", + "title": "Network design and configuration", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware:\n§ the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner\n§ the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism\n§ the underlying operating system running on the server is hardened\n§ patches are applied to the isolation mechanism and underlying operating system in a timely manner\n§ integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ - { - "id": "mobile_device_usage", - "title": "Mobile device usage", - "controls": [ + }, { - "id": "control-1082", - "title": "Mobile device usage", + "id": "control-1462", + "title": "Network design and configuration", "parts": [ { - "id": "control-1082-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." } ] }, { - "id": "control-1083", - "title": "Mobile device usage", + "id": "control-1461", + "title": "Network design and configuration", "parts": [ { - "id": "control-1083-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." } ] }, { - "id": "control-0240", - "title": "Mobile device usage", + "id": "control-1006", + "title": "Network design and configuration", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." } ] }, { - "id": "control-0866", - "title": "Mobile device usage", + "id": "control-1311", + "title": "Network design and configuration", "parts": [ { - "id": "control-0866-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "SNMP version 1 and 2 are not used on networks." } ] }, { - "id": "control-1145", - "title": "Mobile device usage", + "id": "control-1312", + "title": "Network design and configuration", "parts": [ { - "id": "control-1145-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." 
} ] }, { - "id": "control-0871", - "title": "Mobile device usage", + "id": "control-1028", + "title": "Network design and configuration", "parts": [ { - "id": "control-0871-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage, including public network infrastructure." } ] }, { - "id": "control-0870", - "title": "Mobile device usage", + "id": "control-1030", + "title": "Network design and configuration", "parts": [ { - "id": "control-0870-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." } ] }, { - "id": "control-1084", - "title": "Mobile device usage", + "id": "control-1185", + "title": "Network design and configuration", "parts": [ { - "id": "control-1084-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ { - "id": "control-0701", - "title": "Mobile device usage", + "id": "control-0123", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0701-stmt", + "id": "control-0123-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-0702", - "title": "Mobile device usage", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0702-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "When organisations use outsourced information technology or cloud services, their service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1298", - "title": "Mobile device usage", + "id": "control-0140", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1298-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "Cyber security incidents are reported to the ACSC." 
} ] - }, + } + ] + }, + { + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", + "controls": [ { - "id": "control-1554", - "title": "Mobile device usage", + "id": "control-0125", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1554-stmt", + "id": "control-0125-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n§ issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n§ advised on how to apply and inspect tamper seals to key areas of devices\n§ advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "A cyber security incident register is maintained with the following information:\n§ the date the cyber security incident occurred\n§ the date the cyber security incident was discovered\n§ a description of the cyber security incident\n§ any actions taken in response to the cyber security incident\n§ to whom the cyber security incident was reported." } ] }, { - "id": "control-1555", - "title": "Mobile device usage", + "id": "control-0133", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1555-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n§ record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n§ update all applications and operating systems\n§ remove all non-essential accounts, applications and data\n§ apply security configuration settings, such as lock screens\n§ configure remote locate and wipe functionality\n§ enable encryption, including for any media used\n§ backup all important data and configuration settings." 
+ "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." } ] }, { - "id": "control-1299", - "title": "Mobile device usage", + "id": "control-0917", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1299-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n§ never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n§ never storing credentials with devices that they grant access to, such as in laptop bags\n§ never lending devices to untrusted people, even if briefly\n§ never allowing untrusted people to connect other devices or media to their devices, including for charging\n§ never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n§ avoiding connecting devices to open or untrusted Wi-Fi networks\n§ using an approved Virtual Private Network to encrypt all device communications\n§ using encrypted mobile applications for communications instead of using foreign telecommunication networks\n§ disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n§ avoiding reuse of media once used with other parties’ devices or systems\n§ ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n§ never using any gifted devices, especially media, when travelling or upon returning from travelling." 
+ "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n§ the infected systems are isolated\n§ all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n§ antivirus software is used to remove the infection from infected systems and media\n§ if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." } ] }, { - "id": "control-1088", - "title": "Mobile device usage", + "id": "control-0137", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1088-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n§ provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n§ have devices or media stolen that are later returned\n§ lose devices or media that are later found\n§ observe unusual behaviour of devices." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-1300", - "title": "Mobile device usage", + "id": "control-1213", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1300-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n§ sanitise and reset devices, including all media used with them\n§ decommission any physical credentials that left their possession during their travel\n§ report if significant doubt exists as to the integrity of any devices following their travel." 
+ "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." } ] }, { - "id": "control-1556", - "title": "Mobile device usage", + "id": "control-0138", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1556-stmt", + "id": "control-0138-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n§ reset user credentials used with devices, including those used for remote access to their organisation’s systems\n§ monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators recording all of their actions and ensuring raw audit trails are copied onto media for archiving." } ] } ] }, { - "id": "mobile_device_management", - "title": "Mobile device management", + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", "controls": [ { - "id": "control-1533", - "title": "Mobile device management", + "id": "control-0576", + "title": "Detecting cyber security incidents", "parts": [ { - "id": "control-1533-stmt", + "id": "control-0576-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "An intrusion detection and prevention policy is developed and implemented." } ] }, { - "id": "control-1195", - "title": "Mobile device management", + "id": "control-0120", + "title": "Detecting cyber security incidents", "parts": [ { - "id": "control-1195-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." 
+ "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that any security alerts generated by systems are investigated and that systems and data sources are able to be searched for key indicators of compromise including but not limited to IP addresses, domains and file hashes." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems_management", + "title": "Guidelines for Database Systems Management", + "groups": [ + { + "id": "database_servers", + "title": "Database servers", + "controls": [ { - "id": "control-0687", - "title": "Mobile device management", + "id": "control-1425", + "title": "Database servers", "parts": [ { - "id": "control-0687-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "Hard disks of database servers are encrypted using full disk encryption." } ] }, { - "id": "control-1400", - "title": "Mobile device management", + "id": "control-1269", + "title": "Database servers", "parts": [ { - "id": "control-1400-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-0694", - "title": "Mobile device management", + "id": "control-1277", + "title": "Database servers", "parts": [ { - "id": "control-0694-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems." 
+ "prose": "Information communicated between database servers and web applications is encrypted." } ] }, { - "id": "control-1297", - "title": "Mobile device management", + "id": "control-1270", + "title": "Database servers", "parts": [ { - "id": "control-1297-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "Prior to allowing privately-owned mobile devices to connect to an organisation’s systems, legal advice is sought." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-1482", - "title": "Mobile device management", + "id": "control-1271", + "title": "Database servers", "parts": [ { - "id": "control-1482-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." } ] }, { - "id": "control-0869", - "title": "Mobile device management", + "id": "control-1272", + "title": "Database servers", "parts": [ { - "id": "control-0869-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." 
} ] }, { - "id": "control-1085", - "title": "Mobile device management", + "id": "control-1273", + "title": "Database servers", "parts": [ { - "id": "control-1085-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "Test and development environments do not use the same database servers as production environments." } ] - }, + } + ] + }, + { + "id": "databases", + "title": "Databases", + "controls": [ { - "id": "control-1202", - "title": "Mobile device management", + "id": "control-1243", + "title": "Databases", "parts": [ { - "id": "control-1202-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "A database register is maintained and regularly audited." } ] }, { - "id": "control-0682", - "title": "Mobile device management", + "id": "control-1256", + "title": "Databases", "parts": [ { - "id": "control-0682-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." + "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-1196", - "title": "Mobile device management", + "id": "control-1252", + "title": "Databases", "parts": [ { - "id": "control-1196-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, { - "id": "control-1200", - "title": "Mobile device management", + "id": "control-0393", + "title": "Databases", "parts": [ { - "id": "control-1200-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." } ] }, { - "id": "control-1198", - "title": "Mobile device management", + "id": "control-1255", + "title": "Databases", "parts": [ { - "id": "control-1198-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." } ] }, { - "id": "control-1199", - "title": "Mobile device management", + "id": "control-1268", + "title": "Databases", "parts": [ { - "id": "control-1199-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." } ] }, { - "id": "control-0863", - "title": "Mobile device management", + "id": "control-1258", + "title": "Databases", "parts": [ { - "id": "control-0863-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." 
} ] }, { - "id": "control-0864", - "title": "Mobile device management", + "id": "control-1274", + "title": "Databases", "parts": [ { - "id": "control-0864-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." } ] }, { - "id": "control-1365", - "title": "Mobile device management", + "id": "control-1275", + "title": "Databases", "parts": [ { - "id": "control-1365-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." } ] }, { - "id": "control-1366", - "title": "Mobile device management", + "id": "control-1276", + "title": "Databases", "parts": [ { - "id": "control-1366-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." } ] }, { - "id": "control-0874", - "title": "Mobile device management", + "id": "control-1278", + "title": "Databases", "parts": [ { - "id": "control-0874-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." 
+ } + ] + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ + { + "id": "control-1245", + "title": "Database management system software", + "parts": [ + { + "id": "control-1245-stmt", + "name": "statement", + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-0705", - "title": "Mobile device management", + "id": "control-1246", + "title": "Database management system software", "parts": [ { - "id": "control-0705-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "DBMS software is configured according to vendor guidance." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", - "groups": [ - { - "id": "cable_labelling_and_registration", - "title": "Cable labelling and registration", - "controls": [ + }, { - "id": "control-0201", - "title": "Cable labelling and registration", + "id": "control-1247", + "title": "Database management system software", "parts": [ { - "id": "control-0201-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." } ] }, { - "id": "control-0202", - "title": "Cable labelling and registration", + "id": "control-1249", + "title": "Database management system software", "parts": [ { - "id": "control-0202-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." 
+ "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] }, { - "id": "control-0203", - "title": "Cable labelling and registration", + "id": "control-1250", + "title": "Database management system software", "parts": [ { - "id": "control-0203-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." } ] }, { - "id": "control-0204", - "title": "Cable labelling and registration", + "id": "control-1251", + "title": "Database management system software", "parts": [ { - "id": "control-0204-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." + "prose": "The ability of DBMS software to read local files from a server is disabled." } ] }, { - "id": "control-1095", - "title": "Cable labelling and registration", + "id": "control-1260", + "title": "Database management system software", "parts": [ { - "id": "control-1095-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-1096", - "title": "Cable labelling and registration", + "id": "control-1262", + "title": "Database management system software", "parts": [ { - "id": "control-1096-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." 
+ "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-0206", - "title": "Cable labelling and registration", + "id": "control-1261", + "title": "Database management system software", "parts": [ { - "id": "control-0206-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." + "prose": "Database administrator accounts are not shared across different databases." } ] }, { - "id": "control-0208", - "title": "Cable labelling and registration", + "id": "control-1263", + "title": "Database management system software", "parts": [ { - "id": "control-0208-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "A cable register is maintained with the following information:\n§ cable identifier\n§ classification\n§ source\n§ destination\n§ site/floor plan diagram\n§ seal numbers (if applicable)." + "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-0211", - "title": "Cable labelling and registration", + "id": "control-1264", + "title": "Database management system software", "parts": [ { - "id": "control-0211-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "Cables are inspected for inconsistencies with the cable register in accordance with the frequency defined in a system’s System Security Plan." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ { - "id": "cable_patching", - "title": "Cable patching", + "id": "system_owners", + "title": "System owners", "controls": [ { - "id": "control-0213", - "title": "Cable patching", + "id": "control-1071", + "title": "System owners", "parts": [ { - "id": "control-0213-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "Only approved cable groups terminate on a patch panel." + "prose": "Each system has a designated system owner." } ] }, { - "id": "control-1093", - "title": "Cable patching", + "id": "control-1525", + "title": "System owners", "parts": [ { - "id": "control-1093-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." + "prose": "System owners register each system with the system’s authorising officer." } ] }, { - "id": "control-0214", - "title": "Cable patching", + "id": "control-0027", + "title": "System owners", "parts": [ { - "id": "control-0214-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." + "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." 
} ] }, { - "id": "control-1094", - "title": "Cable patching", + "id": "control-1526", + "title": "System owners", "parts": [ { - "id": "control-1094-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." + "prose": "System owners monitor security risks and the effectiveness of security controls for each system." + } + ] + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ + { + "id": "control-0714", + "title": "Chief Information Security Officer", + "parts": [ + { + "id": "control-0714-stmt", + "name": "statement", + "prose": "A CISO is appointed to provide cyber security leadership for their organisation." } ] }, { - "id": "control-0216", - "title": "Cable patching", + "id": "control-1478", + "title": "Chief Information Security Officer", "parts": [ { - "id": "control-0216-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_email_management", + "title": "Guidelines for Email Management", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ + { + "id": "control-0569", + "title": "Email gateways and servers", + "parts": [ + { + "id": "control-0569-stmt", + "name": "statement", + "prose": "Email is routed through a centralised email gateway." 
} ] }, { - "id": "control-0217", - "title": "Cable patching", + "id": "control-0571", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0217-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n§ a physical barrier in the cabinet is provided to separate patch panels\n§ only personnel holding a Positive Vetting security clearance have access to the cabinet\n§ approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." } ] }, { - "id": "control-0218", - "title": "Cable patching", + "id": "control-0570", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0218-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." 
} ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ + }, { - "id": "control-0247", - "title": "Emanation security", + "id": "control-0567", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0247-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-0248", - "title": "Emanation security", + "id": "control-0572", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0248-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." } ] }, { - "id": "control-1137", - "title": "Emanation security", + "id": "control-0574", + "title": "Email gateways and servers", "parts": [ { - "id": "control-1137-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
+ "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." } ] }, { - "id": "control-0932", - "title": "Emanation security", + "id": "control-1183", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0932-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "A hard fail SPF record is used when specifying email servers." } ] }, { - "id": "control-0249", - "title": "Emanation security", + "id": "control-1151", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0249-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "SPF is used to verify the authenticity of incoming emails." } ] }, { - "id": "control-0246", - "title": "Emanation security", + "id": "control-1152", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0246-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
} ] }, { - "id": "control-0250", - "title": "Emanation security", + "id": "control-0861", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0250-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] - } - ] - }, - { - "id": "cable_management", - "title": "Cable management", - "controls": [ + }, { - "id": "control-0181", - "title": "Cable management", + "id": "control-1026", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0181-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority (ACMA)." + "prose": "DKIM signatures on received emails are verified." } ] }, { - "id": "control-0926", - "title": "Cable management", + "id": "control-1027", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0926-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." } ] }, { - "id": "control-0825", - "title": "Cable management", + "id": "control-1540", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0825-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." 
} ] }, { - "id": "control-0826", - "title": "Cable management", + "id": "control-1234", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0826-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." + "prose": "Email content filtering controls are implemented for email bodies and attachments." } ] }, { - "id": "control-1215", - "title": "Cable management", + "id": "control-1502", + "title": "Email gateways and servers", "parts": [ { - "id": "control-1215-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." } ] }, { - "id": "control-1216", - "title": "Cable management", + "id": "control-1024", + "title": "Email gateways and servers", "parts": [ { - "id": "control-1216-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." } ] - }, + } + ] + }, + { + "id": "email_usage", + "title": "Email usage", + "controls": [ { - "id": "control-1112", - "title": "Cable management", + "id": "control-0264", + "title": "Email usage", "parts": [ { - "id": "control-1112-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "An email usage policy is developed and implemented." 
} ] }, { - "id": "control-1118", - "title": "Cable management", + "id": "control-0267", + "title": "Email usage", "parts": [ { - "id": "control-1118-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Access to non-approved webmail services is blocked." } ] }, { - "id": "control-1119", - "title": "Cable management", + "id": "control-0270", + "title": "Email usage", "parts": [ { - "id": "control-1119-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." } ] }, { - "id": "control-1126", - "title": "Cable management", + "id": "control-0271", + "title": "Email usage", "parts": [ { - "id": "control-1126-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Protective marking tools do not automatically insert protective markings into emails." } ] }, { - "id": "control-0184", - "title": "Cable management", + "id": "control-0272", + "title": "Email usage", "parts": [ { - "id": "control-0184-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." 
} ] }, { - "id": "control-0187", - "title": "Cable management", + "id": "control-1089", + "title": "Email usage", "parts": [ { - "id": "control-0187-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." } ] }, { - "id": "control-1111", - "title": "Cable management", + "id": "control-0565", + "title": "Email usage", "parts": [ { - "id": "control-1111-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." } ] }, { - "id": "control-0189", - "title": "Cable management", + "id": "control-1023", + "title": "Email usage", "parts": [ { - "id": "control-0189-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-0190", - "title": "Cable management", + "id": "control-0269", + "title": "Email usage", "parts": [ { - "id": "control-0190-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." + "prose": "Emails containing AUSTEO or AGAO information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." 
} ] }, { - "id": "control-1114", - "title": "Cable management", + "id": "control-1539", + "title": "Email usage", "parts": [ { - "id": "control-1114-stmt", + "id": "control-1539-stmt", "name": "statement", - "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." + "prose": "Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-1130", - "title": "Cable management", + "id": "control-0039", + "title": "Development and maintenance of security documentation", "parts": [ { - "id": "control-1130-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-1164", - "title": "Cable management", + "id": "control-0047", + "title": "Development and maintenance of security documentation", "parts": [ { - "id": "control-1164-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." 
} ] }, { - "id": "control-0195", - "title": "Cable management", + "id": "control-0888", + "title": "Development and maintenance of security documentation", "parts": [ { - "id": "control-0195-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." } ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-0194", - "title": "Cable management", + "id": "control-0041", + "title": "System-specific security documentation", "parts": [ { - "id": "control-0194-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "Systems have a SSP that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-1102", - "title": "Cable management", + "id": "control-0043", + "title": "System-specific security documentation", "parts": [ { - "id": "control-1102-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." 
+ "prose": "Systems have an IRP that covers the following:\n§ guidelines on what constitutes a cyber security incident\n§ the types of incidents likely to be encountered and the expected response to each type\n§ how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n§ other parties which need to be informed in the event of a cyber security incident\n§ the authority, or authorities, responsible for investigating and responding to cyber security incidents\n§ the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n§ the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n§ system contingency measures or a reference to such details if they are located in a separate document." } ] }, { - "id": "control-1101", - "title": "Cable management", + "id": "control-1163", + "title": "System-specific security documentation", "parts": [ { - "id": "control-1101-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." + "prose": "A Continuous Monitoring Plan is developed and implemented that includes:\n§ conducting vulnerability assessments, vulnerability scans and penetration tests for systems at least annually throughout their life cycle to identify security vulnerabilities\n§ analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n§ using a risk-based approach to prioritise the implementation of identified mitigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", + "groups": [ + { + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", + "controls": [ { - "id": "control-1103", - "title": "Cable management", + "id": "control-0252", + "title": "Cyber security awareness training", "parts": [ { - "id": "control-1103-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "Ongoing cyber security awareness training is provided to personnel and includes:\n§ the purpose of the cyber security awareness training\n§ security appointments and contacts within the organisation\n§ the authorised use of systems and their resources\n§ the protection of systems and their resources\n§ reporting of cyber security incidents and suspected compromises of systems and their resources." } ] }, { - "id": "control-1098", - "title": "Cable management", + "id": "control-0817", + "title": "Cyber security awareness training", "parts": [ { - "id": "control-1098-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, { - "id": "control-1100", - "title": "Cable management", + "id": "control-0820", + "title": "Cyber security awareness training", "parts": [ { - "id": "control-1100-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." 
} ] }, { - "id": "control-1116", - "title": "Cable management", + "id": "control-1146", + "title": "Cyber security awareness training", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." } ] }, { - "id": "control-1115", - "title": "Cable management", + "id": "control-0821", + "title": "Cyber security awareness training", "parts": [ { - "id": "control-1115-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." } ] }, { - "id": "control-1133", - "title": "Cable management", + "id": "control-0824", + "title": "Cyber security awareness training", "parts": [ { - "id": "control-1133-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in a party wall." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." } ] - }, + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ { - "id": "control-1122", - "title": "Cable management", + "id": "control-0432", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1122-stmt", + "id": "control-0432-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." 
+ "prose": "Each system’s System Security Plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources." } ] }, { - "id": "control-1134", - "title": "Cable management", + "id": "control-0434", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1134-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." } ] }, { - "id": "control-1104", - "title": "Cable management", + "id": "control-0435", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1104-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] }, { - "id": "control-1105", - "title": "Cable management", + "id": "control-0414", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1105-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." 
} ] }, { - "id": "control-1106", - "title": "Cable management", + "id": "control-0415", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1106-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-1107", - "title": "Cable management", + "id": "control-0975", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1107-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1109", - "title": "Cable management", + "id": "control-0420", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1109-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0198", - "title": "Cable management", + "id": "control-1538", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0198-stmt", + "id": "control-1538-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." 
} ] }, { - "id": "control-1123", - "title": "Cable management", + "id": "control-0405", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1123-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-1135", - "title": "Cable management", + "id": "control-1503", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0336", - "title": "ICT equipment and media", + "id": "control-0409", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0336-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." 
} ] }, { - "id": "control-0159", - "title": "ICT equipment and media", + "id": "control-0411", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0159-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-0161", - "title": "ICT equipment and media", + "id": "control-0816", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0161-stmt", + "id": "control-0816-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." } ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-1507", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1543-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." 
} ] }, { - "id": "control-0225", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-1508", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0225-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-0829", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-0445", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0829-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." } ] }, { - "id": "control-1058", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-1509", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1058-stmt", + "id": "control-1509-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-0222", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-1175", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0222-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." 
+ "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." } ] }, { - "id": "control-0223", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-0448", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0223-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n§ line of sight and reflected communications travelling into unsecured spaces\n§ multiple infrared keyboards for different systems being used in the same area\n§ other infrared devices being used in the same area\n§ infrared keyboards operating in areas with unprotected windows." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." } ] }, { - "id": "control-0224", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-0446", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0224-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n§ line of sight and reflected communications travelling into unsecured spaces\n§ multiple infrared keyboards for different systems being used in the same area\n§ other infrared devices being used in the same area\n§ infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." 
} ] }, { - "id": "control-0221", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-0447", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0221-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." } ] - } - ] - }, - { - "id": "facilities_and_systems", - "title": "Facilities and systems", - "controls": [ + }, { - "id": "control-0810", - "title": "Facilities and systems", + "id": "control-1545", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0810-stmt", + "id": "control-1545-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." } ] }, { - "id": "control-1053", - "title": "Facilities and systems", + "id": "control-0430", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1053-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." 
} ] }, { - "id": "control-1530", - "title": "Facilities and systems", + "id": "control-1404", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1530-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." } ] }, { - "id": "control-0813", - "title": "Facilities and systems", + "id": "control-0407", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "A secure record is maintained for the life of each system covering:\n§ all personnel authorised to access the system, and their user identification\n§ who provided authorisation for access\n§ when access was granted\n§ the level of access that was granted\n§ when access, and the level of access, was last reviewed\n§ when the level of access was changed, and to what extent (if applicable)\n§ when access was withdrawn (if applicable)." } ] }, { - "id": "control-1074", - "title": "Facilities and systems", + "id": "control-0441", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1074-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." 
} ] }, { - "id": "control-0157", - "title": "Facilities and systems", + "id": "control-0443", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0157-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." } ] }, { - "id": "control-1296", - "title": "Facilities and systems", + "id": "control-0078", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." } ] }, { - "id": "control-0164", - "title": "Facilities and systems", + "id": "control-0854", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0164-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] } 
@@ -7313,895 +7375,833 @@ ] }, { - "id": "guidelines_for_data_transfers_and_content_filtering", - "title": "Guidelines for Data Transfers and Content Filtering", + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", "groups": [ { - "id": "content_filtering", - "title": "Content filtering", + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", "controls": [ { - "id": "control-0659", - "title": "Content filtering", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0659-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-0546", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1524-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." } ] }, { - "id": "control-0651", - "title": "Content filtering", + "id": "control-0547", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0651-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "Video conferencing and IP telephony signalling and data is encrypted." 
} ] }, { - "id": "control-0652", - "title": "Content filtering", + "id": "control-0548", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0652-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-1389", - "title": "Content filtering", + "id": "control-0554", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1389-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-1284", - "title": "Content filtering", + "id": "control-0553", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1284-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." } ] }, { - "id": "control-1286", - "title": "Content filtering", + "id": "control-0555", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1286-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." 
+ "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-1287", - "title": "Content filtering", + "id": "control-0551", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1287-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "IP telephony is configured such that:\n§ IP phones authenticate themselves to the call controller upon registration\n§ auto-registration is disabled and only authorised devices are allowed to access the network\n§ unauthorised devices are blocked by default\n§ all unused and prohibited functionality is disabled." } ] }, { - "id": "control-1288", - "title": "Content filtering", + "id": "control-1014", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1288-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Individual logins are used for IP phones." } ] }, { - "id": "control-1289", - "title": "Content filtering", + "id": "control-0549", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1289-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." 
} ] }, { - "id": "control-1290", - "title": "Content filtering", + "id": "control-0556", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1290-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-1291", - "title": "Content filtering", + "id": "control-1015", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Traditional analog phones are used in public areas." } ] }, { - "id": "control-0649", - "title": "Content filtering", + "id": "control-0558", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0649-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] }, { - "id": "control-1292", - "title": "Content filtering", + "id": "control-0559", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1292-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." 
} ] }, { - "id": "control-0677", - "title": "Content filtering", + "id": "control-1450", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0677-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." } ] }, { - "id": "control-1293", - "title": "Content filtering", + "id": "control-1019", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1293-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "A denial of service response plan is developed and implemented that includes:\n§ how to identify signs of a denial of service\n§ how to identify the source of a denial of service\n§ how capabilities can be maintained during a denial of service\n§ what actions can be taken to clear a denial of service." } ] } ] }, { - "id": "data_transfers", - "title": "Data transfers", + "id": "telephone_systems", + "title": "Telephone systems", "controls": [ { - "id": "control-0663", - "title": "Data transfers", - "parts": [ - { - "id": "control-0663-stmt", - "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." - } - ] - }, - { - "id": "control-0661", - "title": "Data transfers", - "parts": [ - { - "id": "control-0661-stmt", - "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." 
- } - ] - }, - { - "id": "control-0665", - "title": "Data transfers", - "parts": [ - { - "id": "control-0665-stmt", - "name": "statement", - "prose": "Trusted sources are a strictly limited number of personnel that have been authorised as such by an organisation’s CISO." - } - ] - }, - { - "id": "control-0675", - "title": "Data transfers", + "id": "control-1078", + "title": "Telephone systems", "parts": [ { - "id": "control-0675-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "A trusted source makes an informed decision to sign all data authorised for export from a security domain." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-0664", - "title": "Data transfers", + "id": "control-0229", + "title": "Telephone systems", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-0657", - "title": "Data transfers", + "id": "control-0230", + "title": "Telephone systems", "parts": [ { - "id": "control-0657-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." 
} ] }, { - "id": "control-0658", - "title": "Data transfers", + "id": "control-0231", + "title": "Telephone systems", "parts": [ { - "id": "control-0658-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-1187", - "title": "Data transfers", + "id": "control-0232", + "title": "Telephone systems", "parts": [ { - "id": "control-1187-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0669", - "title": "Data transfers", + "id": "control-0233", + "title": "Telephone systems", "parts": [ { - "id": "control-0669-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n§ protective marking checks\n§ data format checks and logging\n§ monitoring to detect overuse/unusual usage patterns\n§ limitations on data types and sizes\n§ keyword searches on all textual data." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." } ] }, { - "id": "control-1535", - "title": "Data transfers", + "id": "control-0235", + "title": "Telephone systems", "parts": [ { - "id": "control-1535-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." 
+ "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-0678", - "title": "Data transfers", + "id": "control-0236", + "title": "Telephone systems", "parts": [ { - "id": "control-0678-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." } ] }, { - "id": "control-0667", - "title": "Data transfers", + "id": "control-0931", + "title": "Telephone systems", "parts": [ { - "id": "control-0667-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "Data exported from each security domain, including through a gateway, is only permitted once the classification has been assessed including a protective marking check." + "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." } ] }, { - "id": "control-0660", - "title": "Data transfers", + "id": "control-0237", + "title": "Telephone systems", "parts": [ { - "id": "control-0660-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "When importing data to each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." + "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." 
} ] - }, + } + ] + }, + { + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", + "controls": [ { - "id": "control-0673", - "title": "Data transfers", + "id": "control-0588", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-0673-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "When exporting data out of each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." + "prose": "A fax machine and MFD usage policy is developed and implemented." } ] }, { - "id": "control-1294", - "title": "Data transfers", + "id": "control-1092", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-1294-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "When importing content to a security domain, including through a gateway, monthly audits of the imported content are performed." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." } ] }, { - "id": "control-1295", - "title": "Data transfers", + "id": "control-0241", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-1295-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "When exporting content out of a security domain, including through a gateway, monthly audits of the exported content are performed." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment_management", - "title": "Guidelines for ICT Equipment Management", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1075", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-0313-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." } ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0590", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-1550-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." } ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0245", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-0311-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." 
+ "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0589", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-1217-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." } ] }, { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1036", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ { - "id": "control-0315", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1510", + "title": "Data backup and restoration", "parts": [ { - "id": "control-0315-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-1218", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1547", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1218-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." } ] }, { - "id": "control-0312", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1548", + "title": "Data backup and restoration", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
} ] }, { - "id": "control-0317", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1511", + "title": "Data backup and restoration", "parts": [ { - "id": "control-0317-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] }, { - "id": "control-1219", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1512", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." } ] }, { - "id": "control-1220", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1513", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1220-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "Backups are stored at a multiple geographically-dispersed locations." } ] }, { - "id": "control-1221", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1514", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1221-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Backups are stored for three months or greater." 
} ] }, { - "id": "control-0318", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1515", + "title": "Data backup and restoration", "parts": [ { - "id": "control-0318-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1534", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1516", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1534-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." } ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-1076", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1211", + "title": "Change management", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n§ identification and documentation of requests for change\n§ approval required for changes to be made\n§ implementation and testing of approved changes\n§ the maintenance of system and security documentation." 
} ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-1222", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0042", + "title": "System administration", "parts": [ { - "id": "control-1222-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." } ] }, { - "id": "control-1223", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1380", + "title": "System administration", "parts": [ { - "id": "control-1223-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n§ following device-specific guidance provided by the ACSC\n§ following vendor sanitisation guidance\n§ loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] }, - { - "id": "control-1225", - "title": "ICT equipment sanitisation and disposal", + { + "id": "control-1382", + "title": "System administration", "parts": [ { - "id": "control-1225-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." 
} ] }, { - "id": "control-1226", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1381", + "title": "System administration", "parts": [ { - "id": "control-1226-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." } ] - } - ] - }, - { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", - "controls": [ + }, { - "id": "control-1079", - "title": "ICT equipment maintenance and repairs", + "id": "control-1383", + "title": "System administration", "parts": [ { - "id": "control-1079-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." } ] }, { - "id": "control-0305", - "title": "ICT equipment maintenance and repairs", + "id": "control-1384", + "title": "System administration", "parts": [ { - "id": "control-0305-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "Multi-factor authentication is used to authenticate users each time they perform privileged actions." 
} ] }, { - "id": "control-0307", - "title": "ICT equipment maintenance and repairs", + "id": "control-1385", + "title": "System administration", "parts": [ { - "id": "control-0307-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." } ] }, { - "id": "control-0306", - "title": "ICT equipment maintenance and repairs", + "id": "control-1386", + "title": "System administration", "parts": [ { - "id": "control-0306-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n§ is appropriately cleared and briefed\n§ takes due care to ensure that information is not disclosed\n§ takes all responsible measures to ensure the integrity of the ICT equipment\n§ has the authority to direct the technician\n§ is sufficiently familiar with the ICT equipment to understand the work being performed." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-0310", - "title": "ICT equipment maintenance and repairs", + "id": "control-1387", + "title": "System administration", "parts": [ { - "id": "control-0310-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." + "prose": "All administrative actions are conducted through a jump server." 
} ] }, { - "id": "control-0944", - "title": "ICT equipment maintenance and repairs", + "id": "control-1388", + "title": "System administration", "parts": [ { - "id": "control-0944-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." } ] } ] }, { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", + "id": "system_patching", + "title": "System patching", "controls": [ { - "id": "control-1551", - "title": "ICT equipment usage", + "id": "control-1143", + "title": "System patching", "parts": [ { - "id": "control-1551-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-0293", - "title": "ICT equipment usage", + "id": "control-1493", + "title": "System patching", "parts": [ { - "id": "control-0293-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." 
} ] }, { - "id": "control-0294", - "title": "ICT equipment usage", + "id": "control-1144", + "title": "System patching", "parts": [ { - "id": "control-0294-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0296", - "title": "ICT equipment usage", - "parts": [ - { - "id": "control-0296-stmt", - "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ - { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", - "controls": [ - { - "id": "control-0714", - "title": "Chief Information Security Officer", + "id": "control-0940", + "title": "System patching", "parts": [ { - "id": "control-0714-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership for their organisation." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-1478", - "title": "Chief Information Security Officer", + "id": "control-1472", + "title": "System patching", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ + }, { - "id": "control-1071", - "title": "System owners", + "id": "control-1494", + "title": "System patching", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1525", - "title": "System owners", + "id": "control-1495", + "title": "System patching", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "System owners register each system with the system’s authorising officer." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-0027", - "title": "System owners", + "id": "control-1496", + "title": "System patching", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." + "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1526", - "title": "System owners", + "id": "control-0300", + "title": "System patching", "parts": [ { - "id": "control-1526-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "System owners monitor security risks and the effectiveness of security controls for each system." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ - { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", - "controls": [ + }, { - "id": "control-0100", - "title": "Information technology and cloud services", + "id": "control-0298", + "title": "System patching", "parts": [ { - "id": "control-0100-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program assessors at least every two years." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." 
} ] }, { - "id": "control-1395", - "title": "Information technology and cloud services", + "id": "control-0303", + "title": "System patching", "parts": [ { - "id": "control-1395-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "If using an outsourced information technology or cloud service, the service provider provides an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." } ] }, { - "id": "control-1529", - "title": "Information technology and cloud services", + "id": "control-1497", + "title": "System patching", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "If using outsourced cloud services for highly classified information, public clouds are not used." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-0873", - "title": "Information technology and cloud services", + "id": "control-1498", + "title": "System patching", "parts": [ { - "id": "control-0873-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "If using an outsourced information technology or cloud service, a service provider whose systems are located in Australia is used." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." 
} ] }, { - "id": "control-0072", - "title": "Information technology and cloud services", + "id": "control-1499", + "title": "System patching", "parts": [ { - "id": "control-0072-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Any security controls associated with the protection of information entrusted to a service provider are documented in contract provisions, a memorandum of understanding or an equivalent formal agreement between parties." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." } ] }, { - "id": "control-1073", - "title": "Information technology and cloud services", + "id": "control-1500", + "title": "System patching", "parts": [ { - "id": "control-1073-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider from outside Australian borders unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1451", - "title": "Information technology and cloud services", + "id": "control-0304", + "title": "System patching", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "When entering into a contractual arrangement for outsourced information technology or cloud services, contractual ownership over an organisation’s data is explicitly retained." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." 
} ] }, { - "id": "control-1452", - "title": "Information technology and cloud services", + "id": "control-1501", + "title": "System patching", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "A review of suppliers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } diff --git a/ISM_catalog_profile/catalogs/ISM_April_2021/catalog.json b/ISM_catalog_profile/catalogs/ISM_April_2021/catalog.json index 00f8e52..9041d06 100644 --- a/ISM_catalog_profile/catalogs/ISM_April_2021/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_April_2021/catalog.json 
@@ -1,1301 +1,1135 @@ { "catalog": { - "uuid": "85301d72-6df4-4851-8c4c-58e87b747157", + "uuid": "6110d1e6-0221-458f-b969-7796eb374389", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:20:18.926+00:00", + "last-modified": "2022-04-28T11:43:31.232703+10:00", "version": "April_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration process and procedures", + "id": "control-0580", + "title": "Event logging policy", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "Separate administrator workstations", + "id": "control-1405", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1382", - "title": "Separate administrator workstations", + "id": "control-0988", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1381", - "title": "Separate administrator workstations", + "id": "control-0584", + "title": "Events to be logged", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1383", - "title": "Separate administrator workstations", + "id": "control-0582", + "title": "Events to be logged", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." 
} ] }, { - "id": "control-1385", - "title": "Dedicated administration zones and communication restrictions", + "id": "control-1536", + "title": "Events to be logged", "parts": [ { - "id": "control-1385-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." } ] }, { - "id": "control-1386", - "title": "Restriction of management traffic flows", + "id": "control-1537", + "title": "Events to be logged", "parts": [ { - "id": "control-1386-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." } ] }, { - "id": "control-1387", - "title": "Jump servers", + "id": "control-0585", + "title": "Events log details", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-1388", - "title": "Jump servers", + "id": "control-0586", + "title": "Event log protection", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management process and procedures", + "id": "control-0859", + "title": "Event log retention", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "Patch management process and procedures", + "id": "control-0991", + "title": "Event log retention", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] }, { - "id": "control-1493", - "title": "Patch management process and procedures", + "id": "control-0109", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1493-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1144", - "title": "When to patch security vulnerabilities", + "id": "control-1228", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1144-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_email", + "title": "Guidelines for Email", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ { - "id": "control-0940", - "title": "When to patch security vulnerabilities", + "id": "control-0569", + "title": "Centralised email gateways", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0569-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email is routed through a centralised email gateway." } ] }, { - "id": "control-1472", - "title": "When to patch security vulnerabilities", + "id": "control-0571", + "title": "Centralised email gateways", "parts": [ { - "id": "control-1472-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." } ] }, { - "id": "control-1494", - "title": "When to patch security vulnerabilities", + "id": "control-0570", + "title": "Email gateway maintenance activities", "parts": [ { - "id": "control-1494-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
+ "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." } ] }, { - "id": "control-1495", - "title": "When to patch security vulnerabilities", + "id": "control-0567", + "title": "Open relay email servers", "parts": [ { - "id": "control-1495-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-1496", - "title": "When to patch security vulnerabilities", + "id": "control-0572", + "title": "Email server transport encryption", "parts": [ { - "id": "control-1496-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." } ] }, { - "id": "control-0300", - "title": "When to patch security vulnerabilities", + "id": "control-1589", + "title": "Email server transport encryption", "parts": [ { - "id": "control-0300-stmt", + "id": "control-1589-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." 
} ] }, { - "id": "control-0298", - "title": "How to patch security vulnerabilities", + "id": "control-0574", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." } ] }, { - "id": "control-0303", - "title": "How to patch security vulnerabilities", + "id": "control-1183", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0303-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "A hard fail SPF record is used when specifying email servers." } ] }, { - "id": "control-1497", - "title": "How to patch security vulnerabilities", + "id": "control-1151", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1497-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "SPF is used to verify the authenticity of incoming emails." } ] }, { - "id": "control-1498", - "title": "How to patch security vulnerabilities", + "id": "control-1152", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1498-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
} ] }, { - "id": "control-1499", - "title": "How to patch security vulnerabilities", + "id": "control-0861", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-1500", - "title": "How to patch security vulnerabilities", + "id": "control-1026", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1500-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "DKIM signatures on received emails are verified." } ] }, { - "id": "control-0304", - "title": "Cessation of support", + "id": "control-1027", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0304-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." 
} ] }, { - "id": "control-1501", - "title": "Cessation of support", + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", "parts": [ { - "id": "control-1501-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." - } - ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ - { - "id": "control-1510", - "title": "Digital preservation policy", - "parts": [ - { - "id": "control-1510-stmt", - "name": "statement", - "prose": "A digital preservation policy is developed and implemented." - } - ] - }, - { - "id": "control-1547", - "title": "Data backup and restoration processes and procedures", - "parts": [ - { - "id": "control-1547-stmt", - "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] }, { - "id": "control-1548", - "title": "Data backup and restoration processes and procedures", - "parts": [ - { - "id": "control-1548-stmt", - "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." - } - ] - }, - { - "id": "control-1511", - "title": "Performing backups", - "parts": [ - { - "id": "control-1511-stmt", - "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." 
- } - ] - }, - { - "id": "control-1512", - "title": "Backup storage", - "parts": [ - { - "id": "control-1512-stmt", - "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." - } - ] - }, - { - "id": "control-1513", - "title": "Backup storage", - "parts": [ - { - "id": "control-1513-stmt", - "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." - } - ] - }, - { - "id": "control-1514", - "title": "Retention periods for backups", + "id": "control-1234", + "title": "Email content filtering", "parts": [ { - "id": "control-1514-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Email content filtering controls are implemented for email bodies and attachments." } ] }, { - "id": "control-1515", - "title": "Testing restoration of backups", + "id": "control-1502", + "title": "Blocking suspicious emails", "parts": [ { - "id": "control-1515-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." } ] }, { - "id": "control-1516", - "title": "Testing restoration of backups", + "id": "control-1024", + "title": "Undeliverable messages", "parts": [ { - "id": "control-1516-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_gateways", - "title": "Guidelines for Gateways", - "groups": [ + }, { - "id": "firewalls", - "title": "Firewalls", + "id": "email_usage", + "title": "Email usage", "controls": [ { - "id": "control-1528", - "title": "Using firewalls", - "parts": [ - { - "id": "control-1528-stmt", - "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." - } - ] - }, - { - "id": "control-0639", - "title": "Using firewalls", - "parts": [ - { - "id": "control-0639-stmt", - "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." - } - ] - }, - { - "id": "control-1194", - "title": "Using firewalls", + "id": "control-0264", + "title": "Email usage policy", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "An email usage policy is developed and implemented." } ] }, { - "id": "control-0641", - "title": "Firewalls for particularly important networks", + "id": "control-0267", + "title": "Webmail services", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "Access to non-approved webmail services is blocked." 
} ] }, { - "id": "control-0642", - "title": "Firewalls for particularly important networks", - "parts": [ - { - "id": "control-0642-stmt", - "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." - } - ] - } - ] - }, - { - "id": "gateways", - "title": "Gateways", - "controls": [ - { - "id": "control-0628", - "title": "Gateway architecture and configuration", + "id": "control-0270", + "title": "Protective markings for emails", "parts": [ { - "id": "control-0628-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." } ] }, { - "id": "control-1192", - "title": "Gateway architecture and configuration", + "id": "control-0271", + "title": "Protective marking tools", "parts": [ { - "id": "control-1192-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "Protective marking tools do not automatically insert protective markings into emails." 
} ] }, { - "id": "control-0631", - "title": "Gateway architecture and configuration", + "id": "control-0272", + "title": "Protective marking tools", "parts": [ { - "id": "control-0631-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." } ] }, { - "id": "control-1427", - "title": "Gateway architecture and configuration", + "id": "control-1089", + "title": "Protective marking tools", "parts": [ { - "id": "control-1427-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." 
} ] }, { - "id": "control-0634", - "title": "Gateway operation", + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0634-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." } ] }, { - "id": "control-0637", - "title": "Demilitarised zones", + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0637-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-1037", - "title": "Gateway testing", + "id": "control-0269", + "title": "Email distribution lists", "parts": [ { - "id": "control-1037-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." 
+ "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ + { + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", + "controls": [ { - "id": "control-0611", - "title": "Gateway administration", + "id": "control-0336", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0611-stmt", + "id": "control-0336-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "An ICT equipment and media register is maintained and regularly audited." } ] }, { - "id": "control-0612", - "title": "Gateway administration", + "id": "control-0159", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0612-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "All ICT equipment and media are accounted for on a regular basis." } ] }, { - "id": "control-1520", - "title": "Gateway administration", + "id": "control-0161", + "title": "Securing ICT equipment and media", "parts": [ { - "id": "control-1520-stmt", + "id": "control-0161-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "ICT equipment and media are secured when not in use." 
} ] - }, + } + ] + }, + { + "id": "facilities_and_systems", + "title": "Facilities and systems", + "controls": [ { - "id": "control-0613", - "title": "Gateway administration", + "id": "control-0810", + "title": "Facilities containing systems", "parts": [ { - "id": "control-0613-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." } ] }, { - "id": "control-0616", - "title": "Gateway administration", + "id": "control-1053", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0616-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "Roles for the administration of gateways are separated." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." } ] }, { - "id": "control-0629", - "title": "Gateway administration", + "id": "control-1530", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0629-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." 
} ] }, { - "id": "control-0607", - "title": "Shared ownership of gateways", + "id": "control-0813", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0607-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0619", - "title": "Gateway authentication", + "id": "control-1074", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0619-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." } ] }, { - "id": "control-0620", - "title": "Gateway authentication", + "id": "control-0157", + "title": "Network infrastructure", "parts": [ { - "id": "control-0620-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." } ] }, { - "id": "control-1039", - "title": "Gateway authentication", + "id": "control-1296", + "title": "Controlling physical access to network devices", "parts": [ { - "id": "control-1039-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." 
} ] }, { - "id": "control-0622", - "title": "ICT equipment authentication", + "id": "control-0164", + "title": "Preventing observation by unauthorised people", "parts": [ { - "id": "control-0622-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." } ] } ] }, { - "id": "diodes", - "title": "Diodes", + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", "controls": [ { - "id": "control-0643", - "title": "Using diodes", - "parts": [ - { - "id": "control-0643-stmt", - "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." - } - ] - }, - { - "id": "control-0645", - "title": "Using diodes", - "parts": [ - { - "id": "control-0645-stmt", - "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." - } - ] - }, - { - "id": "control-1157", - "title": "Using diodes", - "parts": [ - { - "id": "control-1157-stmt", - "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." - } - ] - }, - { - "id": "control-1158", - "title": "Using diodes", - "parts": [ - { - "id": "control-1158-stmt", - "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." 
- } - ] - }, - { - "id": "control-0646", - "title": "Diodes for particularly important networks", + "id": "control-1543", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0646-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." } ] }, { - "id": "control-0647", - "title": "Diodes for particularly important networks", + "id": "control-0225", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0647-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-0648", - "title": "Volume checking", - "parts": [ - { - "id": "control-0648-stmt", - "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." - } - ] - } - ] - }, - { - "id": "content_filtering", - "title": "Content filtering", - "controls": [ - { - "id": "control-0659", - "title": "Content filtering", + "id": "control-0829", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0659-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." 
} ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-1058", + "title": "Bluetooth and wireless keyboards", "parts": [ { - "id": "control-1524-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." } ] }, { - "id": "control-0651", - "title": "Active, malicious and suspicious content", + "id": "control-0222", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0651-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-0652", - "title": "Active, malicious and suspicious content", + "id": "control-0223", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0652-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." 
} ] }, { - "id": "control-1389", - "title": "Automated dynamic analysis", + "id": "control-0224", + "title": "Infrared keyboards", "parts": [ { - "id": "control-1389-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." } ] }, { - "id": "control-1284", - "title": "Content validation", + "id": "control-0221", + "title": "Wireless RF pointing devices", "parts": [ { - "id": "control-1284-stmt", + "id": "control-0221-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ + { + "id": "mobile_device_management", + "title": "Mobile device management", + "controls": [ { - "id": "control-1286", - "title": "Content conversion and transformation", + "id": "control-1533", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1286-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "A mobile device management policy is developed and implemented." 
} ] }, { - "id": "control-1287", - "title": "Content sanitisation", + "id": "control-1195", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1287-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." } ] }, { - "id": "control-1288", - "title": "Antivirus scanning", + "id": "control-0687", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1288-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-1289", - "title": "Archive and container files", + "id": "control-1400", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1289-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." 
} ] }, { - "id": "control-1290", - "title": "Archive and container files", + "id": "control-0694", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1290-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Privately-owned mobile devices do not access highly classified systems or information." } ] }, { - "id": "control-1291", - "title": "Archive and container files", + "id": "control-1297", + "title": "Seeking legal advice for privately-owned mobile devices", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." } ] }, { - "id": "control-0649", - "title": "Allowing access to specific content types", + "id": "control-1482", + "title": "Organisation-owned mobile devices", "parts": [ { - "id": "control-0649-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] }, { - "id": "control-1292", - "title": "Data integrity", + "id": "control-0869", + "title": "Mobile device storage encryption", "parts": [ { - "id": "control-1292-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, { - "id": "control-0677", - "title": "Data integrity", + "id": "control-1085", + "title": "Mobile device communications encryption", "parts": [ { - "id": "control-0677-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-1293", - "title": "Encrypted data", + "id": "control-1202", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-1293-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] - } - ] - }, - { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", - "controls": [ + }, { - "id": "control-0626", - "title": "When to implement a Cross Domain Solution", + "id": "control-0682", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0626-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
} ] }, { - "id": "control-0597", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1196", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-0597-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-0627", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1200", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-0627-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-0635", - "title": "Separation of data flows", + "id": "control-1198", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-0635-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." 
} ] }, { - "id": "control-1521", - "title": "Separation of data flows", + "id": "control-1199", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1521-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." } ] }, { - "id": "control-1522", - "title": "Separation of data flows", + "id": "control-0863", + "title": "Configuration control", "parts": [ { - "id": "control-1522-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-0670", - "title": "Event logging", + "id": "control-0864", + "title": "Configuration control", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] }, { - "id": "control-1523", - "title": "Event logging", + "id": "control-1365", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1523-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." 
+ "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] }, { - "id": "control-0610", - "title": "User training", + "id": "control-1366", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-0610-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." } ] - } - ] - }, - { - "id": "web_content_filters", - "title": "Web content filters", - "controls": [ + }, { - "id": "control-0963", - "title": "Using web content filters", + "id": "control-0874", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-0961", - "title": "Using web content filters", + "id": "control-0705", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0961-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." 
} ] - }, + } + ] + }, + { + "id": "mobile_device_usage", + "title": "Mobile device usage", + "controls": [ { - "id": "control-1237", - "title": "Using web content filters", + "id": "control-1082", + "title": "Mobile device usage policy", "parts": [ { - "id": "control-1237-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "A mobile device usage policy is developed and implemented." } ] }, { - "id": "control-0263", - "title": "Transport Layer Security filtering", + "id": "control-1083", + "title": "Personnel awareness", "parts": [ { - "id": "control-0263-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0996", - "title": "Inspection of Transport Layer Security traffic", + "id": "control-0240", + "title": "Paging and message services", "parts": [ { - "id": "control-0996-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." 
} ] }, { - "id": "control-0958", - "title": "Allowing access to specific websites", + "id": "control-0866", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0958-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." } ] }, { - "id": "control-1170", - "title": "Allowing access to specific websites", + "id": "control-1145", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-1170-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-0959", - "title": "Blocking access to specific websites", + "id": "control-0871", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0959-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-0960", - "title": "Blocking access to specific websites", + "id": "control-0870", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0960-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." 
+ "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-1171", - "title": "Blocking access to specific websites", + "id": "control-1084", + "title": "Carrying mobile devices", "parts": [ { - "id": "control-1171-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." } ] }, { - "id": "control-1236", - "title": "Blocking access to specific websites", + "id": "control-0701", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-1236-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." } ] - } - ] - }, - { - "id": "web_proxies", - "title": "Web proxies", - "controls": [ + }, { - "id": "control-0258", - "title": "Web usage policy", + "id": "control-0702", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0258-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." 
} ] }, { - "id": "control-0260", - "title": "Using web proxies", + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0260-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." } ] }, { - "id": "control-0261", - "title": "Web proxy authentication and logging", + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0261-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." + "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." } ] - } - ] - }, - { - "id": "peripheral_switches", - "title": "Peripheral switches", - "controls": [ + }, { - "id": "control-0591", - "title": "Using peripheral switches", + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0591-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." 
+ "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." } ] }, { - "id": "control-1480", - "title": "Using peripheral switches", + "id": "control-1299", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-1480-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• 
avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." } ] }, { - "id": "control-1457", - "title": "Using peripheral switches", + "id": "control-1088", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." } ] }, { - "id": "control-0593", - "title": "Using peripheral switches", + "id": "control-1300", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0593-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." 
} ] }, { - "id": "control-0594", - "title": "Peripheral switches for particularly important systems", + "id": "control-1556", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0594-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." + "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." } ] } 
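Review bot: this hunk reads as a wholesale removal of four groups and their controls with no matching `+` lines in the same hunk, so the diff alone cannot show whether they were dropped or only re-ordered in the regenerated catalog. The removed lines `- "id": "cross_domain_solutions",`, `- "id": "web_content_filters",`, `- "id": "web_proxies",` and `- "id": "peripheral_switches",` take with them control-0626, control-0597, control-0627, control-0635, control-1521, control-1522, control-0670, control-1523, control-0610, control-0963, control-0961, control-1237, control-0263, control-0996, control-0958, control-1170, control-0959, control-0960, control-1171, control-1236, control-0258, control-0260, control-0261, control-0591, control-1480, control-1457, control-0593 and control-0594, while the `+` side only adds mobile device controls (control-1085 through control-1556). If this is a re-serialisation with a different group order, say so in the commit message and, before merging, compare the set of control ids in the old and new catalog.json (for example `jq -r '.. | .id? // empty' old.json | sort` against the same for the new file) and confirm they are identical; a silently missing Cross Domain Solutions control would not fail any JSON validation but would change what every profile that selects controls from this catalog by id actually resolves to.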
@@ -1388,748 +1222,842 @@ ] }, { - "id": "guidelines_for_networking", - "title": "Guidelines for Networking", + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", "groups": [ { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", + "id": "emanation_security", + "title": "Emanation security", "controls": [ { - "id": "control-1437", - "title": "Cloud-based hosting of online services", + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1437-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "A cloud service provider is used for hosting online services." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1578", - "title": "Location policies for online services", + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1578-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1579", - "title": "Availability planning and monitoring for online services", + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1579-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1580", - "title": "Availability planning and monitoring for online services", + "id": "control-0932", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-1580-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." + "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + } + ] + }, + { + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", + "parts": [ + { + "id": "control-0249-stmt", + "name": "statement", + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
+ } + ] + }, + { + "id": "control-0246", + "title": "Early identification of emanation security issues", + "parts": [ + { + "id": "control-0246-stmt", + "name": "statement", + "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + } + ] + }, + { + "id": "control-0250", + "title": "Industry and government standards", + "parts": [ + { + "id": "control-0250-stmt", + "name": "statement", + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + } + ] + } + ] + }, + { + "id": "cabling_infrastructure", + "title": "Cabling infrastructure", + "controls": [ + { + "id": "control-0181", + "title": "Cabling infrastructure standards", + "parts": [ + { + "id": "control-0181-stmt", + "name": "statement", + "prose": "Cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority." + } + ] + }, + { + "id": "control-1111", + "title": "Use of fibre-optic cables", + "parts": [ + { + "id": "control-1111-stmt", + "name": "statement", + "prose": "Fibre-optic cables are used for cabling infrastructure instead of copper cables." + } + ] + }, + { + "id": "control-0211", + "title": "Cable register", + "parts": [ + { + "id": "control-0211-stmt", + "name": "statement", + "prose": "A cable register is maintained and regularly audited." + } + ] + }, + { + "id": "control-0208", + "title": "Cable register", + "parts": [ + { + "id": "control-0208-stmt", + "name": "statement", + "prose": "Cable registers contain the following information:\n• cable identifier\n• cable colour\n• sensitivity/classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." 
+ } + ] + }, + { + "id": "control-0206", + "title": "Cable labelling process and procedures", + "parts": [ + { + "id": "control-0206-stmt", + "name": "statement", + "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-1441", - "title": "Availability planning and monitoring for online services", + "id": "control-1096", + "title": "Labelling cables", "parts": [ { - "id": "control-1441-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." } ] }, { - "id": "control-1581", - "title": "Availability planning and monitoring for online services", + "id": "control-1639", + "title": "Labelling building management cables", "parts": [ { - "id": "control-1581-stmt", + "id": "control-1639-stmt", "name": "statement", - "prose": "Organisations perform continuous real-time monitoring of the availability of online services." + "prose": "Building management cables are labelled with their purpose in black writing on a yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre intervals." } ] }, { - "id": "control-1438", - "title": "Using content delivery networks", + "id": "control-1640", + "title": "Labelling cables for foreign systems in Australian facilities", "parts": [ { - "id": "control-1438-stmt", + "id": "control-1640-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "Cables for foreign systems installed in Australian facilities are labelled at inspection points." 
} ] }, { - "id": "control-1439", - "title": "Using content delivery networks", + "id": "control-0926", + "title": "Cable colours", "parts": [ { - "id": "control-1439-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "The cable colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1431", - "title": "Denial of service strategies", + "id": "control-1216", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1431-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." + "prose": "Cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." 
} ] }, { - "id": "control-1458", - "title": "Denial of service strategies", + "id": "control-1112", + "title": "Cable inspectability", "parts": [ { - "id": "control-1458-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1432", - "title": "Domain name registrar locking", + "id": "control-1118", + "title": "Cable inspectability", "parts": [ { - "id": "control-1432-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1435", - "title": "Monitoring with real-time alerting for online services", + "id": "control-1119", + "title": "Cable inspectability", "parts": [ { - "id": "control-1435-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1436", - "title": "Segregation of critical online services", + "id": "control-1126", + "title": "Cable inspectability", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." 
+ "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1518", - "title": "Preparing for service continuity", + "id": "control-0184", + "title": "Cable inspectability", "parts": [ { - "id": "control-1518-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." } ] - } - ] - }, - { - "id": "wireless_networks", - "title": "Wireless networks", - "controls": [ + }, { - "id": "control-1314", - "title": "Choosing wireless access points", + "id": "control-0187", + "title": "Cable groups", "parts": [ { - "id": "control-1314-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "The cable groups in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-0536", - "title": "Wireless networks for public access", + "id": "control-0189", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-0536-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single cable group." 
} ] }, { - "id": "control-1315", - "title": "Administrative interfaces for wireless access points", + "id": "control-0190", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1315-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." + "prose": "With fibre-optic cables contains subunits, each subunit only carries a single cable group; however, each subunit can carry a different cable group." } ] }, { - "id": "control-1316", - "title": "Default Service Set Identifiers", + "id": "control-1114", + "title": "Common cable reticulation systems", "parts": [ { - "id": "control-1316-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "Cable groups sharing a common cable reticulation system have a dividing partition or a visible gap between the cable groups." } ] }, { - "id": "control-1317", - "title": "Default Service Set Identifiers", + "id": "control-1130", + "title": "Enclosed cable reticulation systems", "parts": [ { - "id": "control-1317-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." } ] }, { - "id": "control-1318", - "title": "Default Service Set Identifiers", + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", "parts": [ { - "id": "control-1318-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." 
+ "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-1319", - "title": "Static addressing", + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-1319-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on cable reticulation systems." } ] }, { - "id": "control-1320", - "title": "Media Access Control address filtering", + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-1320-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." } ] }, { - "id": "control-1321", - "title": "802.1X authentication", + "id": "control-0201", + "title": "Labelling conduits", "parts": [ { - "id": "control-1321-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as ‘TS RUN’." 
} ] }, { - "id": "control-1322", - "title": "Evaluation of 802.1X authentication implementation", + "id": "control-1115", + "title": "Cables in walls", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." } ] }, { - "id": "control-1324", - "title": "Generating and issuing certificates for authentication", + "id": "control-1133", + "title": "Cables in party walls", "parts": [ { - "id": "control-1324-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "In shared non-government facilities, cables are not run in party walls." } ] }, { - "id": "control-1323", - "title": "Generating and issuing certificates for authentication", + "id": "control-1122", + "title": "Wall penetrations", "parts": [ { - "id": "control-1323-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1325", - "title": "Generating and issuing certificates for authentication", + "id": "control-1134", + "title": "Wall penetrations", "parts": [ { - "id": "control-1325-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." 
+ "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1326", - "title": "Generating and issuing certificates for authentication", + "id": "control-1104", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "Wall outlet boxes have connectors on opposite sides of the wall outlet box if the cable group contains cables belonging to different classifications." } ] }, { - "id": "control-1327", - "title": "Generating and issuing certificates for authentication", + "id": "control-1105", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1327-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "Different cables groups do not share a wall outlet box." } ] }, { - "id": "control-1330", - "title": "Caching 802.1X authentication outcomes", + "id": "control-1095", + "title": "Labelling wall outlet boxes", "parts": [ { - "id": "control-1330-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "Wall outlet boxes denote the classifications, cable identifiers and wall outlet box identifier." 
} ] }, { - "id": "control-1454", - "title": "Remote Authentication Dial-In User Service authentication", + "id": "control-1107", + "title": "Wall outlet box colours", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1332", - "title": "Encryption of wireless network traffic", + "id": "control-1109", + "title": "Wall outlet box covers", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "Wall outlet box covers are clear plastic." } ] }, { - "id": "control-1334", - "title": "Interference between wireless networks", + "id": "control-0218", + "title": "Fly lead installation", "parts": [ { - "id": "control-1334-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "If fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box’s identifier." } ] }, { - "id": "control-1335", - "title": "Protecting management frames on wireless networks", + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1335-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." 
+ "prose": "In non-TOP SECRET areas, cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1338", - "title": "Wireless network footprint", + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1013", - "title": "Wireless network footprint", + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." 
} ] - } - ] - }, - { - "id": "network_design_and_configuration", - "title": "Network design and configuration", - "controls": [ + }, { - "id": "control-0516", - "title": "Network documentation", + "id": "control-1098", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-0516-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Cables are terminated in individual cabinets; or for small systems, one cabinet with a division plate to delineate cable groups." } ] }, { - "id": "control-0518", - "title": "Network documentation", + "id": "control-1100", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-0518-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-1178", - "title": "Network documentation", + "id": "control-0213", + "title": "Terminating cable groups on patch panels", "parts": [ { - "id": "control-1178-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "Different cable groups do not terminate on the same patch panel." 
} ] }, { - "id": "control-1181", - "title": "Network segmentation and segregation", + "id": "control-1116", + "title": "Physical separation of cabinets and patch panels", "parts": [ { - "id": "control-1181-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] }, { - "id": "control-1577", - "title": "Network segmentation and segregation", + "id": "control-0216", + "title": "Physical separation of cabinets and patch panels", "parts": [ { - "id": "control-1577-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "Organisation networks are segregated from service provider networks." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." } ] }, { - "id": "control-1532", - "title": "Using Virtual Local Area Networks", + "id": "control-0217", + "title": "Physical separation of cabinets and patch panels", "parts": [ { - "id": "control-1532-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." 
} ] }, { - "id": "control-0529", - "title": "Using Virtual Local Area Networks", + "id": "control-0198", + "title": "Audio secure spaces", "parts": [ { - "id": "control-0529-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." } ] }, { - "id": "control-1364", - "title": "Using Virtual Local Area Networks", + "id": "control-1123", + "title": "Power reticulation", "parts": [ { - "id": "control-1364-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-0535", - "title": "Using Virtual Local Area Networks", + "id": "control-1135", + "title": "Power reticulation", "parts": [ { - "id": "control-0535-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ { - "id": "control-0530", - "title": "Using Virtual Local Area Networks", + "id": "control-1631", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0530-stmt", + "id": "control-1631-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "Components and services relevant to the security of systems are identified and understood." } ] }, { - "id": "control-0521", - "title": "Using Internet Protocol version 6", + "id": "control-1452", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." + "prose": "Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk." } ] }, { - "id": "control-1186", - "title": "Using Internet Protocol version 6", + "id": "control-1567", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1186-stmt", + "id": "control-1567-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + "prose": "Suppliers and service providers identified as high risk are not used." 
} ] }, { - "id": "control-1428", - "title": "Using Internet Protocol version 6", + "id": "control-1568", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1568-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices." } ] }, { - "id": "control-1429", - "title": "Using Internet Protocol version 6", + "id": "control-1632", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1429-stmt", + "id": "control-1632-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains." } ] }, { - "id": "control-1430", - "title": "Using Internet Protocol version 6", + "id": "control-1569", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1430-stmt", + "id": "control-1569-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party." 
} ] }, { - "id": "control-0520", - "title": "Network access controls", + "id": "control-0100", + "title": "Outsourced gateway services", "parts": [ { - "id": "control-0520-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." } ] }, { - "id": "control-1182", - "title": "Network access controls", + "id": "control-1637", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1182-stmt", + "id": "control-1637-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "An outsourced cloud services register is maintained and regularly audited." } ] }, { - "id": "control-1301", - "title": "Network device register", + "id": "control-1638", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1301-stmt", + "id": "control-1638-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "Outsourced cloud services registers contain the following for each outsourced cloud service:\n• cloud service provider’s name\n• cloud service’s name\n• purpose for using the cloud service\n• sensitivity or classification of information involved\n• due date for the next security assessment of the cloud service\n• point of contact for users of the cloud service\n• point of contact for the cloud service provider." 
} ] }, { - "id": "control-1304", - "title": "Default accounts for network devices", + "id": "control-1570", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1304-stmt", + "id": "control-1570-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." } ] }, { - "id": "control-0534", - "title": "Disabling unused physical ports on network devices", + "id": "control-1529", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "Only community or private clouds are used for outsourced cloud services." } ] }, { - "id": "control-0385", - "title": "Functional separation between servers", + "id": "control-1395", + "title": "Contractual security requirements", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." } ] }, { - "id": "control-1479", - "title": "Functional separation between servers", + "id": "control-0072", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1479-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." + "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." 
} ] }, { - "id": "control-1006", - "title": "Management traffic", + "id": "control-1571", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1006-stmt", + "id": "control-1571-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." } ] }, { - "id": "control-1311", - "title": "Use of Simple Network Management Protocol", + "id": "control-1451", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "Types of information and its ownership is documented in contractual arrangements." } ] }, { - "id": "control-1312", - "title": "Use of Simple Network Management Protocol", + "id": "control-1572", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1312-stmt", + "id": "control-1572-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." } ] }, { - "id": "control-1028", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1573", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1573-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." + "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." 
} ] }, { - "id": "control-1030", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1574", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1030-stmt", + "id": "control-1574-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." } ] }, { - "id": "control-1185", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1575", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1185-stmt", + "id": "control-1575-stmt", "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." } ] }, { - "id": "control-1627", - "title": "Blocking anonymity network traffic", + "id": "control-1073", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-1627-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." + "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." 
} ] }, { - "id": "control-1628", - "title": "Blocking anonymity network traffic", + "id": "control-1576", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-1628-stmt", + "id": "control-1576-stmt", "name": "statement", - "prose": "Outbound network connections to anonymity networks are blocked." + "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." } ] } 
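Review bot: the removal of the whole wireless-network and network-design control set cannot be verified from this hunk, because the line-based diff pairs unrelated controls, for example `- "id": "control-1319"` / `- "title": "Static addressing"` against `+ "id": "control-0195"` / `+ "title": "Sealing cable reticulation systems and conduits"`, and `- "id": "control-1627"` ("Blocking anonymity network traffic") against `+ "id": "control-1576"` ("Access to systems and information by service providers"). The cause is the structural change at the end of the hunk, where the closing `+ } + ] + } + ] + },` and the new `"id": "guidelines_for_outsourcing"` group are inserted, which shifts every following control. Please state in the PR description that every removed control id (control-1319 through control-1335, control-0516 through control-1628) reappears under another group in the regenerated catalog, or attach a control-id set comparison of the old and new JSON, so reviewers do not have to trust a 2000-line textual diff. Separately, the new statement for control-1107 reads "The wall outlet box colours in the following table are used (see source document for referenced table)", which is a conversion placeholder rather than an assessable control statement; if that is the intended representation of table-backed controls, it is worth a comment in the generator so it is not mistaken for a lost table.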
@@ -2138,2537 +2066,2477 @@ ] }, { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", "groups": [ { - "id": "web_application_development", - "title": "Web application development", + "id": "application_hardening", + "title": "Application hardening", "controls": [ { - "id": "control-1239", - "title": "Web application frameworks", + "id": "control-0938", + "title": "Application selection", "parts": [ { - "id": "control-1239-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." } ] }, { - "id": "control-1552", - "title": "Web application interactions", + "id": "control-1467", + "title": "Application versions", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." } ] }, { - "id": "control-1240", - "title": "Web application input handling", + "id": "control-1483", + "title": "Application versions", "parts": [ { - "id": "control-1240-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." 
} ] }, { - "id": "control-1241", - "title": "Web application output encoding", + "id": "control-1412", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1424", - "title": "Web browser-based security controls", + "id": "control-1484", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1424-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "Web browsers are configured to block or disable support for Flash content." } ] }, { - "id": "control-0971", - "title": "Open Web Application Security Project", + "id": "control-1485", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0971-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "Web browsers are configured to block web advertisements." } ] - } - ] - }, - { - "id": "application_development", - "title": "Application development", - "controls": [ + }, { - "id": "control-0400", - "title": "Development environments", + "id": "control-1486", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0400-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "Development, testing and production environments are segregated." + "prose": "Web browsers are configured to block Java from the internet." 
} ] }, { - "id": "control-1419", - "title": "Development environments", + "id": "control-1541", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." + "prose": "Microsoft Office is configured to disable support for Flash content." } ] }, { - "id": "control-1420", - "title": "Development environments", + "id": "control-1542", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1420-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." } ] }, { - "id": "control-1422", - "title": "Development environments", + "id": "control-1470", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1422-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." } ] }, { - "id": "control-1238", - "title": "Secure software design", + "id": "control-1235", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1238-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." 
} ] }, { - "id": "control-0401", - "title": "Secure programming practices", + "id": "control-1601", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0401-stmt", + "id": "control-1601-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." } ] }, { - "id": "control-0402", - "title": "Software testing", + "id": "control-1585", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0402-stmt", + "id": "control-1585-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." } ] }, { - "id": "control-1616", - "title": "Vulnerability disclosure program", + "id": "control-1487", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1616-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." + "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + } + ] + }, + { + "id": "control-1488", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1488-stmt", + "name": "statement", + "prose": "Microsoft Office macros in documents originating from the internet are blocked." 
+ } + ] + }, + { + "id": "control-1489", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1489-stmt", + "name": "statement", + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] } ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ + }, { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", + "id": "operating_system_hardening", + "title": "Operating system hardening", "controls": [ { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "id": "control-1406", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1406-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "SOEs are used for workstations and servers." } ] }, { - "id": "control-0546", - "title": "Video and voice-aware firewalls", + "id": "control-1608", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0546-stmt", + "id": "control-1608-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." } ] }, { - "id": "control-0547", - "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "id": "control-1588", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0547-stmt", + "id": "control-1588-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "SOEs are reviewed and updated at least annually." 
} ] }, { - "id": "control-0548", - "title": "Establishment of secure signalling and data protocols", + "id": "control-1407", + "title": "Operating system versions", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." } ] }, { - "id": "control-0554", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1408", + "title": "Operating system versions", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." } ] }, { - "id": "control-0553", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1409", + "title": "Operating system configuration", "parts": [ { - "id": "control-0553-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-0555", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-0383", + "title": "Operating system configuration", "parts": [ { - "id": "control-0555-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." 
+ "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-0551", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-0380", + "title": "Operating system configuration", "parts": [ { - "id": "control-0551-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." } ] }, { - "id": "control-1014", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1584", + "title": "Operating system configuration", "parts": [ { - "id": "control-1014-stmt", + "id": "control-1584-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." } ] }, { - "id": "control-0549", - "title": "Traffic separation", + "id": "control-1491", + "title": "Operating system configuration", "parts": [ { - "id": "control-0549-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe)\n• Microsoft HTML Application Host (mshta.exe)." 
} ] }, { - "id": "control-0556", - "title": "Traffic separation", + "id": "control-1410", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." } ] }, { - "id": "control-1015", - "title": "Internet Protocol phones in public areas", + "id": "control-1469", + "title": "Local administrator accounts", "parts": [ { - "id": "control-1015-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-0558", - "title": "Internet Protocol phones in public areas", + "id": "control-1592", + "title": "Application management", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1592-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "Users do not have the ability to install unapproved software." } ] }, { - "id": "control-0559", - "title": "Microphones and webcams", + "id": "control-0382", + "title": "Application management", "parts": [ { - "id": "control-0559-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." 
+ "prose": "Users do not have the ability to uninstall or disable approved software." } ] }, { - "id": "control-1450", - "title": "Microphones and webcams", + "id": "control-0843", + "title": "Application control", "parts": [ { - "id": "control-1450-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-1019", - "title": "Developing a denial of service response plan", + "id": "control-1490", + "title": "Application control", "parts": [ { - "id": "control-1019-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." + "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] - } - ] - }, - { - "id": "telephone_systems", - "title": "Telephone systems", - "controls": [ + }, { - "id": "control-1078", - "title": "Telephone systems usage policy", + "id": "control-0955", + "title": "Application control", "parts": [ { - "id": "control-1078-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." 
} ] }, { - "id": "control-0229", - "title": "Personnel awareness", + "id": "control-1582", + "title": "Application control", "parts": [ { - "id": "control-0229-stmt", + "id": "control-1582-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." } ] }, { - "id": "control-0230", - "title": "Personnel awareness", + "id": "control-1471", + "title": "Application control", "parts": [ { - "id": "control-0230-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-0231", - "title": "Visual indication", + "id": "control-1392", + "title": "Application control", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." 
} ] }, { - "id": "control-0232", - "title": "Protecting conversations", + "id": "control-1544", + "title": "Application control", "parts": [ { - "id": "control-0232-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." } ] }, { - "id": "control-0233", - "title": "Cordless telephone systems", + "id": "control-0846", + "title": "Application control", "parts": [ { - "id": "control-0233-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." } ] }, { - "id": "control-0235", - "title": "Speakerphones", + "id": "control-0957", + "title": "Application control", "parts": [ { - "id": "control-0235-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." + "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." 
} ] }, { - "id": "control-0236", - "title": "Off-hook audio protection", + "id": "control-1414", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0236-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." } ] }, { - "id": "control-0931", - "title": "Off-hook audio protection", + "id": "control-1492", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0931-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "If supported, Microsoft’s exploit protection functionality is implemented on workstations and servers." } ] }, { - "id": "control-0237", - "title": "Off-hook audio protection", + "id": "control-1621", + "title": "PowerShell", "parts": [ { - "id": "control-0237-stmt", + "id": "control-1621-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "PowerShell 2.0 and below is removed from operating systems." 
} ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ + }, { - "id": "control-0588", - "title": "Fax machine and multifunction device usage policy", + "id": "control-1622", + "title": "PowerShell", "parts": [ { - "id": "control-0588-stmt", + "id": "control-1622-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "PowerShell is configured to use Constrained Language Mode." } ] }, { - "id": "control-1092", - "title": "Sending fax messages", + "id": "control-1623", + "title": "PowerShell", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1623-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." } ] }, { - "id": "control-0241", - "title": "Sending fax messages", + "id": "control-1624", + "title": "PowerShell", "parts": [ { - "id": "control-0241-stmt", + "id": "control-1624-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." + "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." } ] }, { - "id": "control-1075", - "title": "Receiving fax messages", + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1075-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "A HIPS is implemented on workstations." 
} ] }, { - "id": "control-0590", - "title": "Connecting multifunction devices to networks", + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-0590-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." } ] }, { - "id": "control-0245", - "title": "Connecting multifunction devices to both networks and digital telephone systems", + "id": "control-1416", + "title": "Software firewall", "parts": [ { - "id": "control-0245-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." } ] }, { - "id": "control-0589", - "title": "Copying documents on multifunction devices", + "id": "control-1417", + "title": "Antivirus software", "parts": [ { - "id": "control-0589-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." 
} ] }, { - "id": "control-1036", - "title": "Observing fax machine and multifunction device use", + "id": "control-1390", + "title": "Antivirus software", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "Antivirus software has reputation rating functionality enabled." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems", - "title": "Guidelines for Database Systems", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Protecting database server contents", + "id": "control-1418", + "title": "Device access control software", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." } ] }, { - "id": "control-1269", - "title": "Functional separation between database servers and web servers", + "id": "control-0345", + "title": "Device access control software", "parts": [ { - "id": "control-1269-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "External interfaces of workstations and servers that allow DMA are disabled." 
} ] - }, + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ { - "id": "control-1277", - "title": "Communications between database servers and web servers", + "id": "control-1546", + "title": "Authenticating to systems", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." + "prose": "Users are authenticated before they are granted access to a system and its resources." } ] }, { - "id": "control-1270", - "title": "Network environment", + "id": "control-0974", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1270-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "Multi-factor authentication is used to authenticate standard users." } ] }, { - "id": "control-1271", - "title": "Network environment", + "id": "control-1173", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." } ] }, { - "id": "control-1272", - "title": "Network environment", + "id": "control-1384", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1272-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." 
+ "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." } ] }, { - "id": "control-1273", - "title": "Separation of production, test and development database servers", + "id": "control-1504", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1273-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] - } - ] - }, - { - "id": "database_management_system_software", - "title": "Database management system software", - "controls": [ + }, { - "id": "control-1245", - "title": "Temporary installation files and logs", + "id": "control-1505", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1245-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." } ] }, { - "id": "control-1246", - "title": "Hardening and configuration", + "id": "control-1401", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1246-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." 
} ] }, { - "id": "control-1247", - "title": "Hardening and configuration", + "id": "control-1559", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1247-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] }, { - "id": "control-1249", - "title": "Restricting privileges", + "id": "control-1560", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." } ] }, { - "id": "control-1250", - "title": "Restricting privileges", + "id": "control-1561", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1250-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." } ] }, { - "id": "control-1251", - "title": "Restricting privileges", + "id": "control-1357", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." 
} ] }, { - "id": "control-1260", - "title": "Database administrator accounts", + "id": "control-0417", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1260-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-1262", - "title": "Database administrator accounts", + "id": "control-0421", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1262-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." } ] }, { - "id": "control-1261", - "title": "Database administrator accounts", + "id": "control-1557", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1261-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] }, { - "id": "control-1263", - "title": "Database administrator accounts", + "id": "control-0422", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1263-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." 
} ] }, { - "id": "control-1264", - "title": "Database administrator accounts", + "id": "control-1558", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." } ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Database register", + "id": "control-1596", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1243-stmt", + "id": "control-1596-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." + "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." } ] }, { - "id": "control-1256", - "title": "Protecting database contents", + "id": "control-1227", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1256-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." } ] }, { - "id": "control-1252", - "title": "Protecting authentication credentials in databases", + "id": "control-1593", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1252-stmt", + "id": "control-1593-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." 
+ "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." } ] }, { - "id": "control-0393", - "title": "Protecting database contents", + "id": "control-1594", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-0393-stmt", + "id": "control-1594-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." + "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." } ] }, { - "id": "control-1255", - "title": "Protecting database contents", + "id": "control-1595", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1255-stmt", + "id": "control-1595-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." } ] }, { - "id": "control-1268", - "title": "Protecting database contents", + "id": "control-1619", + "title": "Setting and resetting credentials for service accounts", "parts": [ { - "id": "control-1268-stmt", + "id": "control-1619-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." + "prose": "Service accounts are created as group Managed Service Accounts." 
} ] }, { - "id": "control-1258", - "title": "Aggregation of database contents", + "id": "control-1403", + "title": "Account lockouts", "parts": [ { - "id": "control-1258-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-1274", - "title": "Separation of production, test and development databases", + "id": "control-0431", + "title": "Account lockouts", "parts": [ { - "id": "control-1274-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "Repeated account lockouts are investigated before reauthorising access." } ] }, { - "id": "control-1275", - "title": "Web application interaction with databases", + "id": "control-0976", + "title": "Account unlocks", "parts": [ { - "id": "control-1275-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." + "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." } ] }, { - "id": "control-1276", - "title": "Web application interaction with databases", + "id": "control-1603", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1603-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." 
+ "prose": "Authentication methods susceptible to replay attacks are disabled." } ] }, { - "id": "control-1278", - "title": "Web application interaction with databases", + "id": "control-1055", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email", - "title": "Guidelines for Email", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage policy", + "id": "control-1620", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-0264-stmt", + "id": "control-1620-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "Privileged accounts are members of the Protected Users security group." } ] }, { - "id": "control-0267", - "title": "Webmail services", + "id": "control-0418", + "title": "Protecting credentials", "parts": [ { - "id": "control-0267-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Credentials are stored separately from systems to which they grant access." } ] }, { - "id": "control-0270", - "title": "Protective markings for emails", + "id": "control-1597", + "title": "Protecting credentials", "parts": [ { - "id": "control-0270-stmt", + "id": "control-1597-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Credentials are obscured as they are entered into systems." 
} ] }, { - "id": "control-0271", - "title": "Protective marking tools", + "id": "control-1402", + "title": "Protecting credentials", "parts": [ { - "id": "control-0271-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." } ] }, { - "id": "control-0272", - "title": "Protective marking tools", + "id": "control-1590", + "title": "Protecting credentials", "parts": [ { - "id": "control-0272-stmt", + "id": "control-1590-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." } ] }, { - "id": "control-1089", - "title": "Protective marking tools", + "id": "control-0853", + "title": "Session termination", "parts": [ { - "id": "control-1089-stmt", + "id": "control-0853-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." 
} ] }, { - "id": "control-0565", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-0428", + "title": "Session and screen locking", "parts": [ { - "id": "control-0565-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." + "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." } ] }, { - "id": "control-1023", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-0408", + "title": "Logon banner", "parts": [ { - "id": "control-1023-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-0269", - "title": "Email distribution lists", + "id": "control-0979", + "title": "Logon banner", "parts": [ { - "id": "control-0269-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "Legal advice is sought on the exact wording of logon banners." 
} ] } ] }, { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", + "id": "virtualisation_hardening", + "title": "Virtualisation hardening", "controls": [ { - "id": "control-0569", - "title": "Centralised email gateways", + "id": "control-1460", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0569-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." } ] }, { - "id": "control-0571", - "title": "Centralised email gateways", + "id": "control-1604", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0571-stmt", + "id": "control-1604-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." } ] }, { - "id": "control-0570", - "title": "Email gateway maintenance activities", + "id": "control-1605", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0570-stmt", + "id": "control-1605-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." } ] }, { - "id": "control-0567", - "title": "Open relay email servers", + "id": "control-1606", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0567-stmt", + "id": "control-1606-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-0572", - "title": "Email server transport encryption", + "id": "control-1607", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0572-stmt", + "id": "control-1607-stmt", "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1589", - "title": "Email server transport encryption", + "id": "control-1462", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1589-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." 
} ] }, { - "id": "control-0574", - "title": "Sender Policy Framework", + "id": "control-1461", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0574-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", + "groups": [ + { + "id": "application_development", + "title": "Application development", + "controls": [ { - "id": "control-1183", - "title": "Sender Policy Framework", + "id": "control-0400", + "title": "Development environments", "parts": [ { - "id": "control-1183-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." + "prose": "Development, testing and production environments are segregated." } ] }, { - "id": "control-1151", - "title": "Sender Policy Framework", + "id": "control-1419", + "title": "Development environments", "parts": [ { - "id": "control-1151-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-1152", - "title": "Sender Policy Framework", + "id": "control-1420", + "title": "Development environments", "parts": [ { - "id": "control-1152-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
+ "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-0861", - "title": "DomainKeys Identified Mail", + "id": "control-1422", + "title": "Development environments", "parts": [ { - "id": "control-0861-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-1026", - "title": "DomainKeys Identified Mail", + "id": "control-1238", + "title": "Secure software design", "parts": [ { - "id": "control-1026-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, { - "id": "control-1027", - "title": "DomainKeys Identified Mail", + "id": "control-0401", + "title": "Secure programming practices", "parts": [ { - "id": "control-1027-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." 
} ] }, { - "id": "control-1540", - "title": "Domain-based Message Authentication, Reporting and Conformance", + "id": "control-0402", + "title": "Software testing", "parts": [ { - "id": "control-1540-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] }, { - "id": "control-1234", - "title": "Email content filtering", + "id": "control-1616", + "title": "Vulnerability disclosure program", "parts": [ { - "id": "control-1234-stmt", + "id": "control-1616-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." } ] - }, + } + ] + }, + { + "id": "web_application_development", + "title": "Web application development", + "controls": [ { - "id": "control-1502", - "title": "Blocking suspicious emails", + "id": "control-1239", + "title": "Web application frameworks", "parts": [ { - "id": "control-1502-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-1024", - "title": "Undeliverable messages", - "parts": [ - { - "id": "control-1024-stmt", - "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." 
- } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cryptography", - "title": "Guidelines for Cryptography", - "groups": [ - { - "id": "transport_layer_security", - "title": "Transport Layer Security", - "controls": [ - { - "id": "control-1139", - "title": "Using Transport Layer Security", + "id": "control-1552", + "title": "Web application interactions", "parts": [ { - "id": "control-1139-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "Only the latest version of TLS is used." + "prose": "All web application content is offered exclusively using HTTPS." } ] }, { - "id": "control-1369", - "title": "Using Transport Layer Security", + "id": "control-1240", + "title": "Web application input handling", "parts": [ { - "id": "control-1369-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." + "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-1370", - "title": "Using Transport Layer Security", + "id": "control-1241", + "title": "Web application output encoding", "parts": [ { - "id": "control-1370-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "Output encoding is performed on all output produced by a web application." } ] }, - { - "id": "control-1372", - "title": "Using Transport Layer Security", + { + "id": "control-1424", + "title": "Web browser-based security controls", "parts": [ { - "id": "control-1372-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." 
} ] }, { - "id": "control-1448", - "title": "Using Transport Layer Security", + "id": "control-0971", + "title": "Open Web Application Security Project", "parts": [ { - "id": "control-1448-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ { - "id": "control-1373", - "title": "Using Transport Layer Security", + "id": "control-0123", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1373-stmt", + "id": "control-0123-stmt", "name": "statement", - "prose": "Anonymous DH is not used." + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1374", - "title": "Using Transport Layer Security", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1374-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1375", - "title": "Using Transport Layer Security", + "id": "control-1433", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1375-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." 
+ "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." } ] }, { - "id": "control-1553", - "title": "Using Transport Layer Security", + "id": "control-1434", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1553-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "TLS compression is disabled." + "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." } ] }, { - "id": "control-1453", - "title": "Perfect Forward Secrecy", + "id": "control-0140", + "title": "Reporting cyber security incidents to the ACSC", "parts": [ { - "id": "control-1453-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "Cyber security incidents are reported to the ACSC." } ] } ] }, { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", "controls": [ { - "id": "control-0471", - "title": "Using ASD Approved Cryptographic Algorithms", + "id": "control-0125", + "title": "Cyber security incident register", "parts": [ { - "id": "control-0471-stmt", + "id": "control-0125-stmt", "name": "statement", - "prose": "Only AACAs are used by cryptographic equipment and software." + "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." 
} ] }, { - "id": "control-0994", - "title": "Approved asymmetric/public key algorithms", + "id": "control-0133", + "title": "Handling and containing data spills", "parts": [ { - "id": "control-0994-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." } ] }, { - "id": "control-0472", - "title": "Using Diffie-Hellman", + "id": "control-0917", + "title": "Handling and containing malicious code infections", "parts": [ { - "id": "control-0472-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used." + "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." } ] }, { - "id": "control-1629", - "title": "Using Diffie-Hellman", + "id": "control-0137", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-1629-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." 
} ] }, { - "id": "control-0473", - "title": "Using the Digital Signature Algorithm", + "id": "control-1609", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-0473-stmt", + "id": "control-1609-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 2048 bits is used." + "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-1630", - "title": "Using the Digital Signature Algorithm", + "id": "control-1213", + "title": "Post-incident analysis", "parts": [ { - "id": "control-1630-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4." + "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." } ] }, { - "id": "control-1446", - "title": "Using Elliptic Curve Cryptography", + "id": "control-0138", + "title": "Integrity of evidence", "parts": [ { - "id": "control-1446-stmt", + "id": "control-0138-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." 
} ] - }, + } + ] + }, + { + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", + "controls": [ { - "id": "control-0474", - "title": "Using Elliptic Curve Diffie-Hellman", + "id": "control-0576", + "title": "Intrusion detection and prevention policy", "parts": [ { - "id": "control-0474-stmt", + "id": "control-0576-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used." + "prose": "An intrusion detection and prevention policy is developed and implemented." } ] }, { - "id": "control-0475", - "title": "Using the Elliptic Curve Digital Signature Algorithm", + "id": "control-1625", + "title": "Trusted insider program", "parts": [ { - "id": "control-0475-stmt", + "id": "control-1625-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used." + "prose": "A trusted insider program is developed and implemented." } ] }, { - "id": "control-0476", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-1626", + "title": "Trusted insider program", "parts": [ { - "id": "control-0476-stmt", + "id": "control-1626-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used." + "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." 
} ] }, { - "id": "control-0477", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0120", + "title": "Access to sufficient data sources and tools", "parts": [ { - "id": "control-0477-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_networking", + "title": "Guidelines for Networking", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ { - "id": "control-0479", - "title": "Approved symmetric encryption algorithms", + "id": "control-1437", + "title": "Cloud-based hosting of online services", "parts": [ { - "id": "control-0479-stmt", + "id": "control-1437-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + "prose": "A cloud service provider is used for hosting online services." } ] }, { - "id": "control-0480", - "title": "Using the Triple Data Encryption Standard", + "id": "control-1578", + "title": "Location policies for online services", "parts": [ { - "id": "control-0480-stmt", + "id": "control-1578-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." 
} ] }, { - "id": "control-1232", - "title": "Protecting highly classified information", + "id": "control-1579", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1579-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." } ] }, { - "id": "control-1468", - "title": "Protecting highly classified information", - "parts": [ - { - "id": "control-1468-stmt", - "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." - } - ] - } - ] - }, - { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", - "controls": [ - { - "id": "control-0501", - "title": "Commercial grade cryptographic equipment", + "id": "control-1580", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0501-stmt", + "id": "control-1580-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." } ] }, { - "id": "control-0142", - "title": "Commercial grade cryptographic equipment", + "id": "control-1441", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." 
+ "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." } ] }, { - "id": "control-1091", - "title": "Commercial grade cryptographic equipment", + "id": "control-1581", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1091-stmt", + "id": "control-1581-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "Organisations perform continuous real-time monitoring of the availability of online services." } ] }, { - "id": "control-0499", - "title": "High Assurance Cryptographic Equipment", + "id": "control-1438", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0499-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." } ] }, { - "id": "control-0505", - "title": "Storing cryptographic equipment", + "id": "control-1439", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0505-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." 
} ] }, { - "id": "control-0506", - "title": "Storing cryptographic equipment", + "id": "control-1431", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0506-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." } ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Configuring Secure Shell", + "id": "control-1458", + "title": "Denial of service strategies", "parts": [ { - "id": "control-1506-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." } ] }, { - "id": "control-0484", - "title": "Configuring Secure Shell", + "id": "control-1432", + "title": "Domain name registrar locking", "parts": [ { - "id": "control-0484-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." 
+ "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." } ] }, { - "id": "control-0485", - "title": "Authentication mechanisms", + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", "parts": [ { - "id": "control-0485-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] }, { - "id": "control-1449", - "title": "Authentication mechanisms", + "id": "control-1436", + "title": "Segregation of critical online services", "parts": [ { - "id": "control-1449-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." } ] }, { - "id": "control-0487", - "title": "Automated remote access", + "id": "control-1518", + "title": "Preparing for service continuity", "parts": [ { - "id": "control-0487-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." 
} ] - }, + } + ] + }, + { + "id": "wireless_networks", + "title": "Wireless networks", + "controls": [ { - "id": "control-0488", - "title": "Automated remote access", + "id": "control-1314", + "title": "Choosing wireless access points", "parts": [ { - "id": "control-0488-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-0489", - "title": "SSH-agent", + "id": "control-0536", + "title": "Wireless networks for public access", "parts": [ { - "id": "control-0489-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", - "controls": [ + }, { - "id": "control-0481", - "title": "Using ASD Approved Cryptographic Protocols", + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", "parts": [ { - "id": "control-0481-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "Only AACPs are used by cryptographic equipment and software." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." 
} ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Using Secure/Multipurpose Internet Mail Extension", + "id": "control-1316", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0490-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "The default SSID of wireless access points is changed." } ] - } - ] - }, - { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", - "controls": [ + }, { - "id": "control-1161", - "title": "Reducing physical storage and handling requirements", + "id": "control-1317", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1161-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." } ] }, { - "id": "control-0457", - "title": "Reducing physical storage and handling requirements", + "id": "control-1318", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0457-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." + "prose": "SSID broadcasting is enabled on wireless networks." 
} ] }, { - "id": "control-0460", - "title": "Reducing physical storage and handling requirements", + "id": "control-1319", + "title": "Static addressing", "parts": [ { - "id": "control-0460-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." } ] }, { - "id": "control-0459", - "title": "Encrypting information at rest", + "id": "control-1320", + "title": "Media Access Control address filtering", "parts": [ { - "id": "control-0459-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." } ] }, { - "id": "control-0461", - "title": "Encrypting information at rest", + "id": "control-1321", + "title": "802.1X authentication", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] }, { - "id": "control-1080", - "title": "Encrypting particularly important information at rest", + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", "parts": [ { - "id": "control-1080-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." 
+ "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." } ] }, { - "id": "control-0455", - "title": "Data recovery", + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0455-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." } ] }, { - "id": "control-0462", - "title": "Handling encrypted ICT equipment and media", + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0462-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "Both device and user certificates are required for accessing wireless networks." } ] }, { - "id": "control-1162", - "title": "Encrypting information in transit", + "id": "control-1325", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1162-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." 
} ] }, { - "id": "control-0465", - "title": "Encrypting information in transit", + "id": "control-1326", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0465-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." } ] }, { - "id": "control-0467", - "title": "Encrypting information in transit", + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0467-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." } ] }, { - "id": "control-0469", - "title": "Encrypting particularly important information in transit", + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", "parts": [ { - "id": "control-0469-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." 
} ] - } - ] - }, - { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", - "controls": [ + }, { - "id": "control-0494", - "title": "Mode of operation", + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", "parts": [ { - "id": "control-0494-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] }, { - "id": "control-0496", - "title": "Protocol selection", + "id": "control-1332", + "title": "Encryption of wireless network traffic", "parts": [ { - "id": "control-0496-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." } ] }, { - "id": "control-1233", - "title": "Key exchange", + "id": "control-1334", + "title": "Interference between wireless networks", "parts": [ { - "id": "control-1233-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." } ] }, { - "id": "control-0497", - "title": "Internet Security Association Key Management Protocol modes", + "id": "control-1335", + "title": "Protecting management frames on wireless networks", "parts": [ { - "id": "control-0497-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." 
} ] }, { - "id": "control-0498", - "title": "Security association lifetimes", + "id": "control-1338", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0498-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." } ] }, { - "id": "control-0998", - "title": "Hashed Message Authentication Code algorithms", + "id": "control-1013", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0998-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." } ] - }, + } + ] + }, + { + "id": "network_design_and_configuration", + "title": "Network design and configuration", + "controls": [ { - "id": "control-0999", - "title": "Diffie-Hellman groups", + "id": "control-0516", + "title": "Network documentation", "parts": [ { - "id": "control-0999-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." 
} ] }, { - "id": "control-1000", - "title": "Perfect Forward Secrecy", + "id": "control-0518", + "title": "Network documentation", "parts": [ { - "id": "control-1000-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1001", - "title": "Internet Key Exchange Extended Authentication", + "id": "control-1178", + "title": "Network documentation", "parts": [ { - "id": "control-1001-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ - { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ + }, { - "id": "control-0041", - "title": "System security plan", + "id": "control-1181", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0041-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." 
} ] }, { - "id": "control-0043", - "title": "Incident response plan", + "id": "control-1577", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0043-stmt", + "id": "control-1577-stmt", "name": "statement", - "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." + "prose": "Organisation networks are segregated from service provider networks." } ] }, { - "id": "control-1163", - "title": "Continuous monitoring plan", + "id": "control-1532", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1163-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." 
+ "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1563", - "title": "Security assessment report", + "id": "control-0529", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1563-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." } ] }, { - "id": "control-1564", - "title": "Plan of action and milestones", + "id": "control-1364", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1564-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." + "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." } ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ + }, { - "id": "control-0039", - "title": "Cyber security strategy", + "id": "control-0535", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0039-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." 
+ "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-0047", - "title": "Approval of security documentation", + "id": "control-0530", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0047-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "Network devices implementing VLANs are managed from the most trusted network." } ] }, { - "id": "control-0888", - "title": "Maintenance of security documentation", + "id": "control-0521", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0888-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-1602", - "title": "Communication of security documentation", + "id": "control-1186", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1602-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." + "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", - "controls": [ + }, { - "id": "control-0252", - "title": "Providing cyber security awareness training", + "id": "control-1428", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0252-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-1565", - "title": "Providing cyber security awareness training", + "id": "control-1429", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1565-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Tailored privileged user training is undertaken annually by all privileged users." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." } ] }, { - "id": "control-0817", - "title": "Reporting suspicious contact via online services", + "id": "control-1430", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0817-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." 
+ "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." } ] }, { - "id": "control-0820", - "title": "Posting work information to online services", + "id": "control-0520", + "title": "Network access controls", "parts": [ { - "id": "control-0820-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] }, { - "id": "control-1146", - "title": "Posting work information to online services", + "id": "control-1182", + "title": "Network access controls", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] }, { - "id": "control-0821", - "title": "Posting personal information to online services", + "id": "control-1301", + "title": "Network device register", "parts": [ { - "id": "control-0821-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + "prose": "A network device register is maintained and regularly audited." 
} ] }, { - "id": "control-0824", - "title": "Sending and receiving files via online services", + "id": "control-1304", + "title": "Default accounts for network devices", "parts": [ { - "id": "control-0824-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." } ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "System access requirements", + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", "parts": [ { - "id": "control-0432-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." + "prose": "Unused physical ports on network devices are disabled." } ] }, { - "id": "control-0434", - "title": "System access requirements", + "id": "control-0385", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0434-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-0435", - "title": "System access requirements", + "id": "control-1479", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0435-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." 
+ "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-0414", - "title": "User identification", + "id": "control-1006", + "title": "Management traffic", "parts": [ { - "id": "control-0414-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." } ] }, { - "id": "control-0415", - "title": "User identification", + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-0415-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "SNMP version 1 and 2 are not used on networks." } ] }, { - "id": "control-1583", - "title": "User identification", + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1583-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "Personnel who are contractors are identified as such." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." } ] }, { - "id": "control-0975", - "title": "User identification", + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0975-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." 
} ] }, { - "id": "control-0420", - "title": "User identification", + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0420-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." } ] }, { - "id": "control-0405", - "title": "Standard access to systems", + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0405-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] }, { - "id": "control-1503", - "title": "Standard access to systems", + "id": "control-1627", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-1503-stmt", + "id": "control-1627-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." 
} ] }, { - "id": "control-1566", - "title": "Standard access to systems", + "id": "control-1628", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-1566-stmt", + "id": "control-1628-stmt", "name": "statement", - "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." + "prose": "Outbound network connections to anonymity networks are blocked." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ + { + "id": "system_owners", + "title": "System owners", + "controls": [ { - "id": "control-0409", - "title": "Standard access to systems by foreign nationals", + "id": "control-1071", + "title": "System ownership and oversight", "parts": [ { - "id": "control-0409-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "Each system has a designated system owner." } ] }, { - "id": "control-0411", - "title": "Standard access to systems by foreign nationals", + "id": "control-1525", + "title": "System ownership and oversight", "parts": [ { - "id": "control-0411-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "System owners register each system with its authorising officer." 
} ] }, { - "id": "control-1507", - "title": "Privileged access to systems", + "id": "control-1633", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1507-stmt", + "id": "control-1633-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised." } ] }, { - "id": "control-1508", - "title": "Privileged access to systems", + "id": "control-1634", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1508-stmt", + "id": "control-1634-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "System owners select security controls for each system and tailor them to achieve desired security objectives." } ] }, { - "id": "control-0445", - "title": "Privileged access to systems", + "id": "control-1635", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-0445-stmt", + "id": "control-1635-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "System owners implement identified security controls within each system and its operating environment." } ] }, { - "id": "control-1509", - "title": "Privileged access to systems", + "id": "control-1636", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1509-stmt", + "id": "control-1636-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." 
+ "prose": "System owners ensure security controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended." } ] }, { - "id": "control-1175", - "title": "Privileged access to systems", + "id": "control-0027", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1175-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + "prose": "System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation." } ] }, { - "id": "control-0448", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1526", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-0448-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." + "prose": "System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis." } ] }, { - "id": "control-0446", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1587", + "title": "Annual reporting of system security status", "parts": [ { - "id": "control-0446-stmt", + "id": "control-1587-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." + "prose": "System owners report the security status of each system to its authorising officer at least annually." 
} ] - }, + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ { - "id": "control-0447", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0714", + "title": "Providing cyber security leadership and guidance", "parts": [ { - "id": "control-0447-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." } ] }, { - "id": "control-0430", - "title": "Suspension of access to systems", + "id": "control-1478", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-0430-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." } ] }, { - "id": "control-1591", - "title": "Suspension of access to systems", + "id": "control-1617", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1591-stmt", + "id": "control-1617-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." + "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." 
} ] }, { - "id": "control-1404", - "title": "Suspension of access to systems", + "id": "control-0724", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1404-stmt", + "id": "control-0724-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." } ] }, { - "id": "control-0407", - "title": "Recording authorisation for personnel to access systems", + "id": "control-0725", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-0407-stmt", + "id": "control-0725-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." + "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." } ] }, { - "id": "control-0441", - "title": "Temporary access to systems", + "id": "control-0726", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-0441-stmt", + "id": "control-0726-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "The CISO coordinates security risk management activities between cyber security and business teams." 
} ] }, { - "id": "control-0443", - "title": "Temporary access to systems", + "id": "control-0718", + "title": "Reporting on cyber security", "parts": [ { - "id": "control-0443-stmt", + "id": "control-0718-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." } ] }, { - "id": "control-1610", - "title": "Emergency access to systems", + "id": "control-0733", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-1610-stmt", + "id": "control-0733-stmt", "name": "statement", - "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "The CISO is fully aware of all cyber security incidents within their organisation." } ] }, { - "id": "control-1611", - "title": "Emergency access to systems", + "id": "control-1618", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-1611-stmt", + "id": "control-1618-stmt", "name": "statement", - "prose": "Break glass accounts are only used when normal authentication processes cannot be used." + "prose": "The CISO oversees their organisation’s response to cyber security incidents." } ] }, { - "id": "control-1612", - "title": "Emergency access to systems", + "id": "control-0734", + "title": "Contributing to business continuity and disaster recovery planning", "parts": [ { - "id": "control-1612-stmt", + "id": "control-0734-stmt", "name": "statement", - "prose": "Break glass accounts are only used for specific authorised activities." 
+ "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." } ] }, { - "id": "control-1613", - "title": "Emergency access to systems", + "id": "control-0720", + "title": "Developing a cyber security communications strategy", "parts": [ { - "id": "control-1613-stmt", + "id": "control-0720-stmt", "name": "statement", - "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." + "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." } ] }, { - "id": "control-1614", - "title": "Emergency access to systems", + "id": "control-0731", + "title": "Working with suppliers and service providers", "parts": [ { - "id": "control-1614-stmt", + "id": "control-0731-stmt", "name": "statement", - "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." + "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." } ] }, { - "id": "control-1615", - "title": "Emergency access to systems", + "id": "control-0732", + "title": "Receiving and managing a dedicated cyber security budget", "parts": [ { - "id": "control-1615-stmt", + "id": "control-0732-stmt", "name": "statement", - "prose": "Break glass accounts are tested after credentials are changed." + "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." 
} ] }, { - "id": "control-0078", - "title": "Control of Australian systems", + "id": "control-0717", + "title": "Overseeing cyber security personnel", "parts": [ { - "id": "control-0078-stmt", + "id": "control-0717-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "The CISO oversees the management of cyber security personnel within their organisation." } ] }, { - "id": "control-0854", - "title": "Control of Australian systems", + "id": "control-0735", + "title": "Overseeing cyber security awareness raising", "parts": [ { - "id": "control-0854-stmt", + "id": "control-0735-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." + "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." } ] } 
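Review bot: The `-`/`+` pairs in this hunk line up unrelated controls, so the diff cannot be read as a content change; for example `"id": "control-1507"` / `"title": "Privileged access to systems"` is replaced at the same position by `"id": "control-1633"` / `"title": "Protecting systems and their resources"`, and the `chief_information_security_officer` group appears as an insertion in the middle of what was the privileged-access and foreign-national control list. That pattern means the regenerated catalog.json orders groups and controls differently from the committed one, not that the ISM text for those controls changed. Before merging, please confirm the set of control IDs (and each control's `prose`) is identical between old and new files modulo ordering (a sorted list of `control-NNNN` IDs from both versions is enough), and, if the ordering change is intentional for trestle 1.0.x, say so in the commit message; otherwise a reader of `git log -p` will conclude that controls such as control-0448 and control-0446 were deleted from this catalog.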
@@ -4677,1864 +4545,1962 @@ ] }, { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", + "id": "guidelines_for_data_transfers", + "title": "Guidelines for Data Transfers", "groups": [ { - "id": "authentication_hardening", - "title": "Authentication hardening", + "id": "data_transfers", + "title": "Data transfers", "controls": [ { - "id": "control-1546", - "title": "Authenticating to systems", + "id": "control-0663", + "title": "Data transfer process and procedures", "parts": [ { - "id": "control-1546-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-0974", - "title": "Multi-factor authentication", + "id": "control-0661", + "title": "User responsibilities", "parts": [ { - "id": "control-0974-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." } ] }, { - "id": "control-1173", - "title": "Multi-factor authentication", + "id": "control-0665", + "title": "Trusted sources", "parts": [ { - "id": "control-1173-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." 
} ] }, { - "id": "control-1384", - "title": "Multi-factor authentication", + "id": "control-0664", + "title": "Data transfer approval", "parts": [ { - "id": "control-1384-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." } ] }, { - "id": "control-1504", - "title": "Multi-factor authentication", + "id": "control-0675", + "title": "Data transfer approval", "parts": [ { - "id": "control-1504-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "A trusted source signs all data authorised for export from a system." } ] }, { - "id": "control-1505", - "title": "Multi-factor authentication", + "id": "control-0657", + "title": "Import of data", "parts": [ { - "id": "control-1505-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "Data imported to a system is scanned for malicious and active content." } ] }, { - "id": "control-1401", - "title": "Multi-factor authentication", + "id": "control-0658", + "title": "Import of data", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." 
} ] }, { - "id": "control-1559", - "title": "Multi-factor authentication", + "id": "control-1187", + "title": "Export of data", "parts": [ { - "id": "control-1559-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "When exporting data, protective marking checks are undertaken." } ] }, { - "id": "control-1560", - "title": "Multi-factor authentication", + "id": "control-0669", + "title": "Export of data", "parts": [ { - "id": "control-1560-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." } ] }, { - "id": "control-1561", - "title": "Multi-factor authentication", + "id": "control-1535", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1561-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-1357", - "title": "Multi-factor authentication", + "id": "control-0678", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1357-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." 
+ "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." } ] }, { - "id": "control-0417", - "title": "Single-factor authentication", + "id": "control-1586", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0417-stmt", + "id": "control-1586-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + "prose": "Data transfer logs are used to record all data imports and exports from systems." } ] }, { - "id": "control-0421", - "title": "Single-factor authentication", + "id": "control-1294", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0421-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "Data transfer logs are partially audited at least monthly." } ] }, { - "id": "control-1557", - "title": "Single-factor authentication", + "id": "control-0660", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "Data transfer logs are fully audited at least monthly." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_ict_equipment", + "title": "Guidelines for ICT Equipment", + "groups": [ + { + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", + "controls": [ + { + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", + "parts": [ + { + "id": "control-0313-stmt", + "name": "statement", + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0422", - "title": "Single-factor authentication", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0422-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-1558", - "title": "Single-factor authentication", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." 
} ] }, { - "id": "control-1596", - "title": "Single-factor authentication", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1596-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." } ] }, { - "id": "control-1227", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1227-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1593", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0315", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1593-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." + "prose": "When disposing of high assurance ICT equipment, it is destroyed prior to its disposal." 
} ] }, { - "id": "control-1594", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0321", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1594-stmt", + "id": "control-0321-stmt", "name": "statement", - "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." + "prose": "When disposing of ICT equipment that has been designed or modified to meet TEMPEST standards, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-1595", - "title": "Setting and resetting credentials for user accounts", + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1595-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." } ] }, { - "id": "control-1619", - "title": "Setting and resetting credentials for service accounts", + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1619-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "Service accounts are created as group Managed Service Accounts." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." 
} ] }, { - "id": "control-1403", - "title": "Account lockouts", + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1403-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." } ] }, { - "id": "control-0431", - "title": "Account lockouts", + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", + "parts": [ + { + "id": "control-1219-stmt", + "name": "statement", + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + } + ] + }, + { + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", + "parts": [ + { + "id": "control-1220-stmt", + "name": "statement", + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + } + ] + }, + { + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0431-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-0976", - "title": "Account unlocks", + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0976-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." 
+ "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." } ] }, { - "id": "control-1603", - "title": "Insecure authentication methods", + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1603-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "Authentication methods susceptible to replay attacks are disabled." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." } ] }, { - "id": "control-1055", - "title": "Insecure authentication methods", + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-1055-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-1620", - "title": "Insecure authentication methods", + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-1620-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "Privileged accounts are members of the Protected Users security group." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." } ] }, { - "id": "control-0418", - "title": "Protecting credentials", + "id": "control-1223", + "title": "Sanitising network devices", "parts": [ { - "id": "control-0418-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." 
+ "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." } ] }, { - "id": "control-1597", - "title": "Protecting credentials", + "id": "control-1225", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1597-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "Credentials are obscured as they are entered into systems." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-1402", - "title": "Protecting credentials", + "id": "control-1226", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1402-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-1590", - "title": "Protecting credentials", + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", "parts": [ { - "id": "control-1590-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." } ] }, { - "id": "control-0853", - "title": "Session termination", + "id": "control-0305", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0853-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." 
} ] }, { - "id": "control-0428", - "title": "Session and screen locking", + "id": "control-0307", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0428-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-0408", - "title": "Logon banner", + "id": "control-0306", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0408-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." 
} ] }, { - "id": "control-0979", - "title": "Logon banner", + "id": "control-0310", + "title": "Off-site maintenance and repairs", "parts": [ { - "id": "control-0979-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] - } - ] - }, - { - "id": "operating_system_hardening", - "title": "Operating system hardening", - "controls": [ + }, { - "id": "control-1406", - "title": "Standard Operating Environments", + "id": "control-0944", + "title": "Maintenance and repair of ICT equipment from secured spaces", "parts": [ { - "id": "control-1406-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "SOEs are used for workstations and servers." + "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." } ] }, { - "id": "control-1608", - "title": "Standard Operating Environments", + "id": "control-1598", + "title": "Inspection of ICT equipment following maintenance and repairs", "parts": [ { - "id": "control-1608-stmt", + "id": "control-1598-stmt", "name": "statement", - "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." + "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ { - "id": "control-1588", - "title": "Standard Operating Environments", + "id": "control-1551", + "title": "ICT equipment management policy", "parts": [ { - "id": "control-1588-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "SOEs are reviewed and updated at least annually." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-1407", - "title": "Operating system versions", + "id": "control-0293", + "title": "Classifying ICT equipment", "parts": [ { - "id": "control-1407-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." } ] }, { - "id": "control-1408", - "title": "Operating system versions", + "id": "control-0294", + "title": "Labelling ICT equipment", "parts": [ { - "id": "control-1408-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-1409", - "title": "Operating system configuration", + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", "parts": [ { - "id": "control-1409-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." 
} ] }, { - "id": "control-0383", - "title": "Operating system configuration", + "id": "control-1599", + "title": "Handling ICT equipment", "parts": [ { - "id": "control-0383-stmt", + "id": "control-1599-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-0380", - "title": "Operating system configuration", + "id": "control-0039", + "title": "Cyber security strategy", "parts": [ { - "id": "control-0380-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-1584", - "title": "Operating system configuration", + "id": "control-0047", + "title": "Approval of security documentation", "parts": [ { - "id": "control-1584-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." 
} ] }, { - "id": "control-1491", - "title": "Operating system configuration", + "id": "control-0888", + "title": "Maintenance of security documentation", "parts": [ { - "id": "control-1491-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe)\n• Microsoft HTML Application Host (mshta.exe)." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1410", - "title": "Local administrator accounts", + "id": "control-1602", + "title": "Communication of security documentation", "parts": [ { - "id": "control-1410-stmt", + "id": "control-1602-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." } ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-1469", - "title": "Local administrator accounts", + "id": "control-0041", + "title": "System security plan", "parts": [ { - "id": "control-1469-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." 
+ "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-1592", - "title": "Application management", + "id": "control-0043", + "title": "Incident response plan", "parts": [ { - "id": "control-1592-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "Users do not have the ability to install unapproved software." + "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." } ] }, - { - "id": "control-0382", - "title": "Application management", + { + "id": "control-1163", + "title": "Continuous monitoring plan", "parts": [ { - "id": "control-0382-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "Users do not have the ability to uninstall or disable approved software." 
+ "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." } ] }, { - "id": "control-0843", - "title": "Application control", + "id": "control-1563", + "title": "Security assessment report", "parts": [ { - "id": "control-0843-stmt", + "id": "control-1563-stmt", "name": "statement", - "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." } ] }, { - "id": "control-1490", - "title": "Application control", + "id": "control-1564", + "title": "Plan of action and milestones", "parts": [ { - "id": "control-1490-stmt", + "id": "control-1564-stmt", "name": "statement", - "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media", + "title": "Guidelines for Media", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-0955", - "title": "Application control", + "id": "control-0363", + "title": "Media destruction process and procedures", "parts": [ { - "id": "control-0955-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-1582", - "title": "Application control", + "id": "control-0350", + "title": "Media that cannot be sanitised", "parts": [ { - "id": "control-1582-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." } ] }, { - "id": "control-1471", - "title": "Application control", + "id": "control-1361", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1471-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." + "prose": "SCEC or ASIO approved equipment is used when destroying media." 
} ] }, { - "id": "control-1392", - "title": "Application control", + "id": "control-1160", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1392-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." } ] }, { - "id": "control-1544", - "title": "Application control", + "id": "control-1517", + "title": "Media destruction methods", "parts": [ { - "id": "control-1544-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." + "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." } ] }, { - "id": "control-0846", - "title": "Application control", + "id": "control-0366", + "title": "Media destruction methods", "parts": [ { - "id": "control-0846-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." 
} ] }, { - "id": "control-0957", - "title": "Application control", + "id": "control-0368", + "title": "Treatment of media waste particles", "parts": [ { - "id": "control-0957-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." } ] }, { - "id": "control-1414", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-0361", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1414-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." } ] }, { - "id": "control-1492", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-0838", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1492-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "If supported, Microsoft’s exploit protection functionality is implemented on workstations and servers." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." 
} ] }, { - "id": "control-1621", - "title": "PowerShell", + "id": "control-0362", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1621-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "PowerShell 2.0 and below is removed from operating systems." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." } ] }, { - "id": "control-1622", - "title": "PowerShell", + "id": "control-1641", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1622-stmt", + "id": "control-1641-stmt", "name": "statement", - "prose": "PowerShell is configured to use Constrained Language Mode." + "prose": "Following destruction of magnetic media using a degausser, the magnetic media is physically damaged by deforming the internal platters by any means prior to disposal." } ] }, { - "id": "control-1623", - "title": "PowerShell", + "id": "control-0370", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1623-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1624", - "title": "PowerShell", + "id": "control-0371", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1624-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." 
} ] }, { - "id": "control-1341", - "title": "Host-based Intrusion Prevention System", + "id": "control-0372", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1341-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1034", - "title": "Host-based Intrusion Prevention System", + "id": "control-0373", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1034-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." } ] }, { - "id": "control-1416", - "title": "Software firewall", + "id": "control-0840", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1416-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." 
} ] }, { - "id": "control-1417", - "title": "Antivirus software", + "id": "control-0839", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1417-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." } ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-1390", - "title": "Antivirus software", + "id": "control-0374", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1390-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." } ] }, { - "id": "control-1418", - "title": "Device access control software", + "id": "control-0375", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1418-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision (in consultation with information owners) is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." 
} ] }, { - "id": "control-0345", - "title": "Device access control software", + "id": "control-0378", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-0345-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "External interfaces of workstations and servers that allow DMA are disabled." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." } ] } ] }, { - "id": "application_hardening", - "title": "Application hardening", + "id": "media_usage", + "title": "Media usage", "controls": [ { - "id": "control-0938", - "title": "Application selection", + "id": "control-1549", + "title": "Media management policy", "parts": [ { - "id": "control-0938-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-1467", - "title": "Application versions", + "id": "control-1359", + "title": "Removable media usage policy", "parts": [ { - "id": "control-1467-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." + "prose": "A removable media usage policy is developed and implemented." 
} ] }, { - "id": "control-1483", - "title": "Application versions", + "id": "control-0323", + "title": "Classifying media", "parts": [ { - "id": "control-1483-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media, unless the media has been classified to a higher sensitivity or classification." } ] }, { - "id": "control-1412", - "title": "Hardening application configurations", + "id": "control-0325", + "title": "Reclassifying media", "parts": [ { - "id": "control-1412-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-1484", - "title": "Hardening application configurations", + "id": "control-0330", + "title": "Reclassifying media", "parts": [ { - "id": "control-1484-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "In order to reclassify media to a lower sensitivity or classification, the media is sanitised (unless the media is read-only) and a formal administrative decision (in consultation with information owners) is made to reclassify the media." 
} ] }, { - "id": "control-1485", - "title": "Hardening application configurations", + "id": "control-0831", + "title": "Handling media", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." } ] }, { - "id": "control-1486", - "title": "Hardening application configurations", + "id": "control-1059", + "title": "Handling media", "parts": [ { - "id": "control-1486-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1541", - "title": "Hardening application configurations", + "id": "control-0332", + "title": "Labelling media", "parts": [ { - "id": "control-1541-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-1542", - "title": "Hardening application configurations", + "id": "control-1600", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1542-stmt", + "id": "control-1600-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "Media is sanitised before it is used for the first time." 
} ] }, { - "id": "control-1470", - "title": "Hardening application configurations", + "id": "control-1642", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1470-stmt", + "id": "control-1642-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "Media is sanitised before it is reused in a different security domain." } ] }, { - "id": "control-1235", - "title": "Hardening application configurations", + "id": "control-0337", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1235-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." + "prose": "Media is only used with systems that are authorised to process, store or communicate the sensitivity or classification of the media." } ] }, { - "id": "control-1601", - "title": "Hardening application configurations", + "id": "control-0341", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1601-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." } ] }, { - "id": "control-1585", - "title": "Hardening application configurations", + "id": "control-0342", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1585-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports or by physical means." 
} ] }, { - "id": "control-1487", - "title": "Microsoft Office macros", + "id": "control-0343", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1487-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-1488", - "title": "Microsoft Office macros", + "id": "control-0347", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1488-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-1489", - "title": "Microsoft Office macros", + "id": "control-0947", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1489-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." + "prose": "When transferring data manually between two systems belonging to different security domains, rewritable media is sanitised after each data transfer." 
} ] } ] }, { - "id": "virtualisation_hardening", - "title": "Virtualisation hardening", + "id": "media_sanitisation", + "title": "Media sanitisation", "controls": [ { - "id": "control-1460", - "title": "Functional separation between computing environments", + "id": "control-0348", + "title": "Media sanitisation process and procedures", "parts": [ { - "id": "control-1460-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-1604", - "title": "Functional separation between computing environments", + "id": "control-0351", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1604-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1605", - "title": "Functional separation between computing environments", + "id": "control-0352", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1605-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." } ] }, { - "id": "control-1606", - "title": "Functional separation between computing environments", + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", "parts": [ { - "id": "control-1606-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-1607", - "title": "Functional separation between computing environments", + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1607-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." 
+ "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-1462", - "title": "Functional separation between computing environments", + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1461", - "title": "Functional separation between computing environments", + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1461-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ - { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", - "controls": [ + }, { - "id": "control-0580", - "title": "Event logging policy", + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", "parts": [ { - "id": "control-0580-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-1405", - "title": "Centralised logging facility", + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1405-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0988", - "title": "Centralised logging facility", + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-0988-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." 
+ "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0584", - "title": "Events to be logged", + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", "parts": [ { - "id": "control-0584-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-0582", - "title": "Events to be logged", + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", "parts": [ { - "id": "control-0582-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1536", - "title": "Events to be logged", + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", "parts": [ { - "id": "control-1536-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." } ] }, { - "id": "control-1537", - "title": "Events to be logged", + "id": "control-1464", + "title": "Encrypted media sanitisation", "parts": [ { - "id": "control-1537-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." + "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_cryptography", + "title": "Guidelines for Cryptography", + "groups": [ + { + "id": "secure_shell", + "title": "Secure Shell", + "controls": [ + { + "id": "control-1506", + "title": "Configuring Secure Shell", + "parts": [ + { + "id": "control-1506-stmt", + "name": "statement", + "prose": "The use of SSH version 1 is disabled." 
} ] }, { - "id": "control-0585", - "title": "Events log details", + "id": "control-0484", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-0585-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-0586", - "title": "Event log protection", + "id": "control-0485", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-0586-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." + "prose": "Public key-based authentication is used for SSH connections." } ] }, { - "id": "control-0859", - "title": "Event log retention", + "id": "control-1449", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-0859-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "SSH private keys are protected with a passphrase or a key encryption key." } ] }, { - "id": "control-0991", - "title": "Event log retention", + "id": "control-0487", + "title": "Automated remote access", "parts": [ { - "id": "control-0991-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." 
} ] }, { - "id": "control-0109", - "title": "Event log auditing process and procedures", + "id": "control-0488", + "title": "Automated remote access", "parts": [ { - "id": "control-0109-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." } ] }, { - "id": "control-1228", - "title": "Event log auditing process and procedures", + "id": "control-0489", + "title": "SSH-agent", "parts": [ { - "id": "control-1228-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", - "groups": [ + }, { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", "controls": [ { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0123-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "Only AACAs are used by cryptographic equipment and software." } ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", "parts": [ { - "id": "control-0141-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." } ] }, { - "id": "control-1433", - "title": "Reporting cyber security incidents", + "id": "control-0472", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-1433-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used." 
} ] }, { - "id": "control-1434", - "title": "Reporting cyber security incidents", + "id": "control-1629", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-1434-stmt", + "id": "control-1629-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3." } ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents to the ACSC", - "parts": [ - { - "id": "control-0140-stmt", - "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." - } - ] - } - ] - }, - { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", - "controls": [ - { - "id": "control-0125", - "title": "Cyber security incident register", + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-0125-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." + "prose": "When using DSA for digital signatures, a modulus of at least 2048 bits is used." } ] }, { - "id": "control-0133", - "title": "Handling and containing data spills", + "id": "control-1630", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-0133-stmt", + "id": "control-1630-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." 
+ "prose": "When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4." } ] }, { - "id": "control-0917", - "title": "Handling and containing malicious code infections", + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", "parts": [ { - "id": "control-0917-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." } ] }, { - "id": "control-0137", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", "parts": [ { - "id": "control-0137-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used." } ] }, { - "id": "control-1609", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", "parts": [ { - "id": "control-1609-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." 
+ "prose": "When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used." } ] }, { - "id": "control-1213", - "title": "Post-incident analysis", + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-1213-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used." } ] }, { - "id": "control-0138", - "title": "Integrity of evidence", + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0138-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." + "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." } ] - } - ] - }, - { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", - "controls": [ + }, { - "id": "control-0576", - "title": "Intrusion detection and prevention policy", + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", "parts": [ { - "id": "control-0576-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." 
} ] }, { - "id": "control-1625", - "title": "Trusted insider program", + "id": "control-0480", + "title": "Using the Triple Data Encryption Standard", "parts": [ { - "id": "control-1625-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "A trusted insider program is developed and implemented." + "prose": "3DES is used with three distinct keys." } ] }, { - "id": "control-1626", - "title": "Trusted insider program", + "id": "control-1232", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-1626-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." + "prose": "AACAs are used in an evaluated implementation." } ] }, { - "id": "control-0120", - "title": "Access to sufficient data sources and tools", + "id": "control-1468", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0120-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." } ] } ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ + }, { - "id": "mobile_device_usage", - "title": "Mobile device usage", + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", "controls": [ { - "id": "control-1082", - "title": "Mobile device usage policy", + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-1082-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "Versions of S/MIME earlier than 3.0 are not used." 
} ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-1083", - "title": "Personnel awareness", + "id": "control-1139", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1083-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "Only the latest version of TLS is used." } ] }, { - "id": "control-0240", - "title": "Paging and message services", + "id": "control-1369", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-0866", - "title": "Using mobile devices in public spaces", + "id": "control-1370", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0866-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "Only server-initiated secure renegotiation is used." } ] }, { - "id": "control-1145", - "title": "Using mobile devices in public spaces", + "id": "control-1372", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1145-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." + "prose": "DH or ECDH is used for key establishment." 
} ] }, { - "id": "control-0871", - "title": "Maintaining control of mobile devices", + "id": "control-1448", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0871-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." } ] }, { - "id": "control-0870", - "title": "Maintaining control of mobile devices", + "id": "control-1373", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0870-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-1084", - "title": "Carrying mobile devices", + "id": "control-1374", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1084-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "SHA-2-based certificates are used." } ] }, { - "id": "control-0701", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1375", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0701-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." 
} ] }, { - "id": "control-0702", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1553", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0702-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "TLS compression is disabled." } ] }, { - "id": "control-1298", - "title": "Before travelling overseas with mobile devices", + "id": "control-1453", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1298-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "PFS is used for TLS connections." } ] - }, + } + ] + }, + { + "id": "cryptographic_system_management", + "title": "Cryptographic system management", + "controls": [ { - "id": "control-1554", - "title": "Before travelling overseas with mobile devices", + "id": "control-0501", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1554-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." 
} ] }, { - "id": "control-1555", - "title": "Before travelling overseas with mobile devices", + "id": "control-0142", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1555-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." 
} ] }, { - "id": "control-1299", - "title": "While travelling overseas with mobile devices", + "id": "control-1091", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1299-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "Keying material is changed when compromised or suspected of being compromised." 
} ] }, { - "id": "control-1088", - "title": "While travelling overseas with mobile devices", + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", "parts": [ { - "id": "control-1088-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." } ] }, { - "id": "control-1300", - "title": "After travelling overseas with mobile devices", + "id": "control-0505", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1300-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." 
} ] }, { - "id": "control-1556", - "title": "After travelling overseas with mobile devices", + "id": "control-0506", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1556-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." } ] } ] }, { - "id": "mobile_device_management", - "title": "Mobile device management", + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", "controls": [ { - "id": "control-1533", - "title": "Mobile device management policy", + "id": "control-1161", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1533-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." } ] }, { - "id": "control-1195", - "title": "Mobile device management policy", + "id": "control-0457", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1195-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." 
+ "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] }, { - "id": "control-0687", - "title": "Mobile device management policy", + "id": "control-0460", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-0687-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-1400", - "title": "Privately-owned mobile devices", + "id": "control-0459", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-1400-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-0694", - "title": "Privately-owned mobile devices", + "id": "control-0461", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0694-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems or information." 
+ "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-1297", - "title": "Seeking legal advice for privately-owned mobile devices", + "id": "control-1080", + "title": "Encrypting particularly important information at rest", "parts": [ { - "id": "control-1297-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." } ] }, { - "id": "control-1482", - "title": "Organisation-owned mobile devices", + "id": "control-0455", + "title": "Data recovery", "parts": [ { - "id": "control-1482-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." } ] }, { - "id": "control-0869", - "title": "Mobile device storage encryption", + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", "parts": [ { - "id": "control-0869-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
+ "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] }, { - "id": "control-1085", - "title": "Mobile device communications encryption", + "id": "control-1162", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1085-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1202", - "title": "Mobile device Bluetooth functionality", + "id": "control-0465", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1202-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0682", - "title": "Mobile device Bluetooth functionality", + "id": "control-0467", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-0682-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
+ "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1196", - "title": "Mobile device Bluetooth pairing", + "id": "control-0469", + "title": "Encrypting particularly important information in transit", "parts": [ { - "id": "control-1196-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ { - "id": "control-1200", - "title": "Mobile device Bluetooth pairing", + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-1200-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "Only AACPs are used by cryptographic equipment and software." + } + ] + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ + { + "id": "control-0494", + "title": "Mode of operation", + "parts": [ + { + "id": "control-0494-stmt", + "name": "statement", + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." 
} ] }, { - "id": "control-1198", - "title": "Mobile device Bluetooth pairing", + "id": "control-0496", + "title": "Protocol selection", "parts": [ { - "id": "control-1198-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "The ESP protocol is used for IPsec connections." } ] }, { - "id": "control-1199", - "title": "Mobile device Bluetooth pairing", + "id": "control-1233", + "title": "Key exchange", "parts": [ { - "id": "control-1199-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-0863", - "title": "Configuration control", + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", "parts": [ { - "id": "control-0863-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." } ] }, { - "id": "control-0864", - "title": "Configuration control", + "id": "control-0498", + "title": "Security association lifetimes", "parts": [ { - "id": "control-0864-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." 
} ] }, { - "id": "control-1365", - "title": "Maintaining mobile device security", + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", "parts": [ { - "id": "control-1365-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-1366", - "title": "Maintaining mobile device security", + "id": "control-0999", + "title": "Diffie-Hellman groups", "parts": [ { - "id": "control-1366-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." } ] }, { - "id": "control-0874", - "title": "Connecting mobile devices to the internet", + "id": "control-1000", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-0874-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "PFS is used for IPsec connections." } ] }, { - "id": "control-0705", - "title": "Connecting mobile devices to the internet", + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", "parts": [ { - "id": "control-0705-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." } ] } 
@@ -6543,2479 +6509,2513 @@ ] }, { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", "groups": [ { - "id": "cabling_infrastructure", - "title": "Cabling infrastructure", + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", "controls": [ { - "id": "control-0181", - "title": "Cabling infrastructure standards", + "id": "control-0252", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-0181-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "Cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority." + "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." } ] }, { - "id": "control-1111", - "title": "Use of fibre-optic cables", + "id": "control-1565", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1111-stmt", + "id": "control-1565-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for cabling infrastructure instead of copper cables." + "prose": "Tailored privileged user training is undertaken annually by all privileged users." 
} ] }, { - "id": "control-0211", - "title": "Cable register", + "id": "control-0817", + "title": "Reporting suspicious contact via online services", "parts": [ { - "id": "control-0211-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "A cable register is maintained and regularly audited." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, { - "id": "control-0208", - "title": "Cable register", + "id": "control-0820", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0208-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "Cable registers contain the following information:\n• cable identifier\n• cable colour\n• sensitivity/classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." } ] }, { - "id": "control-0206", - "title": "Cable labelling process and procedures", + "id": "control-1146", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0206-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." } ] }, { - "id": "control-1096", - "title": "Labelling cables", + "id": "control-0821", + "title": "Posting personal information to online services", "parts": [ { - "id": "control-1096-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." 
+ "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." } ] }, { - "id": "control-1639", - "title": "Labelling building management cables", + "id": "control-0824", + "title": "Sending and receiving files via online services", "parts": [ { - "id": "control-1639-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "Building management cables are labelled with their purpose in black writing on a yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre intervals." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." + } + ] + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ + { + "id": "control-0432", + "title": "System access requirements", + "parts": [ + { + "id": "control-0432-stmt", + "name": "statement", + "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." } ] }, { - "id": "control-1640", - "title": "Labelling cables for foreign systems in Australian facilities", + "id": "control-0434", + "title": "System access requirements", "parts": [ { - "id": "control-1640-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "Cables for foreign systems installed in Australian facilities are labelled at inspection points." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." 
} ] }, { - "id": "control-0926", - "title": "Cable colours", + "id": "control-0435", + "title": "System access requirements", "parts": [ { - "id": "control-0926-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] }, { - "id": "control-1216", - "title": "Cable colour non-conformance", + "id": "control-0414", + "title": "User identification", "parts": [ { - "id": "control-1216-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "Cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." } ] }, { - "id": "control-1112", - "title": "Cable inspectability", + "id": "control-0415", + "title": "User identification", "parts": [ { - "id": "control-1112-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-1118", - "title": "Cable inspectability", + "id": "control-1583", + "title": "User identification", "parts": [ { - "id": "control-1118-stmt", + "id": "control-1583-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Personnel who are contractors are identified as such." 
} ] }, { - "id": "control-1119", - "title": "Cable inspectability", + "id": "control-0975", + "title": "User identification", "parts": [ { - "id": "control-1119-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." + "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1126", - "title": "Cable inspectability", + "id": "control-0420", + "title": "User identification", "parts": [ { - "id": "control-1126-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0184", - "title": "Cable inspectability", + "id": "control-0405", + "title": "Standard access to systems", "parts": [ { - "id": "control-0184-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-0187", - "title": "Cable groups", + "id": "control-1503", + "title": "Standard access to systems", "parts": [ { - "id": "control-0187-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "The cable groups in the following table are used (see source document for referenced table)." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." 
} ] }, { - "id": "control-0189", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-1566", + "title": "Standard access to systems", "parts": [ { - "id": "control-0189-stmt", + "id": "control-1566-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single cable group." + "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-0190", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-0409", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0190-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "With fibre-optic cables contains subunits, each subunit only carries a single cable group; however, each subunit can carry a different cable group." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-1114", - "title": "Common cable reticulation systems", + "id": "control-0411", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-1114-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "Cable groups sharing a common cable reticulation system have a dividing partition or a visible gap between the cable groups." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." 
} ] }, { - "id": "control-1130", - "title": "Enclosed cable reticulation systems", + "id": "control-1507", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1130-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-1164", - "title": "Covers for enclosed cable reticulation systems", + "id": "control-1508", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1164-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-0195", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-0445", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0195-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on cable reticulation systems." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." } ] }, { - "id": "control-0194", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1509", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1509-stmt", + "name": "statement", + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." 
+ } + ] + }, + { + "id": "control-1175", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1175-stmt", + "name": "statement", + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + } + ] + }, + { + "id": "control-0448", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0194-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." } ] }, { - "id": "control-0201", - "title": "Labelling conduits", + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0201-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as ‘TS RUN’." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." } ] }, { - "id": "control-1115", - "title": "Cables in walls", + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1115-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." 
} ] }, { - "id": "control-1133", - "title": "Cables in party walls", + "id": "control-0430", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1133-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in party walls." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." } ] }, { - "id": "control-1122", - "title": "Wall penetrations", + "id": "control-1591", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1122-stmt", + "id": "control-1591-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." } ] }, { - "id": "control-1134", - "title": "Wall penetrations", + "id": "control-1404", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1134-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." 
} ] }, { - "id": "control-1104", - "title": "Wall outlet boxes", + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", "parts": [ { - "id": "control-1104-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "Wall outlet boxes have connectors on opposite sides of the wall outlet box if the cable group contains cables belonging to different classifications." + "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." } ] }, { - "id": "control-1105", - "title": "Wall outlet boxes", + "id": "control-0441", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1105-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "Different cables groups do not share a wall outlet box." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." } ] }, { - "id": "control-1095", - "title": "Labelling wall outlet boxes", + "id": "control-0443", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1095-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classifications, cable identifiers and wall outlet box identifier." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." 
} ] }, { - "id": "control-1107", - "title": "Wall outlet box colours", + "id": "control-1610", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1107-stmt", + "id": "control-1610-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1109", - "title": "Wall outlet box covers", + "id": "control-1611", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1109-stmt", + "id": "control-1611-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "Break glass accounts are only used when normal authentication processes cannot be used." } ] }, { - "id": "control-0218", - "title": "Fly lead installation", + "id": "control-1612", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0218-stmt", + "id": "control-1612-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "Break glass accounts are only used for specific authorised activities." } ] }, { - "id": "control-1102", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1613", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1102-stmt", + "id": "control-1613-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet." 
+ "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." } ] }, { - "id": "control-1101", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1614", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1101-stmt", + "id": "control-1614-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." + "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." } ] }, { - "id": "control-1103", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1615", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1103-stmt", + "id": "control-1615-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "Break glass accounts are tested after credentials are changed." } ] }, { - "id": "control-1098", - "title": "Terminating cables in cabinets", + "id": "control-0078", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1098-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets; or for small systems, one cabinet with a division plate to delineate cable groups." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." 
} ] }, { - "id": "control-1100", - "title": "Terminating cables in cabinets", + "id": "control-0854", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1100-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." + "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems", + "title": "Guidelines for Database Systems", + "groups": [ + { + "id": "database_servers", + "title": "Database servers", + "controls": [ { - "id": "control-0213", - "title": "Terminating cable groups on patch panels", + "id": "control-1425", + "title": "Protecting database server contents", "parts": [ { - "id": "control-0213-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "Different cable groups do not terminate on the same patch panel." + "prose": "Hard disks of database servers are encrypted using full disk encryption." } ] }, { - "id": "control-1116", - "title": "Physical separation of cabinets and patch panels", + "id": "control-1269", + "title": "Functional separation between database servers and web servers", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-0216", - "title": "Physical separation of cabinets and patch panels", + "id": "control-1277", + "title": "Communications between database servers and web servers", "parts": [ { - "id": "control-0216-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." 
+ "prose": "Information communicated between database servers and web applications is encrypted." } ] }, { - "id": "control-0217", - "title": "Physical separation of cabinets and patch panels", + "id": "control-1270", + "title": "Network environment", "parts": [ { - "id": "control-0217-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-0198", - "title": "Audio secure spaces", + "id": "control-1271", + "title": "Network environment", "parts": [ { - "id": "control-0198-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." } ] }, { - "id": "control-1123", - "title": "Power reticulation", + "id": "control-1272", + "title": "Network environment", "parts": [ { - "id": "control-1123-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
+ "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." } ] }, { - "id": "control-1135", - "title": "Power reticulation", + "id": "control-1273", + "title": "Separation of production, test and development database servers", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Test and development environments do not use the same database servers as production environments." } ] } ] }, { - "id": "emanation_security", - "title": "Emanation security", + "id": "databases", + "title": "Databases", "controls": [ { - "id": "control-0247", - "title": "Emanation security threat assessments in Australia", + "id": "control-1243", + "title": "Database register", "parts": [ { - "id": "control-0247-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "A database register is maintained and regularly audited." 
} ] }, { - "id": "control-0248", - "title": "Emanation security threat assessments in Australia", + "id": "control-1256", + "title": "Protecting database contents", "parts": [ { - "id": "control-0248-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-1137", - "title": "Emanation security threat assessments in Australia", + "id": "control-1252", + "title": "Protecting authentication credentials in databases", "parts": [ { - "id": "control-1137-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-0932", - "title": "Emanation security threat assessments outside Australia", + "id": "control-0393", + "title": "Protecting database contents", "parts": [ { - "id": "control-0932-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." 
} ] }, { - "id": "control-0249", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1255", + "title": "Protecting database contents", "parts": [ { - "id": "control-0249-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." } ] }, { - "id": "control-0246", - "title": "Early identification of emanation security issues", + "id": "control-1268", + "title": "Protecting database contents", "parts": [ { - "id": "control-0246-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." } ] }, { - "id": "control-0250", - "title": "Industry and government standards", + "id": "control-1258", + "title": "Aggregation of database contents", "parts": [ { - "id": "control-0250-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment", - "title": "Guidelines for ICT Equipment", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1274", + "title": "Separation of production, test and development databases", "parts": [ { - "id": "control-0313-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." } ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1275", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1550-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." } ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1276", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-0311-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." 
+ "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." } ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1278", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1217-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." } ] - }, + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1245", + "title": "Temporary installation files and logs", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-0315", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1246", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0315-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "When disposing of high assurance ICT equipment, it is destroyed prior to its disposal." + "prose": "DBMS software is configured according to vendor guidance." 
} ] }, { - "id": "control-0321", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1247", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0321-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "When disposing of ICT equipment that has been designed or modified to meet TEMPEST standards, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." } ] }, { - "id": "control-1218", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1249", + "title": "Restricting privileges", "parts": [ { - "id": "control-1218-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] }, { - "id": "control-0312", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1250", + "title": "Restricting privileges", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." 
} ] }, { - "id": "control-0317", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1251", + "title": "Restricting privileges", "parts": [ { - "id": "control-0317-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "The ability of DBMS software to read local files from a server is disabled." } ] }, { - "id": "control-1219", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1260", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-1220", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1262", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1220-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-1221", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1261", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1221-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Database administrator accounts are not shared across different databases." 
} ] }, { - "id": "control-0318", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1263", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0318-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-1534", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1264", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1534-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateways", + "title": "Guidelines for Gateways", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-1076", - "title": "Sanitising televisions and computer monitors", + "id": "control-1528", + "title": "Using firewalls", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." 
} ] }, { - "id": "control-1222", - "title": "Sanitising televisions and computer monitors", + "id": "control-0639", + "title": "Using firewalls", "parts": [ { - "id": "control-1222-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] }, { - "id": "control-1223", - "title": "Sanitising network devices", + "id": "control-1194", + "title": "Using firewalls", "parts": [ { - "id": "control-1223-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." } ] }, { - "id": "control-1225", - "title": "Sanitising fax machines", + "id": "control-0641", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1225-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." 
} ] }, { - "id": "control-1226", - "title": "Sanitising fax machines", + "id": "control-0642", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1226-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." } ] } ] }, { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", + "id": "diodes", + "title": "Diodes", "controls": [ { - "id": "control-1079", - "title": "Maintenance and repairs of high assurance ICT equipment", + "id": "control-0643", + "title": "Using diodes", "parts": [ { - "id": "control-1079-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0305", - "title": "On-site maintenance and repairs", + "id": "control-0645", + "title": "Using diodes", "parts": [ { - "id": "control-0305-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." 
} ] }, { - "id": "control-0307", - "title": "On-site maintenance and repairs", + "id": "control-1157", + "title": "Using diodes", "parts": [ { - "id": "control-0307-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." } ] }, { - "id": "control-0306", - "title": "On-site maintenance and repairs", + "id": "control-1158", + "title": "Using diodes", "parts": [ { - "id": "control-0306-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." } ] }, { - "id": "control-0310", - "title": "Off-site maintenance and repairs", + "id": "control-0646", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0310-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." 
+ "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-0944", - "title": "Maintenance and repair of ICT equipment from secured spaces", + "id": "control-0647", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0944-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-1598", - "title": "Inspection of ICT equipment following maintenance and repairs", + "id": "control-0648", + "title": "Volume checking", "parts": [ { - "id": "control-1598-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." } ] } ] }, { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", + "id": "content_filtering", + "title": "Content filtering", "controls": [ { - "id": "control-1551", - "title": "ICT equipment management policy", + "id": "control-0659", + "title": "Content filtering", "parts": [ { - "id": "control-1551-stmt", + "id": "control-0659-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." 
} ] }, { - "id": "control-0293", - "title": "Classifying ICT equipment", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-0293-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." } ] }, { - "id": "control-0294", - "title": "Labelling ICT equipment", + "id": "control-0651", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0294-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." } ] }, { - "id": "control-0296", - "title": "Labelling high assurance ICT equipment", + "id": "control-0652", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0296-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." } ] }, { - "id": "control-1599", - "title": "Handling ICT equipment", + "id": "control-1389", + "title": "Automated dynamic analysis", "parts": [ { - "id": "control-1599-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." 
+ "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0336", - "title": "ICT equipment and media register", + "id": "control-1284", + "title": "Content validation", "parts": [ { - "id": "control-0336-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." } ] }, { - "id": "control-0159", - "title": "ICT equipment and media register", + "id": "control-1286", + "title": "Content conversion and transformation", "parts": [ { - "id": "control-0159-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." } ] }, { - "id": "control-0161", - "title": "Securing ICT equipment and media", + "id": "control-1287", + "title": "Content sanitisation", "parts": [ { - "id": "control-0161-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." 
} ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Radio Frequency devices", + "id": "control-1288", + "title": "Antivirus scanning", "parts": [ { - "id": "control-1543-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] }, { - "id": "control-0225", - "title": "Radio Frequency devices", + "id": "control-1289", + "title": "Archive and container files", "parts": [ { - "id": "control-0225-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-0829", - "title": "Radio Frequency devices", + "id": "control-1290", + "title": "Archive and container files", "parts": [ { - "id": "control-0829-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-1058", - "title": "Bluetooth and wireless keyboards", + "id": "control-1291", + "title": "Archive and container files", "parts": [ { - "id": "control-1058-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." 
} ] }, { - "id": "control-0222", - "title": "Infrared keyboards", + "id": "control-0649", + "title": "Allowing access to specific content types", "parts": [ { - "id": "control-0222-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-0223", - "title": "Infrared keyboards", + "id": "control-1292", + "title": "Data integrity", "parts": [ { - "id": "control-0223-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." } ] }, { - "id": "control-0224", - "title": "Infrared keyboards", + "id": "control-0677", + "title": "Data integrity", "parts": [ { - "id": "control-0224-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "If data is signed, the signature is validated before the data is exported." 
} ] }, { - "id": "control-0221", - "title": "Wireless RF pointing devices", + "id": "control-1293", + "title": "Encrypted data", "parts": [ { - "id": "control-0221-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] } ] }, { - "id": "facilities_and_systems", - "title": "Facilities and systems", + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", "controls": [ { - "id": "control-0810", - "title": "Facilities containing systems", + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", "parts": [ { - "id": "control-0810-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-1053", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-1053-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." 
} ] }, { - "id": "control-1530", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-1530-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0813", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0635", + "title": "Separation of data flows", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-1074", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1521", + "title": "Separation of data flows", "parts": [ { - "id": "control-1074-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." 
} ] }, { - "id": "control-0157", - "title": "Network infrastructure", + "id": "control-1522", + "title": "Separation of data flows", "parts": [ { - "id": "control-0157-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." } ] }, { - "id": "control-1296", - "title": "Controlling physical access to network devices", + "id": "control-0670", + "title": "Event logging", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." } ] }, { - "id": "control-0164", - "title": "Preventing observation by unauthorised people", + "id": "control-1523", + "title": "Event logging", "parts": [ { - "id": "control-0164-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." + } + ] + }, + { + "id": "control-0610", + "title": "User training", + "parts": [ + { + "id": "control-0610-stmt", + "name": "statement", + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_data_transfers", - "title": "Guidelines for Data Transfers", - "groups": [ + }, { - "id": "data_transfers", - "title": "Data transfers", + "id": "web_proxies", + "title": "Web proxies", "controls": [ { - "id": "control-0663", - "title": "Data transfer process and procedures", + "id": "control-0258", + "title": "Web usage policy", "parts": [ { - "id": "control-0663-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + "prose": "A web usage policy is developed and implemented." } ] }, { - "id": "control-0661", - "title": "User responsibilities", + "id": "control-0260", + "title": "Using web proxies", "parts": [ { - "id": "control-0661-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-0665", - "title": "Trusted sources", + "id": "control-0261", + "title": "Web proxy authentication and logging", "parts": [ { - "id": "control-0665-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." 
} ] - }, + } + ] + }, + { + "id": "web_content_filters", + "title": "Web content filters", + "controls": [ { - "id": "control-0664", - "title": "Data transfer approval", + "id": "control-0963", + "title": "Using web content filters", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "A web content filter is used to filter potentially harmful web-based content." } ] }, { - "id": "control-0675", - "title": "Data transfer approval", + "id": "control-0961", + "title": "Using web content filters", "parts": [ { - "id": "control-0675-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "A trusted source signs all data authorised for export from a system." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." } ] }, { - "id": "control-0657", - "title": "Import of data", + "id": "control-1237", + "title": "Using web content filters", "parts": [ { - "id": "control-0657-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] }, { - "id": "control-0658", - "title": "Import of data", + "id": "control-0263", + "title": "Transport Layer Security filtering", "parts": [ { - "id": "control-0658-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." 
+ "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." } ] }, { - "id": "control-1187", - "title": "Export of data", + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", "parts": [ { - "id": "control-1187-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] }, { - "id": "control-0669", - "title": "Export of data", + "id": "control-0958", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0669-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-1535", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-1170", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-1535-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." 
+ "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." } ] }, { - "id": "control-0678", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0959", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0678-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." } ] }, { - "id": "control-1586", - "title": "Monitoring data import and export", + "id": "control-0960", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1586-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "Data transfer logs are used to record all data imports and exports from systems." + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." } ] }, { - "id": "control-1294", - "title": "Monitoring data import and export", + "id": "control-1171", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1294-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "Data transfer logs are partially audited at least monthly." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0660", - "title": "Monitoring data import and export", + "id": "control-1236", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0660-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "Data transfer logs are fully audited at least monthly." 
+ "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." } ] } ] - } - ] - }, - { - "id": "guidelines_for_media", - "title": "Guidelines for Media", - "groups": [ + }, { - "id": "media_destruction", - "title": "Media destruction", + "id": "peripheral_switches", + "title": "Peripheral switches", "controls": [ { - "id": "control-0363", - "title": "Media destruction process and procedures", - "parts": [ - { - "id": "control-0363-stmt", - "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." - } - ] - }, - { - "id": "control-0350", - "title": "Media that cannot be sanitised", + "id": "control-0591", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0350-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-1361", - "title": "Media destruction equipment", + "id": "control-1480", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1361-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." + "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." 
} ] }, { - "id": "control-1160", - "title": "Media destruction equipment", + "id": "control-1457", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1160-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." } ] }, { - "id": "control-1517", - "title": "Media destruction methods", + "id": "control-0593", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1517-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-0366", - "title": "Media destruction methods", + "id": "control-0594", + "title": "Peripheral switches for particularly important systems", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." 
} ] - }, + } + ] + }, + { + "id": "gateways", + "title": "Gateways", + "controls": [ { - "id": "control-0368", - "title": "Treatment of media waste particles", + "id": "control-0628", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0368-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "All systems are protected from systems in other security domains by one or more gateways." } ] }, { - "id": "control-0361", - "title": "Degaussing magnetic media", + "id": "control-1192", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0361-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] }, { - "id": "control-0838", - "title": "Degaussing magnetic media", + "id": "control-0631", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0838-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." 
+ "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." } ] }, { - "id": "control-0362", - "title": "Degaussing magnetic media", + "id": "control-1427", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0362-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." } ] }, { - "id": "control-1641", - "title": "Degaussing magnetic media", + "id": "control-0634", + "title": "Gateway operation", "parts": [ { - "id": "control-1641-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "Following destruction of magnetic media using a degausser, the magnetic media is physically damaged by deforming the internal platters by any means prior to disposal." + "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." 
} ] }, { - "id": "control-0370", - "title": "Supervision of destruction", + "id": "control-0637", + "title": "Demilitarised zones", "parts": [ { - "id": "control-0370-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-0371", - "title": "Supervision of destruction", + "id": "control-1037", + "title": "Gateway testing", "parts": [ { - "id": "control-0371-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-0372", - "title": "Supervision of accountable material destruction", + "id": "control-0611", + "title": "Gateway administration", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." 
} ] }, - { - "id": "control-0373", - "title": "Supervision of accountable material destruction", + { + "id": "control-0612", + "title": "Gateway administration", "parts": [ { - "id": "control-0373-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "System administrators are formally trained to manage gateways." } ] }, { - "id": "control-0840", - "title": "Outsourcing media destruction", + "id": "control-1520", + "title": "Gateway administration", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." } ] }, { - "id": "control-0839", - "title": "Outsourcing media destruction", + "id": "control-0613", + "title": "Gateway administration", "parts": [ { - "id": "control-0839-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." 
} ] - } - ] - }, - { - "id": "media_usage", - "title": "Media usage", - "controls": [ + }, { - "id": "control-1549", - "title": "Media management policy", + "id": "control-0616", + "title": "Gateway administration", "parts": [ { - "id": "control-1549-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Roles for the administration of gateways are separated." } ] }, { - "id": "control-1359", - "title": "Removable media usage policy", + "id": "control-0629", + "title": "Gateway administration", "parts": [ { - "id": "control-1359-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-0323", - "title": "Classifying media", + "id": "control-0607", + "title": "Shared ownership of gateways", "parts": [ { - "id": "control-0323-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media, unless the media has been classified to a higher sensitivity or classification." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." 
} ] }, { - "id": "control-0325", - "title": "Reclassifying media", + "id": "control-0619", + "title": "Gateway authentication", "parts": [ { - "id": "control-0325-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured." + "prose": "Users and services accessing networks through gateways are authenticated." } ] }, { - "id": "control-0330", - "title": "Reclassifying media", + "id": "control-0620", + "title": "Gateway authentication", "parts": [ { - "id": "control-0330-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "In order to reclassify media to a lower sensitivity or classification, the media is sanitised (unless the media is read-only) and a formal administrative decision (in consultation with information owners) is made to reclassify the media." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-0831", - "title": "Handling media", + "id": "control-1039", + "title": "Gateway authentication", "parts": [ { - "id": "control-0831-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." + "prose": "Multi-factor authentication is used for access to gateways." } ] }, { - "id": "control-1059", - "title": "Handling media", + "id": "control-0622", + "title": "ICT equipment authentication", "parts": [ { - "id": "control-1059-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "ICT equipment accessing networks through gateways is authenticated." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", + "groups": [ + { + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", + "controls": [ { - "id": "control-0332", - "title": "Labelling media", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", "parts": [ { - "id": "control-0332-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-1600", - "title": "Connecting media to systems", + "id": "control-0546", + "title": "Video and voice-aware firewalls", "parts": [ { - "id": "control-1600-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "Media is sanitised before it is used for the first time." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." } ] }, { - "id": "control-1642", - "title": "Connecting media to systems", + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", "parts": [ { - "id": "control-1642-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "Media is sanitised before it is reused in a different security domain." + "prose": "Video conferencing and IP telephony signalling and data is encrypted." 
} ] }, { - "id": "control-0337", - "title": "Connecting media to systems", + "id": "control-0548", + "title": "Establishment of secure signalling and data protocols", "parts": [ { - "id": "control-0337-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "Media is only used with systems that are authorised to process, store or communicate the sensitivity or classification of the media." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-0341", - "title": "Connecting media to systems", + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-0342", - "title": "Connecting media to systems", + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0342-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports or by physical means." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." 
} ] }, { - "id": "control-0343", - "title": "Connecting media to systems", + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0343-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-0347", - "title": "Using media for data transfers", + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0347-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured." + "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." } ] }, { - "id": "control-0947", - "title": "Using media for data transfers", + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0947-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, rewritable media is sanitised after each data transfer." + "prose": "Individual logins are used for IP phones." 
} ] - } - ] - }, - { - "id": "media_disposal", - "title": "Media disposal", - "controls": [ + }, { - "id": "control-0374", - "title": "Media disposal process and procedures", + "id": "control-0549", + "title": "Traffic separation", "parts": [ { - "id": "control-0374-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." } ] }, { - "id": "control-0375", - "title": "Media disposal process and procedures", + "id": "control-0556", + "title": "Traffic separation", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision (in consultation with information owners) is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-0378", - "title": "Media disposal process and procedures", + "id": "control-1015", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0378-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "Traditional analog phones are used in public areas." 
} ] - } - ] - }, - { - "id": "media_sanitisation", - "title": "Media sanitisation", - "controls": [ + }, { - "id": "control-0348", - "title": "Media sanitisation process and procedures", + "id": "control-0558", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] }, { - "id": "control-0351", - "title": "Volatile media sanitisation", + "id": "control-0559", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." } ] }, { - "id": "control-0352", - "title": "Volatile media sanitisation", + "id": "control-1450", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0352-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." 
} ] }, { - "id": "control-0835", - "title": "Treatment of volatile media following sanitisation", + "id": "control-1019", + "title": "Developing a denial of service response plan", "parts": [ { - "id": "control-0835-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." } ] - }, - { - "id": "control-1065", - "title": "Non-volatile magnetic media sanitisation", + } + ] + }, + { + "id": "telephone_systems", + "title": "Telephone systems", + "controls": [ + { + "id": "control-1078", + "title": "Telephone systems usage policy", "parts": [ { - "id": "control-1065-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-0354", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0229", + "title": "Personnel awareness", "parts": [ { - "id": "control-0354-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." 
+ "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-1067", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0230", + "title": "Personnel awareness", "parts": [ { - "id": "control-1067-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." } ] }, { - "id": "control-0356", - "title": "Treatment of non-volatile magnetic media following sanitisation", + "id": "control-0231", + "title": "Visual indication", "parts": [ { - "id": "control-0356-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-0357", - "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "id": "control-0232", + "title": "Protecting conversations", "parts": [ { - "id": "control-0357-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." 
+ "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0836", - "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "id": "control-0233", + "title": "Cordless telephone systems", "parts": [ { - "id": "control-0836-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." } ] }, { - "id": "control-0358", - "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "id": "control-0235", + "title": "Speakerphones", "parts": [ { - "id": "control-0358-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." + "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-0359", - "title": "Non-volatile flash memory media sanitisation", + "id": "control-0236", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0359-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." 
} ] }, { - "id": "control-0360", - "title": "Treatment of non-volatile flash memory media following sanitisation", + "id": "control-0931", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0360-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "In SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of SECRET information." } ] }, { - "id": "control-1464", - "title": "Encrypted media sanitisation", + "id": "control-0237", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-1464-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + "prose": "In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." } ] } ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ + }, { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", "controls": [ { - "id": "control-0714", - "title": "Providing cyber security leadership and guidance", + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", "parts": [ { - "id": "control-0714-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." + "prose": "A fax machine and MFD usage policy is developed and implemented." 
} ] }, { - "id": "control-1478", - "title": "Overseeing the cyber security program", + "id": "control-1092", + "title": "Sending fax messages", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." } ] }, { - "id": "control-1617", - "title": "Overseeing the cyber security program", + "id": "control-0241", + "title": "Sending fax messages", "parts": [ { - "id": "control-1617-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." } ] }, { - "id": "control-0724", - "title": "Overseeing the cyber security program", + "id": "control-1075", + "title": "Receiving fax messages", "parts": [ { - "id": "control-0724-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." 
} ] }, { - "id": "control-0725", - "title": "Coordinating cyber security", + "id": "control-0590", + "title": "Connecting multifunction devices to networks", "parts": [ { - "id": "control-0725-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." } ] }, { - "id": "control-0726", - "title": "Coordinating cyber security", + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", "parts": [ { - "id": "control-0726-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "The CISO coordinates security risk management activities between cyber security and business teams." + "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] }, { - "id": "control-0718", - "title": "Reporting on cyber security", + "id": "control-0589", + "title": "Copying documents on multifunction devices", "parts": [ { - "id": "control-0718-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." 
} ] }, { - "id": "control-0733", - "title": "Overseeing incident response activities", + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", "parts": [ { - "id": "control-0733-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "The CISO is fully aware of all cyber security incidents within their organisation." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ { - "id": "control-1618", - "title": "Overseeing incident response activities", + "id": "control-1510", + "title": "Digital preservation policy", "parts": [ { - "id": "control-1618-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s response to cyber security incidents." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-0734", - "title": "Contributing to business continuity and disaster recovery planning", + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0734-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." 
} ] }, { - "id": "control-0720", - "title": "Developing a cyber security communications strategy", + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0720-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." } ] }, { - "id": "control-0731", - "title": "Working with suppliers and service providers", + "id": "control-1511", + "title": "Performing backups", "parts": [ { - "id": "control-0731-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] }, { - "id": "control-0732", - "title": "Receiving and managing a dedicated cyber security budget", + "id": "control-1512", + "title": "Backup storage", "parts": [ { - "id": "control-0732-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." } ] }, { - "id": "control-0717", - "title": "Overseeing cyber security personnel", + "id": "control-1513", + "title": "Backup storage", "parts": [ { - "id": "control-0717-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "The CISO oversees the management of cyber security personnel within their organisation." + "prose": "Backups are stored at a multiple geographically-dispersed locations." 
} ] }, { - "id": "control-0735", - "title": "Overseeing cyber security awareness raising", - "parts": [ - { - "id": "control-0735-stmt", - "name": "statement", - "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." - } - ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ - { - "id": "control-1071", - "title": "System ownership and oversight", + "id": "control-1514", + "title": "Retention periods for backups", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "Backups are stored for three months or greater." } ] }, { - "id": "control-1525", - "title": "System ownership and oversight", + "id": "control-1515", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "System owners register each system with its authorising officer." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1633", - "title": "Protecting systems and their resources", + "id": "control-1516", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-1633-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." 
} ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-1634", - "title": "Protecting systems and their resources", + "id": "control-1211", + "title": "Change management process and procedures", "parts": [ { - "id": "control-1634-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "System owners select security controls for each system and tailor them to achieve desired security objectives." + "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." } ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-1635", - "title": "Protecting systems and their resources", + "id": "control-0042", + "title": "System administration process and procedures", "parts": [ { - "id": "control-1635-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "System owners implement identified security controls within each system and its operating environment." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." } ] }, { - "id": "control-1636", - "title": "Protecting systems and their resources", + "id": "control-1380", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1636-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "System owners ensure security controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended." 
+ "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] }, { - "id": "control-0027", - "title": "Protecting systems and their resources", + "id": "control-1382", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation." + "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." } ] }, { - "id": "control-1526", - "title": "Protecting systems and their resources", + "id": "control-1381", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1526-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." } ] }, { - "id": "control-1587", - "title": "Annual reporting of system security status", + "id": "control-1383", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1587-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "System owners report the security status of each system to its authorising officer at least annually." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ - { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", - "controls": [ + }, { - "id": "control-1631", - "title": "Cyber supply chain risk management", + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", "parts": [ { - "id": "control-1631-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are identified and understood." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." } ] }, { - "id": "control-1452", - "title": "Cyber supply chain risk management", + "id": "control-1386", + "title": "Restriction of management traffic flows", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-1567", - "title": "Cyber supply chain risk management", + "id": "control-1387", + "title": "Jump servers", "parts": [ { - "id": "control-1567-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "Suppliers and service providers identified as high risk are not used." + "prose": "All administrative actions are conducted through a jump server." 
} ] }, { - "id": "control-1568", - "title": "Cyber supply chain risk management", + "id": "control-1388", + "title": "Jump servers", "parts": [ { - "id": "control-1568-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." } ] - }, + } + ] + }, + { + "id": "system_patching", + "title": "System patching", + "controls": [ { - "id": "control-1632", - "title": "Cyber supply chain risk management", + "id": "control-1143", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1632-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-1569", - "title": "Cyber supply chain risk management", + "id": "control-1493", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1569-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." 
} ] }, { - "id": "control-0100", - "title": "Outsourced gateway services", + "id": "control-1144", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0100-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." + "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1637", - "title": "Outsourced cloud services", + "id": "control-0940", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1637-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "An outsourced cloud services register is maintained and regularly audited." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1638", - "title": "Outsourced cloud services", + "id": "control-1472", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1638-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "Outsourced cloud services registers contain the following for each outsourced cloud service:\n• cloud service provider’s name\n• cloud service’s name\n• purpose for using the cloud service\n• sensitivity or classification of information involved\n• due date for the next security assessment of the cloud service\n• point of contact for users of the cloud service\n• point of contact for the cloud service provider." 
+ "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1570", - "title": "Outsourced cloud services", + "id": "control-1494", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1570-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1529", - "title": "Outsourced cloud services", + "id": "control-1495", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "Only community or private clouds are used for outsourced cloud services." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1395", - "title": "Contractual security requirements", + "id": "control-1496", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1395-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." 
+ "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0072", - "title": "Contractual security requirements", + "id": "control-0300", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0072-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] }, { - "id": "control-1571", - "title": "Contractual security requirements", + "id": "control-0298", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1571-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-1451", - "title": "Contractual security requirements", + "id": "control-0303", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "Types of information and its ownership is documented in contractual arrangements." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1572", - "title": "Contractual security requirements", + "id": "control-1497", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1572-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1573", - "title": "Contractual security requirements", + "id": "control-1498", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1573-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." } ] }, { - "id": "control-1574", - "title": "Contractual security requirements", + "id": "control-1499", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1574-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1575", - "title": "Contractual security requirements", + "id": "control-1500", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1575-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1073", - "title": "Access to systems and information by service providers", + "id": "control-0304", + "title": "Cessation of support", "parts": [ { - "id": "control-1073-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] }, { - "id": "control-1576", - "title": "Access to systems and information by service providers", + "id": "control-1501", + "title": "Cessation of support", "parts": [ { - "id": "control-1576-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } 
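Review bot: as shown, this hunk is wholesale deletion of the media sanitisation controls (control-0348 through control-1464), the entire "Guidelines for Cyber Security Roles" group (control-0714 through control-1587) and the "Guidelines for Outsourcing" group (control-1631 through control-1576), with only communications-systems and system-management controls added in their place, and nothing in the visible lines shows the removed controls being re-added elsewhere in the file. If this is only a change in the order in which ISM.py emits top-level groups, please say so in the PR description and back it with a check that the set of control ids is unchanged, for example `git show HEAD:$f | jq -r '.. | objects | select(has("id")) | .id' | sort` run against the old and new copy of each catalog and the two lists diffed; if any control is genuinely dropped or added, list it in the commit message so it can be checked against the official ISM release. Either way, having the generator emit groups and controls in a fixed order (the official ISM chapter order, or sorted by id) would stop future regenerations from producing thousands of moved lines that hide real changes.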
diff --git a/ISM_catalog_profile/catalogs/ISM_August_2020/catalog.json b/ISM_catalog_profile/catalogs/ISM_August_2020/catalog.json index 8f84214..fa35125 100644 --- a/ISM_catalog_profile/catalogs/ISM_August_2020/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_August_2020/catalog.json 
@@ -1,7917 +1,7967 @@ { "catalog": { - "uuid": "63ef7b19-98bf-4979-b5dd-770698fda0b1", + "uuid": "ff4e204e-cf28-4a52-b4e2-b7b4978c0573", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:20:56.666+00:00", + "last-modified": "2022-04-28T11:44:47.291385+10:00", "version": "August_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration process and procedures", + "id": "control-0580", + "title": "Event logging policy", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "Separate administrator workstations", + "id": "control-1405", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1382", - "title": "Separate administrator workstations", + "id": "control-0988", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1381", - "title": "Separate administrator workstations", + "id": "control-0584", + "title": "Events to be logged", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1383", - "title": "Separate administrator workstations", + "id": "control-0582", + "title": "Events to be logged", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." 
} ] }, { - "id": "control-1385", - "title": "Dedicated administration zones and communication restrictions", + "id": "control-1536", + "title": "Events to be logged", "parts": [ { - "id": "control-1385-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." } ] }, { - "id": "control-1386", - "title": "Restriction of management traffic flows", + "id": "control-1537", + "title": "Events to be logged", "parts": [ { - "id": "control-1386-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." } ] }, { - "id": "control-1387", - "title": "Jump servers", + "id": "control-0585", + "title": "Events log details", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-1388", - "title": "Jump servers", + "id": "control-0586", + "title": "Event log protection", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management process and procedures", + "id": "control-0859", + "title": "Event log retention", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "Patch management process and procedures", + "id": "control-0991", + "title": "Event log retention", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] }, { - "id": "control-1493", - "title": "Patch management process and procedures", + "id": "control-0109", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1493-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1144", - "title": "When to patch security vulnerabilities", + "id": "control-1228", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1144-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_email", + "title": "Guidelines for Email", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ { - "id": "control-0940", - "title": "When to patch security vulnerabilities", + "id": "control-0569", + "title": "Centralised email gateways", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0569-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email is routed through a centralised email gateway." } ] }, { - "id": "control-1472", - "title": "When to patch security vulnerabilities", + "id": "control-0571", + "title": "Centralised email gateways", "parts": [ { - "id": "control-1472-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." } ] }, { - "id": "control-1494", - "title": "When to patch security vulnerabilities", + "id": "control-0570", + "title": "Email gateway maintenance activities", "parts": [ { - "id": "control-1494-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
+ "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." } ] }, { - "id": "control-1495", - "title": "When to patch security vulnerabilities", + "id": "control-0567", + "title": "Open relay email servers", "parts": [ { - "id": "control-1495-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-1496", - "title": "When to patch security vulnerabilities", + "id": "control-0572", + "title": "Email server transport encryption", "parts": [ { - "id": "control-1496-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." } ] }, { - "id": "control-0300", - "title": "When to patch security vulnerabilities", + "id": "control-1589", + "title": "Email server transport encryption", "parts": [ { - "id": "control-0300-stmt", + "id": "control-1589-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." 
} ] }, { - "id": "control-0298", - "title": "How to patch security vulnerabilities", + "id": "control-0574", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." } ] }, { - "id": "control-0303", - "title": "How to patch security vulnerabilities", + "id": "control-1183", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0303-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "A hard fail SPF record is used when specifying email servers." } ] }, { - "id": "control-1497", - "title": "How to patch security vulnerabilities", + "id": "control-1151", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1497-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "SPF is used to verify the authenticity of incoming emails." } ] }, { - "id": "control-1498", - "title": "How to patch security vulnerabilities", + "id": "control-1152", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1498-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
} ] }, { - "id": "control-1499", - "title": "How to patch security vulnerabilities", + "id": "control-0861", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-1500", - "title": "How to patch security vulnerabilities", + "id": "control-1026", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1500-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "DKIM signatures on received emails are verified." } ] }, { - "id": "control-0304", - "title": "Cessation of support", + "id": "control-1027", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0304-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." 
} ] }, { - "id": "control-1501", - "title": "Cessation of support", + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", "parts": [ { - "id": "control-1501-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." - } - ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ - { - "id": "control-1510", - "title": "Digital preservation policy", - "parts": [ - { - "id": "control-1510-stmt", - "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] }, { - "id": "control-1547", - "title": "Data backup and restoration processes and procedures", + "id": "control-1234", + "title": "Email content filtering", "parts": [ { - "id": "control-1547-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "Email content filtering controls are implemented for email bodies and attachments." } ] }, { - "id": "control-1548", - "title": "Data backup and restoration processes and procedures", + "id": "control-1502", + "title": "Blocking suspicious emails", "parts": [ { - "id": "control-1548-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." 
} ] }, { - "id": "control-1511", - "title": "Performing backups", + "id": "control-1024", + "title": "Undeliverable messages", "parts": [ { - "id": "control-1511-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." + "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." } ] - }, + } + ] + }, + { + "id": "email_usage", + "title": "Email usage", + "controls": [ { - "id": "control-1512", - "title": "Backup storage", + "id": "control-0264", + "title": "Email usage policy", "parts": [ { - "id": "control-1512-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." + "prose": "An email usage policy is developed and implemented." } ] }, { - "id": "control-1513", - "title": "Backup storage", + "id": "control-0267", + "title": "Webmail services", "parts": [ { - "id": "control-1513-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." + "prose": "Access to non-approved webmail services is blocked." } ] }, { - "id": "control-1514", - "title": "Retention periods for backups", + "id": "control-0270", + "title": "Protective markings for emails", "parts": [ { - "id": "control-1514-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." 
} ] }, { - "id": "control-1515", - "title": "Testing restoration of backups", + "id": "control-0271", + "title": "Protective marking tools", "parts": [ { - "id": "control-1515-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Protective marking tools do not automatically insert protective markings into emails." } ] }, { - "id": "control-1516", - "title": "Testing restoration of backups", + "id": "control-0272", + "title": "Protective marking tools", "parts": [ { - "id": "control-1516-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_gateways", - "title": "Guidelines for Gateways", - "groups": [ - { - "id": "firewalls", - "title": "Firewalls", - "controls": [ + }, { - "id": "control-1528", - "title": "Using firewalls", + "id": "control-1089", + "title": "Protective marking tools", "parts": [ { - "id": "control-1528-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." 
} ] }, { - "id": "control-0639", - "title": "Using firewalls", + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0639-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." } ] }, { - "id": "control-1194", - "title": "Using firewalls", + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-1194-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-0641", - "title": "Firewalls for particularly important networks", + "id": "control-0269", + "title": "Email distribution lists", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "Emails containing AUSTEO or AGAO information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." 
} ] }, { - "id": "control-0642", - "title": "Firewalls for particularly important networks", + "id": "control-1539", + "title": "Email distribution lists", "parts": [ { - "id": "control-0642-stmt", + "id": "control-1539-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." + "prose": "Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ { - "id": "gateways", - "title": "Gateways", + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", "controls": [ { - "id": "control-0628", - "title": "Gateway architecture and configuration", + "id": "control-0336", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0628-stmt", + "id": "control-0336-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." + "prose": "An ICT equipment and media register is maintained and regularly audited." } ] }, { - "id": "control-1192", - "title": "Gateway architecture and configuration", + "id": "control-0159", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-1192-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "All ICT equipment and media are accounted for on a regular basis." 
} ] }, { - "id": "control-0631", - "title": "Gateway architecture and configuration", + "id": "control-0161", + "title": "Securing ICT equipment and media", "parts": [ { - "id": "control-0631-stmt", + "id": "control-0161-stmt", "name": "statement", - "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "ICT equipment and media are secured when not in use." } ] - }, + } + ] + }, + { + "id": "facilities_and_systems", + "title": "Facilities and systems", + "controls": [ { - "id": "control-1427", - "title": "Gateway architecture and configuration", + "id": "control-0810", + "title": "Facilities containing systems", "parts": [ { - "id": "control-1427-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." 
} ] }, { - "id": "control-0634", - "title": "Gateway operation", + "id": "control-1053", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0634-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." } ] }, { - "id": "control-0637", - "title": "Demilitarised zones", + "id": "control-1530", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0637-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." 
} ] }, { - "id": "control-1037", - "title": "Gateway testing", + "id": "control-0813", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1037-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0611", - "title": "Gateway administration", + "id": "control-1074", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0611-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." } ] }, { - "id": "control-0612", - "title": "Gateway administration", + "id": "control-0157", + "title": "Network infrastructure", "parts": [ { - "id": "control-0612-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." } ] }, { - "id": "control-1520", - "title": "Gateway administration", + "id": "control-1296", + "title": "Controlling physical access to network devices", "parts": [ { - "id": "control-1520-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." 
+ "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." } ] }, { - "id": "control-0613", - "title": "Gateway administration", + "id": "control-0164", + "title": "Preventing observation by unauthorised people", "parts": [ { - "id": "control-0613-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." } ] - }, - { - "id": "control-0616", - "title": "Gateway administration", - "parts": [ - { - "id": "control-0616-stmt", + } + ] + }, + { + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", + "controls": [ + { + "id": "control-1543", + "title": "Radio Frequency devices", + "parts": [ + { + "id": "control-1543-stmt", "name": "statement", - "prose": "Roles for the administration of gateways are separated." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." } ] }, { - "id": "control-0629", - "title": "Gateway administration", + "id": "control-0225", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0629-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." 
} ] }, { - "id": "control-0607", - "title": "Shared ownership of gateways", + "id": "control-0829", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0607-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." } ] }, { - "id": "control-0619", - "title": "Gateway authentication", + "id": "control-1058", + "title": "Bluetooth and wireless keyboards", "parts": [ { - "id": "control-0619-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." } ] }, { - "id": "control-0620", - "title": "Gateway authentication", + "id": "control-0222", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0620-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-1039", - "title": "Gateway authentication", + "id": "control-0223", + "title": "Infrared keyboards", "parts": [ { - "id": "control-1039-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." 
+ "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." } ] }, { - "id": "control-0622", - "title": "ICT equipment authentication", + "id": "control-0224", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0622-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + } + ] + }, + { + "id": "control-0221", + "title": "Wireless RF pointing devices", + "parts": [ + { + "id": "control-0221-stmt", + "name": "statement", + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ { - "id": "diodes", - "title": "Diodes", + "id": "mobile_device_management", + "title": "Mobile device management", "controls": [ { - "id": "control-0643", - "title": "Using diodes", + "id": "control-1533", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0643-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." + "prose": "A mobile device management policy is developed and implemented." } ] }, { - "id": "control-0645", - "title": "Using diodes", + "id": "control-1195", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0645-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." } ] }, { - "id": "control-1157", - "title": "Using diodes", + "id": "control-0687", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1157-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." 
} ] }, { - "id": "control-1158", - "title": "Using diodes", + "id": "control-1400", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1158-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." } ] }, { - "id": "control-0646", - "title": "Diodes for particularly important networks", + "id": "control-0694", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-0646-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "Privately-owned mobile devices do not access highly classified systems or information." } ] }, { - "id": "control-0647", - "title": "Diodes for particularly important networks", + "id": "control-1297", + "title": "Seeking legal advice for privately-owned mobile devices", "parts": [ { - "id": "control-0647-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." 
} ] }, { - "id": "control-0648", - "title": "Volume checking", + "id": "control-1482", + "title": "Organisation-owned mobile devices", "parts": [ { - "id": "control-0648-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] - } - ] - }, - { - "id": "content_filtering", - "title": "Content filtering", - "controls": [ + }, { - "id": "control-0659", - "title": "Content filtering", + "id": "control-0869", + "title": "Mobile device storage encryption", "parts": [ { - "id": "control-0659-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-1085", + "title": "Mobile device communications encryption", "parts": [ { - "id": "control-1524-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." 
} ] }, { - "id": "control-0651", - "title": "Active, malicious and suspicious content", + "id": "control-1202", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0651-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] }, { - "id": "control-0652", - "title": "Active, malicious and suspicious content", + "id": "control-0682", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0652-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." } ] }, { - "id": "control-1389", - "title": "Automated dynamic analysis", + "id": "control-1196", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1389-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-1284", - "title": "Content validation", + "id": "control-1200", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1284-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." 
+ "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-1286", - "title": "Content conversion and transformation", + "id": "control-1198", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1286-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." } ] }, { - "id": "control-1287", - "title": "Content sanitisation", + "id": "control-1199", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1287-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." } ] }, { - "id": "control-1288", - "title": "Antivirus scanning", + "id": "control-0863", + "title": "Configuration control", "parts": [ { - "id": "control-1288-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-1289", - "title": "Archive and container files", + "id": "control-0864", + "title": "Configuration control", "parts": [ { - "id": "control-1289-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." 
} ] }, { - "id": "control-1290", - "title": "Archive and container files", + "id": "control-1365", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1290-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] }, { - "id": "control-1291", - "title": "Archive and container files", + "id": "control-1366", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." } ] }, { - "id": "control-0649", - "title": "Allowing access to specific content types", + "id": "control-0874", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0649-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-1292", - "title": "Data integrity", - "parts": [ - { - "id": "control-1292-stmt", - "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." - } - ] - }, - { - "id": "control-0677", - "title": "Data integrity", - "parts": [ - { - "id": "control-0677-stmt", - "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." 
- } - ] - }, - { - "id": "control-1293", - "title": "Encrypted data", + "id": "control-0705", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-1293-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." } ] } ] }, { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", + "id": "mobile_device_usage", + "title": "Mobile device usage", "controls": [ { - "id": "control-0626", - "title": "When to implement a Cross Domain Solution", + "id": "control-1082", + "title": "Mobile device usage policy", "parts": [ { - "id": "control-0626-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "A mobile device usage policy is developed and implemented." } ] }, { - "id": "control-0597", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1083", + "title": "Personnel awareness", "parts": [ { - "id": "control-0597-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." 
} ] }, { - "id": "control-0627", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-0240", + "title": "Paging and message services", "parts": [ { - "id": "control-0627-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." } ] }, { - "id": "control-0635", - "title": "Separation of data flows", + "id": "control-0866", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0635-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." } ] }, { - "id": "control-1521", - "title": "Separation of data flows", + "id": "control-1145", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-1521-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." 
} ] }, { - "id": "control-1522", - "title": "Separation of data flows", + "id": "control-0871", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-1522-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-0670", - "title": "Event logging", + "id": "control-0870", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-1523", - "title": "Event logging", + "id": "control-1084", + "title": "Carrying mobile devices", "parts": [ { - "id": "control-1523-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." + "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." 
} ] }, { - "id": "control-0610", - "title": "User training", + "id": "control-0701", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0610-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." } ] - } - ] - }, - { - "id": "web_content_filters", - "title": "Web content filters", - "controls": [ + }, { - "id": "control-0963", - "title": "Using web content filters", + "id": "control-0702", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." } ] }, { - "id": "control-0961", - "title": "Using web content filters", + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0961-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." } ] }, { - "id": "control-1237", - "title": "Using web content filters", + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1237-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." 
+ "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." } ] }, { - "id": "control-0263", - "title": "Transport Layer Security filtering", + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0263-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." } ] }, { - "id": "control-0996", - "title": "Inspection of Transport Layer Security traffic", + "id": "control-1299", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0996-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." 
+ "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." } ] }, { - "id": "control-0958", - "title": "Allowing access to specific websites", + "id": "control-1088", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0958-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." 
+ "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." } ] }, { - "id": "control-1170", - "title": "Allowing access to specific websites", + "id": "control-1300", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-1170-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-0959", - "title": "Blocking access to specific websites", + "id": "control-1556", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0959-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." + "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ + { + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", + "controls": [ { - "id": "control-0960", - "title": "Blocking access to specific websites", + "id": "control-0280", + "title": "Evaluated product selection", "parts": [ { - "id": "control-0960-stmt", + "id": "control-0280-stmt", "name": "statement", - "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." } ] }, { - "id": "control-1171", - "title": "Blocking access to specific websites", + "id": "control-0285", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1171-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." } ] }, { - "id": "control-1236", - "title": "Blocking access to specific websites", + "id": "control-0286", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1236-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." 
} ] } ] }, { - "id": "web_proxies", - "title": "Web proxies", + "id": "evaluated_product_usage", + "title": "Evaluated product usage", "controls": [ { - "id": "control-0258", - "title": "Web usage policy", + "id": "control-0289", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0258-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." } ] }, { - "id": "control-0260", - "title": "Using web proxies", + "id": "control-0290", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0260-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." } ] }, { - "id": "control-0261", - "title": "Web proxy authentication and logging", + "id": "control-0292", + "title": "Use of high assurance ICT equipment in unevaluated configurations", "parts": [ { - "id": "control-0261-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." + "prose": "High assurance ICT equipment is only operated in an evaluated configuration." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ { - "id": "peripheral_switches", - "title": "Peripheral switches", + "id": "emanation_security", + "title": "Emanation security", "controls": [ { - "id": "control-0591", - "title": "Using peripheral switches", + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0591-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1480", - "title": "Using peripheral switches", + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1480-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1457", - "title": "Using peripheral switches", + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0593", - "title": "Using peripheral switches", + "id": "control-0932", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0593-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." + "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." } ] }, { - "id": "control-0594", - "title": "Peripheral switches for particularly important systems", - "parts": [ - { - "id": "control-0594-stmt", - "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." 
- } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", - "groups": [ - { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", - "controls": [ - { - "id": "control-0280", - "title": "Evaluated product selection", + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0280-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0285", - "title": "Delivery of evaluated products", + "id": "control-0246", + "title": "Early identification of emanation security issues", "parts": [ { - "id": "control-0285-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." + "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." } ] }, { - "id": "control-0286", - "title": "Delivery of evaluated products", + "id": "control-0250", + "title": "Industry and government standards", "parts": [ { - "id": "control-0286-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." 
+ "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." } ] } ] }, { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", + "id": "cable_management", + "title": "Cable management", "controls": [ { - "id": "control-0289", - "title": "Installation and configuration of evaluated products", + "id": "control-0181", + "title": "Cable standards", "parts": [ { - "id": "control-0289-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." } ] }, { - "id": "control-0290", - "title": "Installation and configuration of evaluated products", + "id": "control-0926", + "title": "Cable colours", "parts": [ { - "id": "control-0290-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + "prose": "The cable colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-0292", - "title": "Use of high assurance ICT equipment in unevaluated configurations", + "id": "control-0825", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-0292-stmt", + "id": "control-0825-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." + "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_networking", - "title": "Guidelines for Networking", - "groups": [ - { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", - "controls": [ + }, { - "id": "control-1437", - "title": "Cloud-based hosting of online services", + "id": "control-0826", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-1437-stmt", + "id": "control-0826-stmt", "name": "statement", - "prose": "A cloud service provider is used for hosting online services." + "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." } ] }, { - "id": "control-1578", - "title": "Location policies for online services", + "id": "control-1215", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1578-stmt", + "id": "control-1215-stmt", "name": "statement", - "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." + "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." } ] }, { - "id": "control-1579", - "title": "Availability planning and monitoring for online services", + "id": "control-1216", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1579-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." + "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." 
} ] }, { - "id": "control-1580", - "title": "Availability planning and monitoring for online services", + "id": "control-1112", + "title": "Inspecting cables", "parts": [ { - "id": "control-1580-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1441", - "title": "Availability planning and monitoring for online services", + "id": "control-1118", + "title": "Inspecting cables", "parts": [ { - "id": "control-1441-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1581", - "title": "Availability planning and monitoring for online services", + "id": "control-1119", + "title": "Inspecting cables", "parts": [ { - "id": "control-1581-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "Organisations perform continuous real-time monitoring of the availability of online services." + "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1438", - "title": "Using content delivery networks", + "id": "control-1126", + "title": "Inspecting cables", "parts": [ { - "id": "control-1438-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." 
} ] }, { - "id": "control-1439", - "title": "Using content delivery networks", + "id": "control-0184", + "title": "Inspecting cables", "parts": [ { - "id": "control-1439-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1431", - "title": "Denial of service strategies", + "id": "control-0187", + "title": "Cable groupings", "parts": [ { - "id": "control-1431-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." + "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." 
} ] }, { - "id": "control-1458", - "title": "Denial of service strategies", + "id": "control-1111", + "title": "Use of fibre-optic cables", "parts": [ { - "id": "control-1458-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." } ] }, { - "id": "control-1432", - "title": "Domain name registrar locking", + "id": "control-0189", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1432-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." } ] }, { - "id": "control-1435", - "title": "Monitoring with real-time alerting for online services", + "id": "control-0190", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1435-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." } ] }, { - "id": "control-1436", - "title": "Segregation of critical online services", + "id": "control-1114", + "title": "Cables sharing a common reticulation system", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." 
+ "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." } ] }, { - "id": "control-1518", - "title": "Preparing for service continuity", + "id": "control-1130", + "title": "Enclosed cable reticulation systems", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." } ] - } - ] - }, - { - "id": "wireless_networks", - "title": "Wireless networks", - "controls": [ + }, { - "id": "control-1314", - "title": "Choosing wireless access points", + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", "parts": [ { - "id": "control-1314-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-0536", - "title": "Wireless networks for public access", + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-0536-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." 
} ] }, { - "id": "control-1315", - "title": "Administrative interfaces for wireless access points", - "parts": [ - { - "id": "control-1315-stmt", - "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." - } - ] - }, - { - "id": "control-1316", - "title": "Default Service Set Identifiers", + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-1316-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." } ] }, { - "id": "control-1317", - "title": "Default Service Set Identifiers", + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1317-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1318", - "title": "Default Service Set Identifiers", + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1318-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." 
} ] }, { - "id": "control-1319", - "title": "Static addressing", + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1319-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." } ] }, { - "id": "control-1320", - "title": "Media Access Control address filtering", + "id": "control-1098", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1320-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." + "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." } ] }, { - "id": "control-1321", - "title": "802.1X authentication", + "id": "control-1100", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1321-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-1322", - "title": "Evaluation of 802.1X authentication implementation", + "id": "control-1116", + "title": "Cabinet separation", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." 
} ] }, { - "id": "control-1324", - "title": "Generating and issuing certificates for authentication", + "id": "control-1115", + "title": "Cables in walls", "parts": [ { - "id": "control-1324-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." } ] }, { - "id": "control-1323", - "title": "Generating and issuing certificates for authentication", + "id": "control-1133", + "title": "Cables in party walls", "parts": [ { - "id": "control-1323-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "In shared non-government facilities, cables are not run in a party wall." } ] }, { - "id": "control-1325", - "title": "Generating and issuing certificates for authentication", + "id": "control-1122", + "title": "Wall penetrations", "parts": [ { - "id": "control-1325-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1326", - "title": "Generating and issuing certificates for authentication", + "id": "control-1134", + "title": "Wall penetrations", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." 
+ "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1327", - "title": "Generating and issuing certificates for authentication", + "id": "control-1104", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1327-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." } ] }, { - "id": "control-1330", - "title": "Caching 802.1X authentication outcomes", + "id": "control-1105", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1330-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." } ] }, { - "id": "control-1454", - "title": "Remote Authentication Dial-In User Service authentication", + "id": "control-1106", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1106-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." 
} ] }, { - "id": "control-1332", - "title": "Encryption of wireless network traffic", + "id": "control-1107", + "title": "Wall outlet box colours", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1334", - "title": "Interference between wireless networks", + "id": "control-1109", + "title": "Wall outlet box covers", "parts": [ { - "id": "control-1334-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "Wall outlet box covers are clear plastic." } ] }, { - "id": "control-1335", - "title": "Protecting management frames on wireless networks", + "id": "control-0198", + "title": "Audio secure spaces", "parts": [ { - "id": "control-1335-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." } ] }, { - "id": "control-1338", - "title": "Wireless network footprint", + "id": "control-1123", + "title": "Power reticulation", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
} ] }, { - "id": "control-1013", - "title": "Wireless network footprint", + "id": "control-1135", + "title": "Power reticulation", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] } ] }, { - "id": "network_design_and_configuration", - "title": "Network design and configuration", + "id": "cable_labelling_and_registration", + "title": "Cable labelling and registration", "controls": [ { - "id": "control-0516", - "title": "Network documentation", + "id": "control-0201", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0516-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." } ] }, { - "id": "control-0518", - "title": "Network documentation", + "id": "control-0202", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0518-stmt", + "id": "control-0202-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." 
} ] }, { - "id": "control-1178", - "title": "Network documentation", + "id": "control-0203", + "title": "Conduit label specifications", "parts": [ { - "id": "control-1178-stmt", + "id": "control-0203-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." } ] }, { - "id": "control-1181", - "title": "Network segmentation and segregation", + "id": "control-0204", + "title": "Installing conduit labelling", "parts": [ { - "id": "control-1181-stmt", + "id": "control-0204-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." } ] }, { - "id": "control-1577", - "title": "Network segmentation and segregation", + "id": "control-1095", + "title": "Labelling wall outlet boxes", "parts": [ { - "id": "control-1577-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "Organisation networks are segregated from service provider networks." + "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." } ] }, { - "id": "control-1532", - "title": "Using Virtual Local Area Networks", + "id": "control-1096", + "title": "Labelling cables", "parts": [ { - "id": "control-1532-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." 
+ "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." } ] }, { - "id": "control-0529", - "title": "Using Virtual Local Area Networks", + "id": "control-0206", + "title": "Cable labelling process and procedures", "parts": [ { - "id": "control-0529-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." + "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-1364", - "title": "Using Virtual Local Area Networks", + "id": "control-0208", + "title": "Cable register", "parts": [ { - "id": "control-1364-stmt", + "id": "control-0208-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." } ] }, { - "id": "control-0535", - "title": "Using Virtual Local Area Networks", + "id": "control-0211", + "title": "Cable inspections", "parts": [ { - "id": "control-0535-stmt", + "id": "control-0211-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "Cables are inspected for inconsistencies with the cable register at least annually." 
} ] - }, + } + ] + }, + { + "id": "cable_patching", + "title": "Cable patching", + "controls": [ { - "id": "control-0530", - "title": "Using Virtual Local Area Networks", + "id": "control-0213", + "title": "Terminations to patch panels", "parts": [ { - "id": "control-0530-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "Only approved cable groups terminate on a patch panel." } ] }, { - "id": "control-0521", - "title": "Using Internet Protocol version 6", + "id": "control-1093", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1093-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." + "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." } ] }, { - "id": "control-1186", - "title": "Using Internet Protocol version 6", + "id": "control-0214", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1186-stmt", + "id": "control-0214-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." 
} ] }, { - "id": "control-1428", - "title": "Using Internet Protocol version 6", + "id": "control-1094", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1094-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." } ] }, { - "id": "control-1429", - "title": "Using Internet Protocol version 6", + "id": "control-0216", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1429-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." } ] }, { - "id": "control-1430", - "title": "Using Internet Protocol version 6", + "id": "control-0217", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1430-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." 
} ] }, { - "id": "control-0520", - "title": "Network access controls", + "id": "control-0218", + "title": "Fly lead installation", "parts": [ { - "id": "control-0520-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ { - "id": "control-1182", - "title": "Network access controls", + "id": "control-1452", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1182-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "A review of suppliers and service providers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." } ] }, { - "id": "control-1301", - "title": "Network device register", + "id": "control-1567", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1301-stmt", + "id": "control-1567-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "High risk suppliers and service providers are not used." 
} ] }, { - "id": "control-1304", - "title": "Default accounts for network devices", + "id": "control-1568", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1304-stmt", + "id": "control-1568-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Outsourced information technology and cloud services are chosen from service providers that have made a commitment to secure practices and have a strong track record of maintaining the security of their systems and services." } ] }, { - "id": "control-0534", - "title": "Disabling unused physical ports on network devices", + "id": "control-1395", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." } ] }, { - "id": "control-0385", - "title": "Functional separation between servers", + "id": "control-1569", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1569-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "A shared responsibility model is created between service providers and organisations in order to articulate the security responsibilities of each party." } ] }, { - "id": "control-1479", - "title": "Functional separation between servers", + "id": "control-0100", + "title": "Outsourced gateway services", "parts": [ { - "id": "control-1479-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." 
+ "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." } ] }, { - "id": "control-1006", - "title": "Management traffic", + "id": "control-1570", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1006-stmt", + "id": "control-1570-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." } ] }, { - "id": "control-1311", - "title": "Use of Simple Network Management Protocol", + "id": "control-1529", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "Only community or private clouds are used for outsourced cloud services." } ] }, { - "id": "control-1312", - "title": "Use of Simple Network Management Protocol", + "id": "control-0072", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1312-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." 
} ] }, { - "id": "control-1028", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1571", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1571-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." + "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." } ] }, { - "id": "control-1030", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1451", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1030-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "Types of information and its ownership is documented in contractual arrangements." } ] }, { - "id": "control-1185", - "title": "Using Network-based Intrusion Detection and Prevention Systems", - "parts": [ - { - "id": "control-1185-stmt", - "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." 
- } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", - "groups": [ - { - "id": "web_application_development", - "title": "Web application development", - "controls": [ - { - "id": "control-1239", - "title": "Web application frameworks", + "id": "control-1572", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1239-stmt", + "id": "control-1572-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." } ] }, { - "id": "control-1552", - "title": "Web application interactions", + "id": "control-1573", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1573-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." } ] }, { - "id": "control-1240", - "title": "Web application input handling", + "id": "control-1574", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1240-stmt", + "id": "control-1574-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." 
} ] }, { - "id": "control-1241", - "title": "Web application output encoding", + "id": "control-1575", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1575-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." } ] }, { - "id": "control-1424", - "title": "Web browser-based security controls", + "id": "control-1073", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-1424-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." } ] }, { - "id": "control-0971", - "title": "Open Web Application Security Project", + "id": "control-1576", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-0971-stmt", + "id": "control-1576-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ { - "id": "application_development", - "title": "Application development", + "id": "application_hardening", + "title": "Application hardening", "controls": [ { - "id": "control-0400", - "title": "Development environments", + "id": "control-0938", + "title": "Application selection", "parts": [ { - "id": "control-0400-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "Development, testing and production environments are segregated." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." } ] }, { - "id": "control-1419", - "title": "Development environments", + "id": "control-1467", + "title": "Application versions", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." + "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." } ] }, { - "id": "control-1420", - "title": "Development environments", + "id": "control-1483", + "title": "Application versions", "parts": [ { - "id": "control-1420-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." 
} ] }, { - "id": "control-1422", - "title": "Development environments", + "id": "control-1412", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1422-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1238", - "title": "Secure software design", + "id": "control-1484", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1238-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "Web browsers are configured to block or disable support for Flash content." } ] }, { - "id": "control-0401", - "title": "Secure programming practices", + "id": "control-1485", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0401-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "Web browsers are configured to block web advertisements." } ] }, { - "id": "control-0402", - "title": "Software testing", + "id": "control-1486", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0402-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." 
+ "prose": "Web browsers are configured to block Java from the internet." } ] }, { - "id": "control-1616", - "title": "Vulnerability disclosure program", + "id": "control-1541", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1616-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." + "prose": "Microsoft Office is configured to disable support for Flash content." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ + }, { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "id": "control-1542", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." } ] }, { - "id": "control-0546", - "title": "Video and voice-aware firewalls", + "id": "control-1470", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0546-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." 
} ] }, { - "id": "control-0547", - "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "id": "control-1235", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0547-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." } ] }, { - "id": "control-0548", - "title": "Establishment of secure signalling and data protocols", + "id": "control-1601", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1601-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." } ] }, { - "id": "control-0554", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1585", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1585-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." } ] }, { - "id": "control-0553", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1487", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0553-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." 
+ "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." } ] }, { - "id": "control-0555", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1488", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0555-stmt", + "id": "control-1488-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." + "prose": "Microsoft Office macros in documents originating from the internet are blocked." } ] }, { - "id": "control-0551", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1489", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] - }, + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ { - "id": "control-1014", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1406", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-1014-stmt", + "id": "control-1406-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "SOEs are used for workstations and servers." 
} ] }, { - "id": "control-0549", - "title": "Traffic separation", + "id": "control-1608", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0549-stmt", + "id": "control-1608-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." } ] }, { - "id": "control-0556", - "title": "Traffic separation", + "id": "control-1588", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1588-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "SOEs are reviewed and updated at least annually." } ] }, { - "id": "control-1015", - "title": "Internet Protocol phones in public areas", + "id": "control-1407", + "title": "Operating system versions", "parts": [ { - "id": "control-1015-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." } ] }, { - "id": "control-0558", - "title": "Internet Protocol phones in public areas", + "id": "control-1408", + "title": "Operating system versions", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." 
} ] }, { - "id": "control-0559", - "title": "Microphones and webcams", + "id": "control-1409", + "title": "Operating system configuration", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-1450", - "title": "Microphones and webcams", + "id": "control-0383", + "title": "Operating system configuration", "parts": [ { - "id": "control-1450-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1019", - "title": "Developing a denial of service response plan", + "id": "control-0380", + "title": "Operating system configuration", "parts": [ { - "id": "control-1019-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." 
} ] - } - ] - }, - { - "id": "telephone_systems", - "title": "Telephone systems", - "controls": [ + }, { - "id": "control-1078", - "title": "Telephone systems usage policy", + "id": "control-1584", + "title": "Operating system configuration", "parts": [ { - "id": "control-1078-stmt", + "id": "control-1584-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." } ] }, { - "id": "control-0229", - "title": "Personnel awareness", + "id": "control-1491", + "title": "Operating system configuration", "parts": [ { - "id": "control-0229-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." } ] }, { - "id": "control-0230", - "title": "Personnel awareness", + "id": "control-1410", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0230-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." 
} ] }, { - "id": "control-0231", - "title": "Visual indication", + "id": "control-1469", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-0232", - "title": "Protecting conversations", + "id": "control-1592", + "title": "Application management", "parts": [ { - "id": "control-0232-stmt", + "id": "control-1592-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "Users do not have the ability to install unapproved software." } ] }, { - "id": "control-0233", - "title": "Cordless telephone systems", + "id": "control-0382", + "title": "Application management", "parts": [ { - "id": "control-0233-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + "prose": "Users do not have the ability to uninstall or disable approved software." } ] }, { - "id": "control-0235", - "title": "Speakerphones", + "id": "control-0843", + "title": "Application control", "parts": [ { - "id": "control-0235-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." 
+ "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0236", - "title": "Off-hook audio protection", - "parts": [ - { - "id": "control-0236-stmt", - "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." - } - ] - }, - { - "id": "control-0931", - "title": "Off-hook audio protection", + "id": "control-1490", + "title": "Application control", "parts": [ { - "id": "control-0931-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0237", - "title": "Off-hook audio protection", - "parts": [ - { - "id": "control-0237-stmt", - "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." - } - ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ - { - "id": "control-0588", - "title": "Fax machine and multifunction device usage policy", + "id": "control-0955", + "title": "Application control", "parts": [ { - "id": "control-0588-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." 
} ] }, { - "id": "control-1092", - "title": "Sending fax messages", + "id": "control-1582", + "title": "Application control", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1582-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." } ] }, { - "id": "control-0241", - "title": "Sending fax messages", + "id": "control-1471", + "title": "Application control", "parts": [ { - "id": "control-0241-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-1075", - "title": "Receiving fax messages", + "id": "control-1392", + "title": "Application control", "parts": [ { - "id": "control-1075-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." 
} ] }, { - "id": "control-0590", - "title": "Connecting multifunction devices to networks", + "id": "control-1544", + "title": "Application control", "parts": [ { - "id": "control-0590-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." } ] }, { - "id": "control-0245", - "title": "Connecting multifunction devices to both networks and digital telephone systems", + "id": "control-0846", + "title": "Application control", "parts": [ { - "id": "control-0245-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." } ] }, { - "id": "control-0589", - "title": "Copying documents on multifunction devices", + "id": "control-0957", + "title": "Application control", "parts": [ { - "id": "control-0589-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." 
} ] }, { - "id": "control-1036", - "title": "Observing fax machine and multifunction device use", + "id": "control-1414", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems", - "title": "Guidelines for Database Systems", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Protecting database server contents", + "id": "control-1492", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "If supported, Microsoft's exploit protection functionality is implemented on workstations and servers." } ] }, { - "id": "control-1269", - "title": "Functional separation between database servers and web servers", + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1269-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "A HIPS is implemented on workstations." 
} ] }, { - "id": "control-1277", - "title": "Communications between database servers and web servers", + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." } ] }, { - "id": "control-1270", - "title": "Network environment", + "id": "control-1416", + "title": "Software firewall", "parts": [ { - "id": "control-1270-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." } ] }, { - "id": "control-1271", - "title": "Network environment", + "id": "control-1417", + "title": "Antivirus software", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." 
} ] }, { - "id": "control-1272", - "title": "Network environment", + "id": "control-1390", + "title": "Antivirus software", "parts": [ { - "id": "control-1272-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." + "prose": "Antivirus software has reputation rating functionality enabled." } ] }, { - "id": "control-1273", - "title": "Separation of production, test and development database servers", + "id": "control-1418", + "title": "Endpoint device control software", "parts": [ { - "id": "control-1273-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." + "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." } ] } ] }, { - "id": "database_management_system_software", - "title": "Database management system software", + "id": "authentication_hardening", + "title": "Authentication hardening", "controls": [ { - "id": "control-1245", - "title": "Temporary installation files and logs", + "id": "control-1546", + "title": "Authenticating to systems", "parts": [ { - "id": "control-1245-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Users are authenticated before they are granted access to a system and its resources." } ] }, { - "id": "control-1246", - "title": "Hardening and configuration", + "id": "control-0974", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1246-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." 
+ "prose": "Multi-factor authentication is used to authenticate standard users." } ] }, { - "id": "control-1247", - "title": "Hardening and configuration", + "id": "control-1173", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1247-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." } ] }, { - "id": "control-1249", - "title": "Restricting privileges", + "id": "control-1384", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." } ] }, { - "id": "control-1250", - "title": "Restricting privileges", + "id": "control-1504", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1250-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] }, { - "id": "control-1251", - "title": "Restricting privileges", + "id": "control-1505", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." 
} ] }, { - "id": "control-1260", - "title": "Database administrator accounts", + "id": "control-1401", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1260-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." } ] }, { - "id": "control-1262", - "title": "Database administrator accounts", + "id": "control-1559", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1262-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] }, { - "id": "control-1261", - "title": "Database administrator accounts", + "id": "control-1560", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1261-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." } ] }, { - "id": "control-1263", - "title": "Database administrator accounts", + "id": "control-1561", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1263-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." 
} ] }, { - "id": "control-1264", - "title": "Database administrator accounts", + "id": "control-1357", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." } ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Database register", + "id": "control-0417", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1243-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-1256", - "title": "Protecting database contents", + "id": "control-0421", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1256-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." } ] }, { - "id": "control-1252", - "title": "Protecting authentication credentials in databases", + "id": "control-1557", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1252-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." 
+ "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] }, { - "id": "control-0393", - "title": "Protecting database contents", + "id": "control-0422", + "title": "Single-factor authentication", "parts": [ { - "id": "control-0393-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." + "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." } ] }, { - "id": "control-1255", - "title": "Protecting database contents", + "id": "control-1558", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1255-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." } ] }, { - "id": "control-1268", - "title": "Protecting database contents", + "id": "control-1596", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1268-stmt", + "id": "control-1596-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." + "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." 
} ] }, { - "id": "control-1258", - "title": "Aggregation of database contents", + "id": "control-1227", + "title": "Setting and resetting credentials", "parts": [ { - "id": "control-1258-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." } ] }, { - "id": "control-1274", - "title": "Separation of production, test and development databases", + "id": "control-1593", + "title": "Setting and resetting credentials", "parts": [ { - "id": "control-1274-stmt", + "id": "control-1593-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." } ] }, { - "id": "control-1275", - "title": "Web application interaction with databases", + "id": "control-1594", + "title": "Setting and resetting credentials", "parts": [ { - "id": "control-1275-stmt", + "id": "control-1594-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." + "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." 
} ] }, { - "id": "control-1276", - "title": "Web application interaction with databases", + "id": "control-1595", + "title": "Setting and resetting credentials", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1595-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." + "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." } ] }, { - "id": "control-1278", - "title": "Web application interaction with databases", + "id": "control-1403", + "title": "Account lockouts", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email", - "title": "Guidelines for Email", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage policy", + "id": "control-0431", + "title": "Account lockouts", "parts": [ { - "id": "control-0264-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "Repeated account lockouts are investigated before reauthorising access." } ] }, { - "id": "control-0267", - "title": "Webmail services", + "id": "control-0976", + "title": "Account unlocks", "parts": [ { - "id": "control-0267-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." 
} ] }, { - "id": "control-0270", - "title": "Protective markings for emails", + "id": "control-1603", + "title": "Unsecure authentication methods", "parts": [ { - "id": "control-0270-stmt", + "id": "control-1603-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Authentication methods susceptible to replay attacks are disabled." } ] }, { - "id": "control-0271", - "title": "Protective marking tools", + "id": "control-1055", + "title": "Unsecure authentication methods", "parts": [ { - "id": "control-0271-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "LAN Manager is disabled for password/passphrase authentication." } ] }, { - "id": "control-0272", - "title": "Protective marking tools", + "id": "control-0418", + "title": "Protecting credentials", "parts": [ { - "id": "control-0272-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Credentials are stored separately from systems to which they grant access." } ] }, { - "id": "control-1089", - "title": "Protective marking tools", + "id": "control-1597", + "title": "Protecting credentials", "parts": [ { - "id": "control-1089-stmt", + "id": "control-1597-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Credentials are obscured as they are entered into systems." 
} ] }, { - "id": "control-0565", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1402", + "title": "Protecting credentials", "parts": [ { - "id": "control-0565-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." + "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." } ] }, { - "id": "control-1023", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1590", + "title": "Protecting credentials", "parts": [ { - "id": "control-1023-stmt", + "id": "control-1590-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." } ] }, { - "id": "control-0269", - "title": "Email distribution lists", + "id": "control-0853", + "title": "Session termination", "parts": [ { - "id": "control-0269-stmt", + "id": "control-0853-stmt", "name": "statement", - "prose": "Emails containing AUSTEO or AGAO information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." 
} ] }, { - "id": "control-1539", - "title": "Email distribution lists", + "id": "control-0428", + "title": "Session and screen locking", "parts": [ { - "id": "control-1539-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." } ] - } - ] - }, - { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", - "controls": [ + }, { - "id": "control-0569", - "title": "Centralised email gateways", + "id": "control-0408", + "title": "Logon banner", "parts": [ { - "id": "control-0569-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-0571", - "title": "Centralised email gateways", + "id": "control-0979", + "title": "Logon banner", "parts": [ { - "id": "control-0571-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "Legal advice is sought on the exact wording of logon banners." 
} ] - }, + } + ] + }, + { + "id": "virtualisation_hardening", + "title": "Virtualisation hardening", + "controls": [ { - "id": "control-0570", - "title": "Email gateway maintenance activities", + "id": "control-1460", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0570-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." } ] }, { - "id": "control-0567", - "title": "Open relay email servers", + "id": "control-1604", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0567-stmt", + "id": "control-1604-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." } ] }, { - "id": "control-0572", - "title": "Email server transport encryption", + "id": "control-1605", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0572-stmt", + "id": "control-1605-stmt", "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." } ] }, { - "id": "control-1589", - "title": "Email server transport encryption", + "id": "control-1606", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1589-stmt", + "id": "control-1606-stmt", "name": "statement", - "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-0574", - "title": "Sender Policy Framework", + "id": "control-1607", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0574-stmt", + "id": "control-1607-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1183", - "title": "Sender Policy Framework", + "id": "control-1462", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1183-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." 
} ] }, { - "id": "control-1151", - "title": "Sender Policy Framework", + "id": "control-1461", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1151-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", + "groups": [ + { + "id": "application_development", + "title": "Application development", + "controls": [ { - "id": "control-1152", - "title": "Sender Policy Framework", + "id": "control-0400", + "title": "Development environments", "parts": [ { - "id": "control-1152-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." + "prose": "Development, testing and production environments are segregated." } ] }, { - "id": "control-0861", - "title": "DomainKeys Identified Mail", + "id": "control-1419", + "title": "Development environments", "parts": [ { - "id": "control-0861-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-1026", - "title": "DomainKeys Identified Mail", + "id": "control-1420", + "title": "Development environments", "parts": [ { - "id": "control-1026-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." 
+ "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-1027", - "title": "DomainKeys Identified Mail", + "id": "control-1422", + "title": "Development environments", "parts": [ { - "id": "control-1027-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-1540", - "title": "Domain-based Message Authentication, Reporting and Conformance", + "id": "control-1238", + "title": "Secure software design", "parts": [ { - "id": "control-1540-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, { - "id": "control-1234", - "title": "Email content filtering", + "id": "control-0401", + "title": "Secure programming practices", "parts": [ { - "id": "control-1234-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." 
} ] }, { - "id": "control-1502", - "title": "Blocking suspicious emails", + "id": "control-0402", + "title": "Software testing", "parts": [ { - "id": "control-1502-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] }, { - "id": "control-1024", - "title": "Undeliverable messages", + "id": "control-1616", + "title": "Vulnerability disclosure program", "parts": [ { - "id": "control-1024-stmt", + "id": "control-1616-stmt", "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." + "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." } ] } ] - } - ] - }, - { - "id": "guidelines_for_cryptography", - "title": "Guidelines for Cryptography", - "groups": [ + }, { - "id": "transport_layer_security", - "title": "Transport Layer Security", + "id": "web_application_development", + "title": "Web application development", "controls": [ { - "id": "control-1139", - "title": "Using Transport Layer Security", + "id": "control-1239", + "title": "Web application frameworks", "parts": [ { - "id": "control-1139-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "Only the latest version of TLS is used." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." 
} ] }, { - "id": "control-1369", - "title": "Using Transport Layer Security", + "id": "control-1552", + "title": "Web application interactions", "parts": [ { - "id": "control-1369-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." + "prose": "All web application content is offered exclusively using HTTPS." } ] }, { - "id": "control-1370", - "title": "Using Transport Layer Security", + "id": "control-1240", + "title": "Web application input handling", "parts": [ { - "id": "control-1370-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-1372", - "title": "Using Transport Layer Security", + "id": "control-1241", + "title": "Web application output encoding", "parts": [ { - "id": "control-1372-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "Output encoding is performed on all output produced by a web application." } ] }, { - "id": "control-1448", - "title": "Using Transport Layer Security", + "id": "control-1424", + "title": "Web browser-based security controls", "parts": [ { - "id": "control-1448-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-1373", - "title": "Using Transport Layer Security", + "id": "control-0971", + "title": "Open Web Application Security Project", "parts": [ { - "id": "control-1373-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "Anonymous DH is not used." 
+ "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ + { + "id": "control-0123", + "title": "Reporting cyber security incidents", + "parts": [ + { + "id": "control-0123-stmt", + "name": "statement", + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1374", - "title": "Using Transport Layer Security", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1374-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1375", - "title": "Using Transport Layer Security", + "id": "control-1433", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1375-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." } ] }, { - "id": "control-1553", - "title": "Using Transport Layer Security", + "id": "control-1434", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1553-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "TLS compression is disabled." 
+ "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." } ] }, { - "id": "control-1453", - "title": "Perfect Forward Secrecy", + "id": "control-0140", + "title": "Reporting cyber security incidents to the ACSC", "parts": [ { - "id": "control-1453-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "Cyber security incidents are reported to the ACSC." } ] } ] }, { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", "controls": [ { - "id": "control-0471", - "title": "Using ASD Approved Cryptographic Algorithms", + "id": "control-0125", + "title": "Cyber security incident register", "parts": [ { - "id": "control-0471-stmt", + "id": "control-0125-stmt", "name": "statement", - "prose": "Only AACAs are used by cryptographic equipment and software." + "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." } ] }, { - "id": "control-0994", - "title": "Approved asymmetric/public key algorithms", + "id": "control-0133", + "title": "Handling and containing data spills", "parts": [ { - "id": "control-0994-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." 
} ] }, { - "id": "control-0472", - "title": "Using Diffie-Hellman", + "id": "control-0917", + "title": "Handling and containing malicious code infections", "parts": [ { - "id": "control-0472-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." } ] }, { - "id": "control-0473", - "title": "Using the Digital Signature Algorithm", + "id": "control-0137", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-0473-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-1446", - "title": "Using Elliptic Curve Cryptography", + "id": "control-1609", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-1446-stmt", + "id": "control-1609-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." 
} ] }, { - "id": "control-0474", - "title": "Using Elliptic Curve Diffie-Hellman", + "id": "control-1213", + "title": "Post-incident analysis", "parts": [ { - "id": "control-0474-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." } ] }, { - "id": "control-0475", - "title": "Using the Elliptic Curve Digital Signature Algorithm", + "id": "control-0138", + "title": "Integrity of evidence", "parts": [ { - "id": "control-0475-stmt", + "id": "control-0138-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." } ] - }, + } + ] + }, + { + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", + "controls": [ { - "id": "control-0476", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0576", + "title": "Intrusion detection and prevention policy", "parts": [ { - "id": "control-0476-stmt", + "id": "control-0576-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "An intrusion detection and prevention policy is developed and implemented." 
} ] }, { - "id": "control-0477", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0120", + "title": "Access to sufficient data sources and tools", "parts": [ { - "id": "control-0477-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_networking", + "title": "Guidelines for Networking", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ { - "id": "control-1054", - "title": "Approved hashing algorithms", + "id": "control-1437", + "title": "Cloud-based hosting of online services", "parts": [ { - "id": "control-1054-stmt", + "id": "control-1437-stmt", "name": "statement", - "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." + "prose": "A cloud service provider is used for hosting online services." } ] }, { - "id": "control-0479", - "title": "Approved symmetric encryption algorithms", + "id": "control-1578", + "title": "Location policies for online services", "parts": [ { - "id": "control-0479-stmt", + "id": "control-1578-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." 
} ] }, { - "id": "control-0480", - "title": "Using the Triple Data Encryption Standard", + "id": "control-1579", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0480-stmt", + "id": "control-1579-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." } ] }, { - "id": "control-1232", - "title": "Protecting highly classified information", + "id": "control-1580", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1580-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." } ] }, { - "id": "control-1468", - "title": "Protecting highly classified information", + "id": "control-1441", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1468-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." + "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." } ] - } - ] - }, - { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", - "controls": [ + }, { - "id": "control-0501", - "title": "Commercial grade cryptographic equipment", + "id": "control-1581", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0501-stmt", + "id": "control-1581-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." 
+ "prose": "Organisations perform continuous real-time monitoring of the availability of online services." } ] }, { - "id": "control-0142", - "title": "Commercial grade cryptographic equipment", + "id": "control-1438", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." } ] }, { - "id": "control-1091", - "title": "Commercial grade cryptographic equipment", + "id": "control-1439", + "title": "Using content delivery networks", "parts": [ { - "id": "control-1091-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." } ] }, { - "id": "control-0499", - "title": "High Assurance Cryptographic Equipment", + "id": "control-1431", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0499-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." 
+ "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." } ] }, { - "id": "control-0505", - "title": "Storing cryptographic equipment", + "id": "control-1458", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0505-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." } ] }, { - "id": "control-0506", - "title": "Storing cryptographic equipment", + "id": "control-1432", + "title": "Domain name registrar locking", "parts": [ { - "id": "control-0506-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." 
} ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Configuring Secure Shell", + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", "parts": [ { - "id": "control-1506-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] }, { - "id": "control-0484", - "title": "Configuring Secure Shell", + "id": "control-1436", + "title": "Segregation of critical online services", "parts": [ { - "id": "control-0484-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." } ] }, { - "id": "control-0485", - "title": "Authentication mechanisms", + "id": "control-1518", + "title": "Preparing for service continuity", "parts": [ { - "id": "control-0485-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." } ] - }, + } + ] + }, + { + "id": "wireless_networks", + "title": "Wireless networks", + "controls": [ { - "id": "control-1449", - "title": "Authentication mechanisms", + "id": "control-1314", + "title": "Choosing wireless access points", "parts": [ { - "id": "control-1449-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." 
+ "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-0487", - "title": "Automated remote access", + "id": "control-0536", + "title": "Wireless networks for public access", "parts": [ { - "id": "control-0487-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." } ] }, { - "id": "control-0488", - "title": "Automated remote access", + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", "parts": [ { - "id": "control-0488-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." } ] }, { - "id": "control-0489", - "title": "SSH-agent", + "id": "control-1316", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0489-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "The default SSID of wireless access points is changed." 
} ] - } - ] - }, - { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", - "controls": [ + }, { - "id": "control-0481", - "title": "Using ASD Approved Cryptographic Protocols", + "id": "control-1317", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0481-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "Only AACPs are used by cryptographic equipment and software." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." } ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Using Secure/Multipurpose Internet Mail Extension", + "id": "control-1318", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0490-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "SSID broadcasting is enabled on wireless networks." } ] - } - ] - }, - { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", - "controls": [ + }, { - "id": "control-1161", - "title": "Reducing physical storage and handling requirements", + "id": "control-1319", + "title": "Static addressing", "parts": [ { - "id": "control-1161-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." 
} ] }, { - "id": "control-0457", - "title": "Reducing physical storage and handling requirements", + "id": "control-1320", + "title": "Media Access Control address filtering", "parts": [ { - "id": "control-0457-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." } ] }, { - "id": "control-0460", - "title": "Reducing physical storage and handling requirements", + "id": "control-1321", + "title": "802.1X authentication", "parts": [ { - "id": "control-0460-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] }, { - "id": "control-0459", - "title": "Encrypting information at rest", + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", "parts": [ { - "id": "control-0459-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." 
} ] }, { - "id": "control-0461", - "title": "Encrypting information at rest", + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." } ] }, { - "id": "control-1080", - "title": "Encrypting particularly important information at rest", + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1080-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." + "prose": "Both device and user certificates are required for accessing wireless networks." } ] }, { - "id": "control-0455", - "title": "Data recovery", + "id": "control-1325", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0455-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." 
} ] }, { - "id": "control-0462", - "title": "Handling encrypted ICT equipment and media", + "id": "control-1326", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0462-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." } ] }, { - "id": "control-1162", - "title": "Encrypting information in transit", + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1162-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." } ] }, { - "id": "control-0465", - "title": "Encrypting information in transit", + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", "parts": [ { - "id": "control-0465-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." 
} ] }, { - "id": "control-0467", - "title": "Encrypting information in transit", + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", "parts": [ { - "id": "control-0467-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] }, { - "id": "control-0469", - "title": "Encrypting particularly important information in transit", + "id": "control-1332", + "title": "Encryption of wireless network traffic", "parts": [ { - "id": "control-0469-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." } ] - } - ] - }, - { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", - "controls": [ + }, { - "id": "control-0494", - "title": "Mode of operation", + "id": "control-1334", + "title": "Interference between wireless networks", "parts": [ { - "id": "control-0494-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." 
} ] }, { - "id": "control-0496", - "title": "Protocol selection", + "id": "control-1335", + "title": "Protecting management frames on wireless networks", "parts": [ { - "id": "control-0496-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." } ] }, { - "id": "control-1233", - "title": "Key exchange", + "id": "control-1338", + "title": "Wireless network footprint", "parts": [ { - "id": "control-1233-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." } ] }, { - "id": "control-0497", - "title": "Internet Security Association Key Management Protocol modes", + "id": "control-1013", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0497-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." } ] - }, + } + ] + }, + { + "id": "network_design_and_configuration", + "title": "Network design and configuration", + "controls": [ { - "id": "control-0498", - "title": "Security association lifetimes", + "id": "control-0516", + "title": "Network documentation", "parts": [ { - "id": "control-0498-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." 
+ "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." } ] }, { - "id": "control-0998", - "title": "Hashed Message Authentication Code algorithms", + "id": "control-0518", + "title": "Network documentation", "parts": [ { - "id": "control-0998-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-0999", - "title": "Diffie-Hellman groups", + "id": "control-1178", + "title": "Network documentation", "parts": [ { - "id": "control-0999-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." } ] }, { - "id": "control-1000", - "title": "Perfect Forward Secrecy", + "id": "control-1181", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-1000-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." 
} ] }, { - "id": "control-1001", - "title": "Internet Key Exchange Extended Authentication", + "id": "control-1577", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-1001-stmt", + "id": "control-1577-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "Organisation networks are segregated from service provider networks." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ - { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ + }, { - "id": "control-0041", - "title": "System security plan", + "id": "control-1532", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0041-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." 
} ] }, { - "id": "control-0043", - "title": "Incident response plan", + "id": "control-0529", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0043-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." 
} ] }, { - "id": "control-1163", - "title": "Continuous monitoring plan", + "id": "control-1364", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1163-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." + "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." } ] }, { - "id": "control-1563", - "title": "Security assessment report", + "id": "control-0535", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1563-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-1564", - "title": "Plan of action and milestones", + "id": "control-0530", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1564-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." 
- } - ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ - { - "id": "control-0039", - "title": "Cyber security strategy", - "parts": [ - { - "id": "control-0039-stmt", - "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." + "prose": "Network devices implementing VLANs are managed from the most trusted network." } ] }, { - "id": "control-0047", - "title": "Approval of security documentation", + "id": "control-0521", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0047-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-0888", - "title": "Maintenance of security documentation", + "id": "control-1186", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0888-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." } ] }, { - "id": "control-1602", - "title": "Communication of security documentation", + "id": "control-1428", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1602-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." 
+ "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", - "controls": [ + }, { - "id": "control-0252", - "title": "Providing cyber security awareness training", + "id": "control-1429", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0252-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." } ] }, { - "id": "control-1565", - "title": "Providing cyber security awareness training", + "id": "control-1430", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1565-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Tailored privileged user training is undertaken annually by all privileged users." + "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." 
} ] }, { - "id": "control-0817", - "title": "Reporting suspicious contact via online services", + "id": "control-0520", + "title": "Network access controls", "parts": [ { - "id": "control-0817-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] }, { - "id": "control-0820", - "title": "Posting work information to online services", + "id": "control-1182", + "title": "Network access controls", "parts": [ { - "id": "control-0820-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] }, { - "id": "control-1146", - "title": "Posting work information to online services", + "id": "control-1301", + "title": "Network device register", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." + "prose": "A network device register is maintained and regularly audited." } ] }, { - "id": "control-0821", - "title": "Posting personal information to online services", + "id": "control-1304", + "title": "Default accounts for network devices", "parts": [ { - "id": "control-0821-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." 
+ "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-0824", - "title": "Sending and receiving files via online services", + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", "parts": [ { - "id": "control-0824-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "Unused physical ports on network devices are disabled." } ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "System access requirements", + "id": "control-0385", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0432-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-0434", - "title": "System access requirements", + "id": "control-1479", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0434-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "Servers minimise communications with other servers at both the network and file system level." 
} ] }, { - "id": "control-0435", - "title": "System access requirements", + "id": "control-1006", + "title": "Management traffic", "parts": [ { - "id": "control-0435-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." } ] }, { - "id": "control-0414", - "title": "User identification", + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-0414-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "SNMP version 1 and 2 are not used on networks." } ] }, { - "id": "control-0415", - "title": "User identification", + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-0415-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." } ] }, { - "id": "control-1583", - "title": "User identification", + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1583-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "Personnel who are contractors are identified as such." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." 
} ] }, { - "id": "control-0975", - "title": "User identification", + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0975-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." } ] }, { - "id": "control-0420", - "title": "User identification", + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0420-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ + { + "id": "system_owners", + "title": "System owners", + "controls": [ { - "id": "control-1538", - "title": "User identification", + "id": "control-1071", + "title": "System ownership", "parts": [ { - "id": "control-1538-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Each system has a designated system owner." 
} ] }, { - "id": "control-0405", - "title": "Standard access to systems", + "id": "control-1525", + "title": "Responsibilities", "parts": [ { - "id": "control-0405-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "System owners register each system with the system’s authorising officer." } ] }, { - "id": "control-1503", - "title": "Standard access to systems", + "id": "control-0027", + "title": "Responsibilities", "parts": [ { - "id": "control-1503-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." } ] }, { - "id": "control-1566", - "title": "Standard access to systems", + "id": "control-1526", + "title": "Responsibilities", "parts": [ { - "id": "control-1566-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." + "prose": "System owners monitor security risks and the effectiveness of security controls for each system." } ] }, { - "id": "control-0409", - "title": "Standard access to systems by foreign nationals", + "id": "control-1587", + "title": "Responsibilities", "parts": [ { - "id": "control-0409-stmt", + "id": "control-1587-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." 
+ "prose": "System owners report the security status of each system to its authorising officer at least annually." } ] - }, + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ { - "id": "control-0411", - "title": "Standard access to systems by foreign nationals", + "id": "control-0714", + "title": "Cyber security leadership", "parts": [ { - "id": "control-0411-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "A CISO is appointed to provide cyber security leadership for their organisation." } ] }, { - "id": "control-0816", - "title": "Standard access to systems by foreign nationals", + "id": "control-1478", + "title": "Responsibilities", "parts": [ { - "id": "control-0816-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." + "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_data_transfers", + "title": "Guidelines for Data Transfers", + "groups": [ + { + "id": "data_transfers", + "title": "Data transfers", + "controls": [ { - "id": "control-1507", - "title": "Privileged access to systems", + "id": "control-0663", + "title": "Data transfer process and procedures", "parts": [ { - "id": "control-1507-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-1508", - "title": "Privileged access to systems", + "id": "control-0661", + "title": "User responsibilities", "parts": [ { - "id": "control-1508-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." } ] }, { - "id": "control-0445", - "title": "Privileged access to systems", + "id": "control-0665", + "title": "Trusted sources", "parts": [ { - "id": "control-0445-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." 
} ] }, { - "id": "control-1509", - "title": "Privileged access to systems", + "id": "control-0664", + "title": "Data transfer approval", "parts": [ { - "id": "control-1509-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." } ] }, { - "id": "control-1175", - "title": "Privileged access to systems", + "id": "control-0675", + "title": "Data transfer approval", "parts": [ { - "id": "control-1175-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + "prose": "A trusted source signs all data authorised for export from a system." } ] }, { - "id": "control-0448", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0657", + "title": "Import of data", "parts": [ { - "id": "control-0448-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." + "prose": "Data imported to a system is scanned for malicious and active content." } ] }, { - "id": "control-0446", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0658", + "title": "Import of data", "parts": [ { - "id": "control-0446-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." 
+ "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." } ] }, { - "id": "control-0447", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1187", + "title": "Export of data", "parts": [ { - "id": "control-0447-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "When exporting data, protective marking checks are undertaken." } ] }, { - "id": "control-1545", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0669", + "title": "Export of data", "parts": [ { - "id": "control-1545-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." + "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." } ] }, { - "id": "control-0430", - "title": "Suspension of access to systems", + "id": "control-1535", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-0430-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." 
} ] }, { - "id": "control-1591", - "title": "Suspension of access to systems", + "id": "control-0678", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1591-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." + "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." } ] }, { - "id": "control-1404", - "title": "Suspension of access to systems", + "id": "control-1586", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1404-stmt", + "id": "control-1586-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "Data transfer logs are used to record all data imports and exports from systems." } ] }, { - "id": "control-0407", - "title": "Recording authorisation for personnel to access systems", + "id": "control-1294", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0407-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." + "prose": "Data transfer logs are partially audited at least monthly." 
} ] }, { - "id": "control-0441", - "title": "Temporary access to systems", + "id": "control-0660", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0441-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "Data transfer logs are fully audited at least monthly." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_ict_equipment", + "title": "Guidelines for ICT Equipment", + "groups": [ + { + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", + "controls": [ { - "id": "control-0443", - "title": "Temporary access to systems", + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0443-stmt", + "id": "control-0313-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-1610", - "title": "Emergency access to systems", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1610-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." 
} ] }, { - "id": "control-1611", - "title": "Emergency access to systems", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1611-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "Break glass accounts are only used when normal authentication processes cannot be used." + "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." } ] }, { - "id": "control-1612", - "title": "Emergency access to systems", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1612-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "Break glass accounts are only used for specific authorised activities." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." } ] }, { - "id": "control-1613", - "title": "Emergency access to systems", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1613-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." 
} ] }, { - "id": "control-1614", - "title": "Emergency access to systems", + "id": "control-0315", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1614-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." + "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-1615", - "title": "Emergency access to systems", + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1615-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "Break glass accounts are tested after credentials are changed." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." } ] }, { - "id": "control-0078", - "title": "Control of Australian systems", + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-0078-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." 
} ] }, { - "id": "control-0854", - "title": "Control of Australian systems", + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0854-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", - "groups": [ - { - "id": "authentication_hardening", - "title": "Authentication hardening", - "controls": [ + }, { - "id": "control-1546", - "title": "Authenticating to systems", + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1546-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." } ] }, { - "id": "control-0974", - "title": "Multi-factor authentication", + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0974-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." 
} ] }, { - "id": "control-1173", - "title": "Multi-factor authentication", + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1173-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-1384", - "title": "Multi-factor authentication", + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1384-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." + "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." } ] }, { - "id": "control-1504", - "title": "Multi-factor authentication", + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1504-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." } ] }, { - "id": "control-1505", - "title": "Multi-factor authentication", + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-1505-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." 
+ "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-1401", - "title": "Multi-factor authentication", + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-1401-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." } ] }, { - "id": "control-1559", - "title": "Multi-factor authentication", + "id": "control-1223", + "title": "Sanitising network devices", "parts": [ { - "id": "control-1559-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." } ] }, { - "id": "control-1560", - "title": "Multi-factor authentication", + "id": "control-1225", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1560-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." 
} ] }, { - "id": "control-1561", - "title": "Multi-factor authentication", + "id": "control-1226", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1561-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-1357", - "title": "Multi-factor authentication", + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", "parts": [ { - "id": "control-1357-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." } ] }, { - "id": "control-0417", - "title": "Single-factor authentication", + "id": "control-0305", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0417-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." } ] }, { - "id": "control-0421", - "title": "Single-factor authentication", + "id": "control-0307", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0421-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." 
+ "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-1557", - "title": "Single-factor authentication", + "id": "control-0306", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." } ] }, { - "id": "control-0422", - "title": "Single-factor authentication", + "id": "control-0310", + "title": "Off-site maintenance and repairs", "parts": [ { - "id": "control-0422-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." 
} ] }, { - "id": "control-1558", - "title": "Single-factor authentication", + "id": "control-0944", + "title": "Maintenance and repair of ICT equipment from secured spaces", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." } ] }, { - "id": "control-1596", - "title": "Single-factor authentication", + "id": "control-1598", + "title": "Inspection of ICT equipment following maintenance and repairs", "parts": [ { - "id": "control-1596-stmt", + "id": "control-1598-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." + "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." } ] - }, + } + ] + }, + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ { - "id": "control-1227", - "title": "Setting and resetting credentials", + "id": "control-1551", + "title": "ICT equipment management policy", "parts": [ { - "id": "control-1227-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." + "prose": "An ICT equipment management policy is developed and implemented." 
} ] }, { - "id": "control-1593", - "title": "Setting and resetting credentials", + "id": "control-0293", + "title": "Classifying ICT equipment", "parts": [ { - "id": "control-1593-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." } ] }, { - "id": "control-1594", - "title": "Setting and resetting credentials", + "id": "control-0294", + "title": "Labelling ICT equipment", "parts": [ { - "id": "control-1594-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-1595", - "title": "Setting and resetting credentials", + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", "parts": [ { - "id": "control-1595-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] }, { - "id": "control-1403", - "title": "Account lockouts", + "id": "control-1599", + "title": "Handling ICT equipment", "parts": [ { - "id": "control-1403-stmt", + "id": "control-1599-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." 
+ "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-0431", - "title": "Account lockouts", + "id": "control-0039", + "title": "Cyber security strategy", "parts": [ { - "id": "control-0431-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-0976", - "title": "Account unlocks", + "id": "control-0047", + "title": "Approval of security documentation", "parts": [ { - "id": "control-0976-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." } ] }, { - "id": "control-1603", - "title": "Unsecure authentication methods", + "id": "control-0888", + "title": "Maintenance of security documentation", "parts": [ { - "id": "control-1603-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "Authentication methods susceptible to replay attacks are disabled." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." 
} ] }, { - "id": "control-1055", - "title": "Unsecure authentication methods", + "id": "control-1602", + "title": "Communication of security documentation", "parts": [ { - "id": "control-1055-stmt", + "id": "control-1602-stmt", "name": "statement", - "prose": "LAN Manager is disabled for password/passphrase authentication." + "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." } ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-0418", - "title": "Protecting credentials", + "id": "control-0041", + "title": "System security plan", "parts": [ { - "id": "control-0418-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." + "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-1597", - "title": "Protecting credentials", + "id": "control-0043", + "title": "Incident response plan", "parts": [ { - "id": "control-1597-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "Credentials are obscured as they are entered into systems." 
+ "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." } ] }, { - "id": "control-1402", - "title": "Protecting credentials", + "id": "control-1163", + "title": "Continuous monitoring plan", "parts": [ { - "id": "control-1402-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." + "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." 
} ] }, { - "id": "control-1590", - "title": "Protecting credentials", + "id": "control-1563", + "title": "Security assessment report", "parts": [ { - "id": "control-1590-stmt", + "id": "control-1563-stmt", "name": "statement", - "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." } ] }, { - "id": "control-0853", - "title": "Session termination", + "id": "control-1564", + "title": "Plan of action and milestones", "parts": [ { - "id": "control-0853-stmt", + "id": "control-1564-stmt", "name": "statement", - "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." + "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media", + "title": "Guidelines for Media", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-0428", - "title": "Session and screen locking", + "id": "control-0363", + "title": "Media destruction process and procedures", "parts": [ { - "id": "control-0428-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-0408", - "title": "Logon banner", + "id": "control-0350", + "title": "Media that cannot be sanitised", "parts": [ { - "id": "control-0408-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." } ] }, { - "id": "control-0979", - "title": "Logon banner", + "id": "control-1361", + "title": "Media destruction equipment", "parts": [ { - "id": "control-0979-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." 
+ "prose": "SCEC or ASIO approved equipment is used when destroying media." } ] - } - ] - }, - { - "id": "operating_system_hardening", - "title": "Operating system hardening", - "controls": [ + }, { - "id": "control-1406", - "title": "Standard Operating Environments", + "id": "control-1160", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1406-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "SOEs are used for workstations and servers." + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." } ] }, { - "id": "control-1608", - "title": "Standard Operating Environments", + "id": "control-1517", + "title": "Media destruction methods", "parts": [ { - "id": "control-1608-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." + "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." } ] }, { - "id": "control-1588", - "title": "Standard Operating Environments", + "id": "control-0366", + "title": "Media destruction methods", "parts": [ { - "id": "control-1588-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "SOEs are reviewed and updated at least annually." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." } ] }, { - "id": "control-1407", - "title": "Operating system versions", + "id": "control-0368", + "title": "Treatment of media waste particles", "parts": [ { - "id": "control-1407-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." 
+ "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." } ] }, { - "id": "control-1408", - "title": "Operating system versions", + "id": "control-0361", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1408-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." } ] }, { - "id": "control-1409", - "title": "Operating system configuration", + "id": "control-0838", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1409-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." } ] }, { - "id": "control-0383", - "title": "Operating system configuration", + "id": "control-0362", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-0383-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." } ] }, { - "id": "control-0380", - "title": "Operating system configuration", + "id": "control-0370", + "title": "Supervision of destruction", "parts": [ { - "id": "control-0380-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." 
+ "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1584", - "title": "Operating system configuration", + "id": "control-0371", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1584-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." } ] }, { - "id": "control-1491", - "title": "Operating system configuration", + "id": "control-0372", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1491-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1410", - "title": "Local administrator accounts", + "id": "control-0373", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1410-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." 
+ "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." } ] }, { - "id": "control-1469", - "title": "Local administrator accounts", + "id": "control-0840", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1469-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." } ] }, { - "id": "control-1592", - "title": "Application management", + "id": "control-0839", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1592-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "Users do not have the ability to install unapproved software." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." } ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-0382", - "title": "Application management", + "id": "control-0374", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-0382-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "Users do not have the ability to uninstall or disable approved software." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." 
} ] }, { - "id": "control-0843", - "title": "Application control", + "id": "control-0375", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-0843-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1490", - "title": "Application control", + "id": "control-0378", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1490-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." } ] - }, + } + ] + }, + { + "id": "media_usage", + "title": "Media usage", + "controls": [ { - "id": "control-0955", - "title": "Application control", + "id": "control-1549", + "title": "Media management policy", "parts": [ { - "id": "control-0955-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "A media management policy is developed and implemented." 
} ] }, { - "id": "control-1582", - "title": "Application control", + "id": "control-1359", + "title": "Removable media usage policy", "parts": [ { - "id": "control-1582-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." + "prose": "A removable media usage policy is developed and implemented." } ] }, { - "id": "control-1471", - "title": "Application control", + "id": "control-0323", + "title": "Classifying media storing information", "parts": [ { - "id": "control-1471-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." } ] }, { - "id": "control-1392", - "title": "Application control", + "id": "control-0325", + "title": "Classifying media connected to systems", "parts": [ { - "id": "control-1392-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." 
} ] }, { - "id": "control-1544", - "title": "Application control", + "id": "control-0331", + "title": "Reclassifying media", "parts": [ { - "id": "control-1544-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." } ] }, { - "id": "control-0846", - "title": "Application control", + "id": "control-0330", + "title": "Reclassifying media", "parts": [ { - "id": "control-0846-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." + "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." } ] }, { - "id": "control-0957", - "title": "Application control", + "id": "control-0332", + "title": "Labelling media", "parts": [ { - "id": "control-0957-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
} ] }, { - "id": "control-1414", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-1600", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1414-stmt", + "id": "control-1600-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "Media is sanitised before it is used with systems for the first time." } ] }, { - "id": "control-1492", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", - "parts": [ + "id": "control-0337", + "title": "Connecting media to systems", + "parts": [ { - "id": "control-1492-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "If supported, Microsoft's exploit protection functionality is implemented on workstations and servers." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." } ] }, { - "id": "control-1341", - "title": "Host-based Intrusion Prevention System", + "id": "control-0341", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1341-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." } ] }, { - "id": "control-1034", - "title": "Host-based Intrusion Prevention System", + "id": "control-0342", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1034-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." 
+ "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-1416", - "title": "Software firewall", + "id": "control-0343", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1416-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-1417", - "title": "Antivirus software", + "id": "control-0345", + "title": "External interface connections that allow Direct Memory Access", "parts": [ { - "id": "control-1417-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." + "prose": "External interface connections that allow DMA are disabled." } ] }, { - "id": "control-1390", - "title": "Antivirus software", + "id": "control-0831", + "title": "Handling media", "parts": [ { - "id": "control-1390-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
} ] }, { - "id": "control-1418", - "title": "Endpoint device control software", + "id": "control-1059", + "title": "Handling media", "parts": [ { - "id": "control-1418-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] - } - ] - }, - { - "id": "application_hardening", - "title": "Application hardening", - "controls": [ + }, { - "id": "control-0938", - "title": "Application selection", + "id": "control-0347", + "title": "Using media for data transfers", "parts": [ { - "id": "control-0938-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." } ] }, { - "id": "control-1467", - "title": "Application versions", + "id": "control-0947", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1467-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." + "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." 
} ] - }, + } + ] + }, + { + "id": "media_sanitisation", + "title": "Media sanitisation", + "controls": [ { - "id": "control-1483", - "title": "Application versions", + "id": "control-0348", + "title": "Media sanitisation process and procedures", "parts": [ { - "id": "control-1483-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-1412", - "title": "Hardening application configurations", + "id": "control-0351", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1412-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1484", - "title": "Hardening application configurations", + "id": "control-0352", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1484-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." 
} ] }, { - "id": "control-1485", - "title": "Hardening application configurations", + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-1486", - "title": "Hardening application configurations", + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1486-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-1541", - "title": "Hardening application configurations", + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1541-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." + "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1542", - "title": "Hardening application configurations", + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1542-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." } ] }, { - "id": "control-1470", - "title": "Hardening application configurations", + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", "parts": [ { - "id": "control-1470-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-1235", - "title": "Hardening application configurations", + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1235-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1601", - "title": "Hardening application configurations", + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1601-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." + "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1585", - "title": "Hardening application configurations", + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", "parts": [ { - "id": "control-1585-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-1487", - "title": "Microsoft Office macros", + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", "parts": [ { - "id": "control-1487-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1488", - "title": "Microsoft Office macros", + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", "parts": [ { - "id": "control-1488-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." } ] }, { - "id": "control-1489", - "title": "Microsoft Office macros", + "id": "control-1464", + "title": "Encrypted media sanitisation", "parts": [ { - "id": "control-1489-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." + "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_cryptography", + "title": "Guidelines for Cryptography", + "groups": [ { - "id": "virtualisation_hardening", - "title": "Virtualisation hardening", + "id": "secure_shell", + "title": "Secure Shell", "controls": [ { - "id": "control-1460", - "title": "Functional separation between computing environments", + "id": "control-1506", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-1460-stmt", + "id": "control-1506-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." + "prose": "The use of SSH version 1 is disabled." 
} ] }, { - "id": "control-1604", - "title": "Functional separation between computing environments", + "id": "control-0484", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-1604-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-1605", - "title": "Functional separation between computing environments", + "id": "control-0485", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1605-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." + "prose": "Public key-based authentication is used for SSH connections." } ] }, { - "id": "control-1606", - "title": "Functional separation between computing environments", + "id": "control-1449", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1606-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." + "prose": "SSH private keys are protected with a passphrase or a key encryption key." 
} ] }, { - "id": "control-1607", - "title": "Functional separation between computing environments", + "id": "control-0487", + "title": "Automated remote access", "parts": [ { - "id": "control-1607-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." } ] }, { - "id": "control-1462", - "title": "Functional separation between computing environments", + "id": "control-0488", + "title": "Automated remote access", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." } ] }, { - "id": "control-1461", - "title": "Functional separation between computing environments", + "id": "control-0489", + "title": "SSH-agent", "parts": [ { - "id": "control-1461-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." 
+ "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." } ] } ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ + }, { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", "controls": [ { - "id": "control-0580", - "title": "Event logging policy", + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0580-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "Only AACAs are used by cryptographic equipment and software." } ] }, { - "id": "control-1405", - "title": "Centralised logging facility", + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", "parts": [ { - "id": "control-1405-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." } ] }, { - "id": "control-0988", - "title": "Centralised logging facility", + "id": "control-0472", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-0988-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." 
} ] }, { - "id": "control-0584", - "title": "Events to be logged", + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-0584-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-0582", - "title": "Events to be logged", + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", "parts": [ { - "id": "control-0582-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." } ] }, { - "id": "control-1536", - "title": "Events to be logged", + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", "parts": [ { - "id": "control-1536-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." + "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." 
} ] }, { - "id": "control-1537", - "title": "Events to be logged", + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", "parts": [ { - "id": "control-1537-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." + "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] }, { - "id": "control-0585", - "title": "Events log details", + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0585-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-0586", - "title": "Event log protection", + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0586-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." 
+ "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." } ] }, { - "id": "control-0859", - "title": "Event log retention", + "id": "control-1054", + "title": "Approved hashing algorithms", "parts": [ { - "id": "control-0859-stmt", + "id": "control-1054-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." } ] }, { - "id": "control-0991", - "title": "Event log retention", + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", "parts": [ { - "id": "control-0991-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." } ] }, { - "id": "control-0109", - "title": "Event log auditing process and procedures", + "id": "control-0480", + "title": "Using the Triple Data Encryption Standard", "parts": [ { - "id": "control-0109-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "3DES is used with three distinct keys." 
} ] }, { - "id": "control-1228", - "title": "Event log auditing process and procedures", + "id": "control-1232", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-1228-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "AACAs are used in an evaluated implementation." + } + ] + }, + { + "id": "control-1468", + "title": "Protecting highly classified information", + "parts": [ + { + "id": "control-1468-stmt", + "name": "statement", + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." } ] } ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", - "groups": [ + }, { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", "controls": [ { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-0123-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "Versions of S/MIME earlier than 3.0 are not used." + } + ] + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ + { + "id": "control-1139", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1139-stmt", + "name": "statement", + "prose": "Only the latest version of TLS is used." 
} ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-1369", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0141-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-1433", - "title": "Reporting cyber security incidents", + "id": "control-1370", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1433-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." + "prose": "Only server-initiated secure renegotiation is used." } ] }, { - "id": "control-1434", - "title": "Reporting cyber security incidents", + "id": "control-1372", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1434-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "DH or ECDH is used for key establishment." } ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents to the ACSC", + "id": "control-1448", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0140-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." 
+ } + ] + }, + { + "id": "control-1373", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1373-stmt", + "name": "statement", + "prose": "Anonymous DH is not used." + } + ] + }, + { + "id": "control-1374", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1374-stmt", + "name": "statement", + "prose": "SHA-2-based certificates are used." + } + ] + }, + { + "id": "control-1375", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1375-stmt", + "name": "statement", + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + } + ] + }, + { + "id": "control-1553", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1553-stmt", + "name": "statement", + "prose": "TLS compression is disabled." + } + ] + }, + { + "id": "control-1453", + "title": "Perfect Forward Secrecy", + "parts": [ + { + "id": "control-1453-stmt", + "name": "statement", + "prose": "PFS is used for TLS connections." } ] } ] }, { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", + "id": "cryptographic_system_management", + "title": "Cryptographic system management", "controls": [ { - "id": "control-0125", - "title": "Cyber security incident register", + "id": "control-0501", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0125-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." 
} ] }, { - "id": "control-0133", - "title": "Handling and containing data spills", + "id": "control-0142", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0133-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." } ] }, { - "id": "control-0917", - "title": "Handling and containing malicious code infections", + "id": "control-1091", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0917-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "Keying material is changed when compromised or suspected of being compromised." } ] }, { - "id": "control-0137", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", + "parts": [ + { + "id": "control-0499-stmt", + "name": "statement", + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." 
+ } + ] + }, + { + "id": "control-0505", + "title": "Storing cryptographic equipment", + "parts": [ + { + "id": "control-0505-stmt", + "name": "statement", + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + } + ] + }, + { + "id": "control-0506", + "title": "Storing cryptographic equipment", + "parts": [ + { + "id": "control-0506-stmt", + "name": "statement", + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + } + ] + } + ] + }, + { + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", + "controls": [ + { + "id": "control-1161", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-0137-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." } ] }, { - "id": "control-1609", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0457", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1609-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." 
+ "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] }, { - "id": "control-1213", - "title": "Post-incident analysis", + "id": "control-0460", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1213-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-0138", - "title": "Integrity of evidence", + "id": "control-0459", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0138-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] - } - ] - }, - { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", - "controls": [ + }, { - "id": "control-0576", - "title": "Intrusion detection and prevention policy", + "id": "control-0461", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0576-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." 
+ "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-0120", - "title": "Access to sufficient data sources and tools", + "id": "control-1080", + "title": "Encrypting particularly important information at rest", "parts": [ { - "id": "control-0120-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ - { - "id": "mobile_device_usage", - "title": "Mobile device usage", - "controls": [ + }, { - "id": "control-1082", - "title": "Mobile device usage policy", + "id": "control-0455", + "title": "Data recovery", "parts": [ { - "id": "control-1082-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." } ] }, { - "id": "control-1083", - "title": "Personnel awareness", + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", "parts": [ { - "id": "control-1083-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." 
+ "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] }, { - "id": "control-0240", - "title": "Paging and message services", + "id": "control-1162", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0866", - "title": "Using mobile devices in public spaces", + "id": "control-0465", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-0866-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1145", - "title": "Using mobile devices in public spaces", + "id": "control-0467", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1145-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." 
+ "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0871", - "title": "Maintaining control of mobile devices", + "id": "control-0469", + "title": "Encrypting particularly important information in transit", "parts": [ { - "id": "control-0871-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ { - "id": "control-0870", - "title": "Maintaining control of mobile devices", + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-0870-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "Only AACPs are used by cryptographic equipment and software." } ] - }, + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ { - "id": "control-1084", - "title": "Carrying mobile devices", + "id": "control-0494", + "title": "Mode of operation", "parts": [ { - "id": "control-1084-stmt", + "id": "control-0494-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." 
+ "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." } ] }, { - "id": "control-0701", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-0496", + "title": "Protocol selection", "parts": [ { - "id": "control-0701-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "The ESP protocol is used for IPsec connections." } ] }, { - "id": "control-0702", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1233", + "title": "Key exchange", "parts": [ { - "id": "control-0702-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-1298", - "title": "Before travelling overseas with mobile devices", + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", "parts": [ { - "id": "control-1298-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." 
} ] }, { - "id": "control-1554", - "title": "Before travelling overseas with mobile devices", + "id": "control-0498", + "title": "Security association lifetimes", "parts": [ { - "id": "control-1554-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." } ] }, { - "id": "control-1555", - "title": "Before travelling overseas with mobile devices", + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", "parts": [ { - "id": "control-1555-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." 
} ] }, { - "id": "control-1299", - "title": "While travelling overseas with mobile devices", + "id": "control-0999", + "title": "Diffie-Hellman groups", "parts": [ { - "id": "control-1299-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." 
} ] }, { - "id": "control-1088", - "title": "While travelling overseas with mobile devices", + "id": "control-1000", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1088-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." + "prose": "PFS is used for IPsec connections." } ] }, { - "id": "control-1300", - "title": "After travelling overseas with mobile devices", + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", "parts": [ { - "id": "control-1300-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", + "groups": [ + { + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", + "controls": [ { - "id": "control-1556", - "title": "After travelling overseas with mobile devices", + "id": "control-0252", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1556-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." } ] - } - ] - }, - { - "id": "mobile_device_management", - "title": "Mobile device management", - "controls": [ + }, { - "id": "control-1533", - "title": "Mobile device management policy", + "id": "control-1565", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1533-stmt", + "id": "control-1565-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "Tailored privileged user training is undertaken annually by all privileged users." 
} ] }, { - "id": "control-1195", - "title": "Mobile device management policy", + "id": "control-0817", + "title": "Reporting suspicious contact via online services", "parts": [ { - "id": "control-1195-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, { - "id": "control-0687", - "title": "Mobile device management policy", + "id": "control-0820", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0687-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." } ] }, { - "id": "control-1400", - "title": "Privately-owned mobile devices", + "id": "control-1146", + "title": "Posting work information to online services", "parts": [ { - "id": "control-1400-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." 
} ] }, { - "id": "control-0694", - "title": "Privately-owned mobile devices", + "id": "control-0821", + "title": "Posting personal information to online services", "parts": [ { - "id": "control-0694-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems or information." + "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." } ] }, { - "id": "control-1297", - "title": "Seeking legal advice for privately-owned mobile devices", + "id": "control-0824", + "title": "Sending and receiving files via online services", "parts": [ { - "id": "control-1297-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." } ] - }, + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ { - "id": "control-1482", - "title": "Organisation-owned mobile devices", + "id": "control-0432", + "title": "System access requirements", "parts": [ { - "id": "control-1482-stmt", + "id": "control-0432-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." 
} ] }, { - "id": "control-0869", - "title": "Mobile device storage encryption", + "id": "control-0434", + "title": "System access requirements", "parts": [ { - "id": "control-0869-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." } ] }, { - "id": "control-1085", - "title": "Mobile device communications encryption", + "id": "control-0435", + "title": "System access requirements", "parts": [ { - "id": "control-1085-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] }, { - "id": "control-1202", - "title": "Mobile device Bluetooth functionality", + "id": "control-0414", + "title": "User identification", "parts": [ { - "id": "control-1202-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." } ] }, { - "id": "control-0682", - "title": "Mobile device Bluetooth functionality", + "id": "control-0415", + "title": "User identification", "parts": [ { - "id": "control-0682-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
+ "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-1196", - "title": "Mobile device Bluetooth pairing", + "id": "control-1583", + "title": "User identification", "parts": [ { - "id": "control-1196-stmt", + "id": "control-1583-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "Personnel who are contractors are identified as such." } ] }, { - "id": "control-1200", - "title": "Mobile device Bluetooth pairing", + "id": "control-0975", + "title": "User identification", "parts": [ { - "id": "control-1200-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1198", - "title": "Mobile device Bluetooth pairing", + "id": "control-0420", + "title": "User identification", "parts": [ { - "id": "control-1198-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1199", - "title": "Mobile device Bluetooth pairing", + "id": "control-1538", + "title": "User identification", "parts": [ { - "id": "control-1199-stmt", + "id": "control-1538-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." 
+ "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0863", - "title": "Configuration control", + "id": "control-0405", + "title": "Standard access to systems", "parts": [ { - "id": "control-0863-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-0864", - "title": "Configuration control", + "id": "control-1503", + "title": "Standard access to systems", "parts": [ { - "id": "control-0864-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-1365", - "title": "Maintaining mobile device security", + "id": "control-1566", + "title": "Standard access to systems", "parts": [ { - "id": "control-1365-stmt", + "id": "control-1566-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-1366", - "title": "Maintaining mobile device security", + "id": "control-0409", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-1366-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." 
+ "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-0874", - "title": "Connecting mobile devices to the internet", + "id": "control-0411", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0874-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-0705", - "title": "Connecting mobile devices to the internet", + "id": "control-0816", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0705-stmt", + "id": "control-0816-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", - "groups": [ - { - "id": "cable_labelling_and_registration", - "title": "Cable labelling and registration", - "controls": [ + }, { - "id": "control-0201", - "title": "Conduit label specifications", + "id": "control-1507", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0201-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-0202", - "title": "Conduit label specifications", + "id": "control-1508", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0202-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-0203", - "title": "Conduit label specifications", + "id": "control-0445", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0203-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." 
} ] }, { - "id": "control-0204", - "title": "Installing conduit labelling", + "id": "control-1509", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0204-stmt", + "id": "control-1509-stmt", "name": "statement", - "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-1095", - "title": "Labelling wall outlet boxes", + "id": "control-1175", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1095-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." } ] }, { - "id": "control-1096", - "title": "Labelling cables", + "id": "control-0448", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1096-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." } ] }, { - "id": "control-0206", - "title": "Cable labelling process and procedures", + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0206-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." 
+ "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." } ] }, { - "id": "control-0208", - "title": "Cable register", + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0208-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." } ] }, { - "id": "control-0211", - "title": "Cable inspections", + "id": "control-1545", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0211-stmt", - "name": "statement", - "prose": "Cables are inspected for inconsistencies with the cable register at least annually." - } - ] - } - ] - }, - { - "id": "cable_patching", - "title": "Cable patching", - "controls": [ + "id": "control-1545-stmt", + "name": "statement", + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." + } + ] + }, { - "id": "control-0213", - "title": "Terminations to patch panels", + "id": "control-0430", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-0213-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "Only approved cable groups terminate on a patch panel." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." 
} ] }, { - "id": "control-1093", - "title": "Patch cable and fly lead connectors", + "id": "control-1591", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1093-stmt", + "id": "control-1591-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." + "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." } ] }, { - "id": "control-0214", - "title": "Patch cable and fly lead connectors", + "id": "control-1404", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-0214-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." } ] }, { - "id": "control-1094", - "title": "Patch cable and fly lead connectors", + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", "parts": [ { - "id": "control-1094-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." 
+ "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." } ] }, { - "id": "control-0216", - "title": "Physical separation of patch panels", + "id": "control-0441", + "title": "Temporary access to systems", "parts": [ { - "id": "control-0216-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." } ] }, { - "id": "control-0217", - "title": "Physical separation of patch panels", + "id": "control-0443", + "title": "Temporary access to systems", "parts": [ { - "id": "control-0217-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." 
} ] }, { - "id": "control-0218", - "title": "Fly lead installation", + "id": "control-1610", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0218-stmt", + "id": "control-1610-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ + }, { - "id": "control-0247", - "title": "Emanation security threat assessments in Australia", + "id": "control-1611", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0247-stmt", + "id": "control-1611-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Break glass accounts are only used when normal authentication processes cannot be used." } ] }, { - "id": "control-0248", - "title": "Emanation security threat assessments in Australia", + "id": "control-1612", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0248-stmt", + "id": "control-1612-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
+ "prose": "Break glass accounts are only used for specific authorised activities." } ] }, { - "id": "control-1137", - "title": "Emanation security threat assessments in Australia", + "id": "control-1613", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1137-stmt", + "id": "control-1613-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." } ] }, { - "id": "control-0932", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1614", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0932-stmt", + "id": "control-1614-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." } ] }, { - "id": "control-0249", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1615", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0249-stmt", + "id": "control-1615-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Break glass accounts are tested after credentials are changed." 
} ] }, { - "id": "control-0246", - "title": "Early identification of emanation security issues", + "id": "control-0078", + "title": "Control of Australian systems", "parts": [ { - "id": "control-0246-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." } ] }, { - "id": "control-0250", - "title": "Industry and government standards", + "id": "control-0854", + "title": "Control of Australian systems", "parts": [ { - "id": "control-0250-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_database_systems", + "title": "Guidelines for Database Systems", + "groups": [ { - "id": "cable_management", - "title": "Cable management", + "id": "database_servers", + "title": "Database servers", "controls": [ { - "id": "control-0181", - "title": "Cable standards", + "id": "control-1425", + "title": "Protecting database server contents", "parts": [ { - "id": "control-0181-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." + "prose": "Hard disks of database servers are encrypted using full disk encryption." 
} ] }, { - "id": "control-0926", - "title": "Cable colours", + "id": "control-1269", + "title": "Functional separation between database servers and web servers", "parts": [ { - "id": "control-0926-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-0825", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-1277", + "title": "Communications between database servers and web servers", "parts": [ { - "id": "control-0825-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." + "prose": "Information communicated between database servers and web applications is encrypted." } ] }, { - "id": "control-0826", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-1270", + "title": "Network environment", "parts": [ { - "id": "control-0826-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-1215", - "title": "Cable colour non-conformance", + "id": "control-1271", + "title": "Network environment", "parts": [ { - "id": "control-1215-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." 
+ "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." } ] }, { - "id": "control-1216", - "title": "Cable colour non-conformance", + "id": "control-1272", + "title": "Network environment", "parts": [ { - "id": "control-1216-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." } ] }, { - "id": "control-1112", - "title": "Inspecting cables", + "id": "control-1273", + "title": "Separation of production, test and development database servers", "parts": [ { - "id": "control-1112-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Test and development environments do not use the same database servers as production environments." } ] - }, + } + ] + }, + { + "id": "databases", + "title": "Databases", + "controls": [ { - "id": "control-1118", - "title": "Inspecting cables", + "id": "control-1243", + "title": "Database register", "parts": [ { - "id": "control-1118-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "A database register is maintained and regularly audited." 
} ] }, { - "id": "control-1119", - "title": "Inspecting cables", + "id": "control-1256", + "title": "Protecting database contents", "parts": [ { - "id": "control-1119-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." + "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-1126", - "title": "Inspecting cables", + "id": "control-1252", + "title": "Protecting authentication credentials in databases", "parts": [ { - "id": "control-1126-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-0184", - "title": "Inspecting cables", + "id": "control-0393", + "title": "Protecting database contents", "parts": [ { - "id": "control-0184-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." } ] }, { - "id": "control-0187", - "title": "Cable groupings", + "id": "control-1255", + "title": "Protecting database contents", "parts": [ { - "id": "control-0187-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." 
} ] }, { - "id": "control-1111", - "title": "Use of fibre-optic cables", + "id": "control-1268", + "title": "Protecting database contents", "parts": [ { - "id": "control-1111-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." } ] }, { - "id": "control-0189", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-1258", + "title": "Aggregation of database contents", "parts": [ { - "id": "control-0189-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." } ] }, { - "id": "control-0190", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-1274", + "title": "Separation of production, test and development databases", "parts": [ { - "id": "control-0190-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." + "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." 
} ] }, { - "id": "control-1114", - "title": "Cables sharing a common reticulation system", + "id": "control-1275", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1114-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." } ] }, { - "id": "control-1130", - "title": "Enclosed cable reticulation systems", + "id": "control-1276", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1130-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." } ] }, { - "id": "control-1164", - "title": "Covers for enclosed cable reticulation systems", + "id": "control-1278", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1164-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." 
} ] - }, + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ { - "id": "control-0195", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1245", + "title": "Temporary installation files and logs", "parts": [ { - "id": "control-0195-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-0194", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1246", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0194-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "DBMS software is configured according to vendor guidance." } ] }, { - "id": "control-1102", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1247", + "title": "Hardening and configuration", "parts": [ { - "id": "control-1102-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." 
} ] }, { - "id": "control-1101", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1249", + "title": "Restricting privileges", "parts": [ { - "id": "control-1101-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] }, { - "id": "control-1103", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1250", + "title": "Restricting privileges", "parts": [ { - "id": "control-1103-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." } ] }, { - "id": "control-1098", - "title": "Terminating cables in cabinets", + "id": "control-1251", + "title": "Restricting privileges", "parts": [ { - "id": "control-1098-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." + "prose": "The ability of DBMS software to read local files from a server is disabled." } ] }, { - "id": "control-1100", - "title": "Terminating cables in cabinets", + "id": "control-1260", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1100-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." 
+ "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-1116", - "title": "Cabinet separation", + "id": "control-1262", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-1115", - "title": "Cables in walls", + "id": "control-1261", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1115-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Database administrator accounts are not shared across different databases." } ] }, { - "id": "control-1133", - "title": "Cables in party walls", + "id": "control-1263", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1133-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in a party wall." + "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-1122", - "title": "Wall penetrations", + "id": "control-1264", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1122-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." 
+ "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateways", + "title": "Guidelines for Gateways", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-1134", - "title": "Wall penetrations", + "id": "control-1528", + "title": "Using firewalls", "parts": [ { - "id": "control-1134-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1104", - "title": "Wall outlet boxes", + "id": "control-0639", + "title": "Using firewalls", "parts": [ { - "id": "control-1104-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] }, { - "id": "control-1105", - "title": "Wall outlet boxes", + "id": "control-1194", + "title": "Using firewalls", "parts": [ { - "id": "control-1105-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." + "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." 
} ] }, { - "id": "control-1106", - "title": "Wall outlet boxes", + "id": "control-0641", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1106-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." } ] }, { - "id": "control-1107", - "title": "Wall outlet box colours", + "id": "control-0642", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1107-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." } ] - }, + } + ] + }, + { + "id": "diodes", + "title": "Diodes", + "controls": [ { - "id": "control-1109", - "title": "Wall outlet box covers", + "id": "control-0643", + "title": "Using diodes", "parts": [ { - "id": "control-1109-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0198", - "title": "Audio secure spaces", + "id": "control-0645", + "title": "Using diodes", "parts": [ { - "id": "control-0198-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." 
+ "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." } ] }, { - "id": "control-1123", - "title": "Power reticulation", + "id": "control-1157", + "title": "Using diodes", "parts": [ { - "id": "control-1123-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." } ] }, { - "id": "control-1135", - "title": "Power reticulation", + "id": "control-1158", + "title": "Using diodes", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment", - "title": "Guidelines for ICT Equipment", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0646", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0313-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." 
+ "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0647", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-1550-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0648", + "title": "Volume checking", "parts": [ { - "id": "control-0311-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." } ] - }, + } + ] + }, + { + "id": "content_filtering", + "title": "Content filtering", + "controls": [ { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0659", + "title": "Content filtering", "parts": [ { - "id": "control-1217-stmt", + "id": "control-0659-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." 
+ "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." } ] }, { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." } ] }, { - "id": "control-0315", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-0651", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0315-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." } ] }, { - "id": "control-1218", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-0652", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-1218-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." 
} ] }, { - "id": "control-0312", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1389", + "title": "Automated dynamic analysis", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] }, { - "id": "control-0317", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1284", + "title": "Content validation", "parts": [ { - "id": "control-0317-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." } ] }, { - "id": "control-1219", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1286", + "title": "Content conversion and transformation", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." 
} ] }, { - "id": "control-1220", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1287", + "title": "Content sanitisation", "parts": [ { - "id": "control-1220-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." } ] }, { - "id": "control-1221", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1288", + "title": "Antivirus scanning", "parts": [ { - "id": "control-1221-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] }, { - "id": "control-0318", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1289", + "title": "Archive and container files", "parts": [ { - "id": "control-0318-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-1534", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1290", + "title": "Archive and container files", "parts": [ { - "id": "control-1534-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." 
+ "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-1076", - "title": "Sanitising televisions and computer monitors", + "id": "control-1291", + "title": "Archive and container files", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." } ] }, { - "id": "control-1222", - "title": "Sanitising televisions and computer monitors", + "id": "control-0649", + "title": "Allowing access to specific content types", "parts": [ { - "id": "control-1222-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-1223", - "title": "Sanitising network devices", + "id": "control-1292", + "title": "Data integrity", "parts": [ { - "id": "control-1223-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." 
} ] }, { - "id": "control-1225", - "title": "Sanitising fax machines", + "id": "control-0677", + "title": "Data integrity", "parts": [ { - "id": "control-1225-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "If data is signed, the signature is validated before the data is exported." } ] }, { - "id": "control-1226", - "title": "Sanitising fax machines", + "id": "control-1293", + "title": "Encrypted data", "parts": [ { - "id": "control-1226-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] } ] }, { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", "controls": [ { - "id": "control-1079", - "title": "Maintenance and repairs of high assurance ICT equipment", + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", "parts": [ { - "id": "control-1079-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." 
} ] }, { - "id": "control-0305", - "title": "On-site maintenance and repairs", + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0305-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0307", - "title": "On-site maintenance and repairs", + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0307-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0306", - "title": "On-site maintenance and repairs", + "id": "control-0635", + "title": "Separation of data flows", "parts": [ { - "id": "control-0306-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." 
+ "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-0310", - "title": "Off-site maintenance and repairs", + "id": "control-1521", + "title": "Separation of data flows", "parts": [ { - "id": "control-0310-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." } ] }, { - "id": "control-0944", - "title": "Maintenance and repair of ICT equipment from secured spaces", + "id": "control-1522", + "title": "Separation of data flows", "parts": [ { - "id": "control-0944-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." } ] }, { - "id": "control-1598", - "title": "Inspection of ICT equipment following maintenance and repairs", + "id": "control-0670", + "title": "Event logging", "parts": [ { - "id": "control-1598-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." 
} ] - } - ] - }, - { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", - "controls": [ + }, { - "id": "control-1551", - "title": "ICT equipment management policy", + "id": "control-1523", + "title": "Event logging", "parts": [ { - "id": "control-1551-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." } ] }, { - "id": "control-0293", - "title": "Classifying ICT equipment", + "id": "control-0610", + "title": "User training", "parts": [ { - "id": "control-0293-stmt", + "id": "control-0610-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." } ] - }, + } + ] + }, + { + "id": "web_proxies", + "title": "Web proxies", + "controls": [ { - "id": "control-0294", - "title": "Labelling ICT equipment", + "id": "control-0258", + "title": "Web usage policy", "parts": [ { - "id": "control-0294-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "A web usage policy is developed and implemented." 
} ] }, { - "id": "control-0296", - "title": "Labelling high assurance ICT equipment", + "id": "control-0260", + "title": "Using web proxies", "parts": [ { - "id": "control-0296-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-1599", - "title": "Handling ICT equipment", + "id": "control-0261", + "title": "Web proxy authentication and logging", "parts": [ { - "id": "control-1599-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." } ] } ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ + }, { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", + "id": "web_content_filters", + "title": "Web content filters", "controls": [ { - "id": "control-0336", - "title": "ICT equipment and media register", + "id": "control-0963", + "title": "Using web content filters", "parts": [ { - "id": "control-0336-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." + "prose": "A web content filter is used to filter potentially harmful web-based content." 
} ] }, { - "id": "control-0159", - "title": "ICT equipment and media register", + "id": "control-0961", + "title": "Using web content filters", "parts": [ { - "id": "control-0159-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." } ] }, { - "id": "control-0161", - "title": "Securing ICT equipment and media", + "id": "control-1237", + "title": "Using web content filters", "parts": [ { - "id": "control-0161-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Radio Frequency devices", + "id": "control-0263", + "title": "Transport Layer Security filtering", "parts": [ { - "id": "control-1543-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." + "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." 
} ] }, { - "id": "control-0225", - "title": "Radio Frequency devices", + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", "parts": [ { - "id": "control-0225-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] }, { - "id": "control-0829", - "title": "Radio Frequency devices", + "id": "control-0958", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0829-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-1058", - "title": "Bluetooth and wireless keyboards", + "id": "control-1170", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-1058-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." } ] }, { - "id": "control-0222", - "title": "Infrared keyboards", + "id": "control-0959", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0222-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." 
} ] }, { - "id": "control-0223", - "title": "Infrared keyboards", + "id": "control-0960", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0223-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." } ] }, { - "id": "control-0224", - "title": "Infrared keyboards", + "id": "control-1171", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0224-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0221", - "title": "Wireless RF pointing devices", + "id": "control-1236", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0221-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." 
} ] } ] }, { - "id": "facilities_and_systems", - "title": "Facilities and systems", + "id": "peripheral_switches", + "title": "Peripheral switches", "controls": [ { - "id": "control-0810", - "title": "Facilities containing systems", + "id": "control-0591", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0810-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-1053", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1480", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1053-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-1530", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1457", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1530-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." 
} ] }, { - "id": "control-0813", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0593", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-1074", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0594", + "title": "Peripheral switches for particularly important systems", "parts": [ { - "id": "control-1074-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." + } + ] + } + ] + }, + { + "id": "gateways", + "title": "Gateways", + "controls": [ + { + "id": "control-0628", + "title": "Gateway architecture and configuration", + "parts": [ + { + "id": "control-0628-stmt", + "name": "statement", + "prose": "All systems are protected from systems in other security domains by one or more gateways." } ] }, { - "id": "control-0157", - "title": "Network infrastructure", + "id": "control-1192", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0157-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." 
+ "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] }, { - "id": "control-1296", - "title": "Controlling physical access to network devices", + "id": "control-0631", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." } ] }, { - "id": "control-0164", - "title": "Preventing observation by unauthorised people", + "id": "control-1427", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0164-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_data_transfers", - "title": "Guidelines for Data Transfers", - "groups": [ - { - "id": "data_transfers", - "title": "Data transfers", - "controls": [ + }, { - "id": "control-0663", - "title": "Data transfer process and procedures", + "id": "control-0634", + "title": "Gateway operation", "parts": [ { - "id": "control-0663-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." } ] }, { - "id": "control-0661", - "title": "User responsibilities", + "id": "control-0637", + "title": "Demilitarised zones", "parts": [ { - "id": "control-0661-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-0665", - "title": "Trusted sources", + "id": "control-1037", + "title": "Gateway testing", "parts": [ { - "id": "control-0665-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." 
} ] }, { - "id": "control-0664", - "title": "Data transfer approval", + "id": "control-0611", + "title": "Gateway administration", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." } ] }, { - "id": "control-0675", - "title": "Data transfer approval", + "id": "control-0612", + "title": "Gateway administration", "parts": [ { - "id": "control-0675-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "A trusted source signs all data authorised for export from a system." + "prose": "System administrators are formally trained to manage gateways." } ] }, { - "id": "control-0657", - "title": "Import of data", + "id": "control-1520", + "title": "Gateway administration", "parts": [ { - "id": "control-0657-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." } ] }, { - "id": "control-0658", - "title": "Import of data", + "id": "control-0613", + "title": "Gateway administration", "parts": [ { - "id": "control-0658-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." 
} ] }, { - "id": "control-1187", - "title": "Export of data", + "id": "control-0616", + "title": "Gateway administration", "parts": [ { - "id": "control-1187-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "Roles for the administration of gateways are separated." } ] }, { - "id": "control-0669", - "title": "Export of data", + "id": "control-0629", + "title": "Gateway administration", "parts": [ { - "id": "control-0669-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-1535", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0607", + "title": "Shared ownership of gateways", "parts": [ { - "id": "control-1535-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." 
} ] }, { - "id": "control-0678", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0619", + "title": "Gateway authentication", "parts": [ { - "id": "control-0678-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "Users and services accessing networks through gateways are authenticated." } ] }, { - "id": "control-1586", - "title": "Monitoring data import and export", + "id": "control-0620", + "title": "Gateway authentication", "parts": [ { - "id": "control-1586-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "Data transfer logs are used to record all data imports and exports from systems." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-1294", - "title": "Monitoring data import and export", + "id": "control-1039", + "title": "Gateway authentication", "parts": [ { - "id": "control-1294-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "Data transfer logs are partially audited at least monthly." + "prose": "Multi-factor authentication is used for access to gateways." } ] }, { - "id": "control-0660", - "title": "Monitoring data import and export", + "id": "control-0622", + "title": "ICT equipment authentication", "parts": [ { - "id": "control-0660-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "Data transfer logs are fully audited at least monthly." + "prose": "ICT equipment accessing networks through gateways is authenticated." } ] } 
@@ -7920,872 +7970,822 @@ ] }, { - "id": "guidelines_for_media", - "title": "Guidelines for Media", + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", "groups": [ { - "id": "media_destruction", - "title": "Media destruction", + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", "controls": [ { - "id": "control-0363", - "title": "Media destruction process and procedures", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", "parts": [ { - "id": "control-0363-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-0350", - "title": "Media that cannot be sanitised", + "id": "control-0546", + "title": "Video and voice-aware firewalls", "parts": [ { - "id": "control-0350-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." } ] }, { - "id": "control-1361", - "title": "Media destruction equipment", + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", "parts": [ { - "id": "control-1361-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." 
+ "prose": "Video conferencing and IP telephony signalling and data is encrypted." } ] }, { - "id": "control-1160", - "title": "Media destruction equipment", + "id": "control-0548", + "title": "Establishment of secure signalling and data protocols", "parts": [ { - "id": "control-1160-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-1517", - "title": "Media destruction methods", + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1517-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-0366", - "title": "Media destruction methods", + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." 
} ] }, { - "id": "control-0368", - "title": "Treatment of media waste particles", + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0368-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-0361", - "title": "Degaussing magnetic media", + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0361-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." } ] }, { - "id": "control-0838", - "title": "Degaussing magnetic media", + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0838-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." + "prose": "Individual logins are used for IP phones." 
} ] }, { - "id": "control-0362", - "title": "Degaussing magnetic media", + "id": "control-0549", + "title": "Traffic separation", "parts": [ { - "id": "control-0362-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." } ] }, { - "id": "control-0370", - "title": "Supervision of destruction", + "id": "control-0556", + "title": "Traffic separation", "parts": [ { - "id": "control-0370-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-0371", - "title": "Supervision of destruction", + "id": "control-1015", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0371-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "Traditional analog phones are used in public areas." 
} ] }, { - "id": "control-0372", - "title": "Supervision of accountable material destruction", + "id": "control-0558", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] }, { - "id": "control-0373", - "title": "Supervision of accountable material destruction", + "id": "control-0559", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0373-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." } ] }, { - "id": "control-0840", - "title": "Outsourcing media destruction", + "id": "control-1450", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." 
} ] }, { - "id": "control-0839", - "title": "Outsourcing media destruction", + "id": "control-1019", + "title": "Developing a denial of service response plan", "parts": [ { - "id": "control-0839-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." } ] } ] }, { - "id": "media_usage", - "title": "Media usage", + "id": "telephone_systems", + "title": "Telephone systems", "controls": [ { - "id": "control-1549", - "title": "Media management policy", - "parts": [ - { - "id": "control-1549-stmt", - "name": "statement", - "prose": "A media management policy is developed and implemented." - } - ] - }, - { - "id": "control-1359", - "title": "Removable media usage policy", - "parts": [ - { - "id": "control-1359-stmt", - "name": "statement", - "prose": "A removable media usage policy is developed and implemented." - } - ] - }, - { - "id": "control-0323", - "title": "Classifying media storing information", - "parts": [ - { - "id": "control-0323-stmt", - "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." - } - ] - }, - { - "id": "control-0325", - "title": "Classifying media connected to systems", - "parts": [ - { - "id": "control-0325-stmt", - "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." 
- } - ] - }, - { - "id": "control-0331", - "title": "Reclassifying media", + "id": "control-1078", + "title": "Telephone systems usage policy", "parts": [ { - "id": "control-0331-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-0330", - "title": "Reclassifying media", + "id": "control-0229", + "title": "Personnel awareness", "parts": [ { - "id": "control-0330-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-0332", - "title": "Labelling media", + "id": "control-0230", + "title": "Personnel awareness", "parts": [ { - "id": "control-0332-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." 
} ] }, { - "id": "control-1600", - "title": "Connecting media to systems", + "id": "control-0231", + "title": "Visual indication", "parts": [ { - "id": "control-1600-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "Media is sanitised before it is used with systems for the first time." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-0337", - "title": "Connecting media to systems", + "id": "control-0232", + "title": "Protecting conversations", "parts": [ { - "id": "control-0337-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0341", - "title": "Connecting media to systems", + "id": "control-0233", + "title": "Cordless telephone systems", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." } ] }, { - "id": "control-0342", - "title": "Connecting media to systems", + "id": "control-0235", + "title": "Speakerphones", "parts": [ { - "id": "control-0342-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." 
+ "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-0343", - "title": "Connecting media to systems", + "id": "control-0236", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0343-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." } ] }, { - "id": "control-0345", - "title": "External interface connections that allow Direct Memory Access", + "id": "control-0931", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0345-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "External interface connections that allow DMA are disabled." + "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." } ] }, { - "id": "control-0831", - "title": "Handling media", + "id": "control-0237", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." + "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." 
} ] - }, + } + ] + }, + { + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", + "controls": [ { - "id": "control-1059", - "title": "Handling media", + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", "parts": [ { - "id": "control-1059-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "A fax machine and MFD usage policy is developed and implemented." } ] }, { - "id": "control-0347", - "title": "Using media for data transfers", + "id": "control-1092", + "title": "Sending fax messages", "parts": [ { - "id": "control-0347-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." } ] }, { - "id": "control-0947", - "title": "Using media for data transfers", + "id": "control-0241", + "title": "Sending fax messages", "parts": [ { - "id": "control-0947-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." 
} ] - } - ] - }, - { - "id": "media_disposal", - "title": "Media disposal", - "controls": [ + }, { - "id": "control-0374", - "title": "Media disposal process and procedures", + "id": "control-1075", + "title": "Receiving fax messages", "parts": [ { - "id": "control-0374-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." } ] }, { - "id": "control-0375", - "title": "Media disposal process and procedures", + "id": "control-0590", + "title": "Connecting multifunction devices to networks", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." } ] }, { - "id": "control-0378", - "title": "Media disposal process and procedures", + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", "parts": [ { - "id": "control-0378-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." 
+ "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] - } - ] - }, - { - "id": "media_sanitisation", - "title": "Media sanitisation", - "controls": [ + }, { - "id": "control-0348", - "title": "Media sanitisation process and procedures", + "id": "control-0589", + "title": "Copying documents on multifunction devices", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." } ] }, { - "id": "control-0351", - "title": "Volatile media sanitisation", + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", "parts": [ { - "id": "control-0351-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ { - "id": "control-0352", - "title": "Volatile media sanitisation", + "id": "control-1510", + "title": "Digital preservation policy", "parts": [ { - "id": "control-0352-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-0835", - "title": "Treatment of volatile media following sanitisation", + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0835-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." } ] }, { - "id": "control-1065", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-1065-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
} ] }, { - "id": "control-0354", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-1511", + "title": "Performing backups", "parts": [ { - "id": "control-0354-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] }, { - "id": "control-1067", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-1512", + "title": "Backup storage", "parts": [ { - "id": "control-1067-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." } ] }, { - "id": "control-0356", - "title": "Treatment of non-volatile magnetic media following sanitisation", + "id": "control-1513", + "title": "Backup storage", "parts": [ { - "id": "control-0356-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "Backups are stored at a multiple geographically-dispersed locations." 
} ] }, { - "id": "control-0357", - "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "id": "control-1514", + "title": "Retention periods for backups", "parts": [ { - "id": "control-0357-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "Backups are stored for three months or greater." } ] }, { - "id": "control-0836", - "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "id": "control-1515", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-0836-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-0358", - "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "id": "control-1516", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-0358-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." 
} ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-0359", - "title": "Non-volatile flash memory media sanitisation", + "id": "control-1211", + "title": "Change management process and procedures", "parts": [ { - "id": "control-0359-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." } ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-0360", - "title": "Treatment of non-volatile flash memory media following sanitisation", + "id": "control-0042", + "title": "System administration process and procedures", "parts": [ { - "id": "control-0360-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." 
} ] }, { - "id": "control-1464", - "title": "Encrypted media sanitisation", + "id": "control-1380", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1464-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ - { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", - "controls": [ + }, { - "id": "control-0714", - "title": "Cyber security leadership", + "id": "control-1382", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0714-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership for their organisation." + "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." } ] }, { - "id": "control-1478", - "title": "Responsibilities", + "id": "control-1381", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." 
} ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ + }, { - "id": "control-1071", - "title": "System ownership", + "id": "control-1383", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." } ] }, { - "id": "control-1525", - "title": "Responsibilities", + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "System owners register each system with the system’s authorising officer." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." } ] }, { - "id": "control-0027", - "title": "Responsibilities", + "id": "control-1386", + "title": "Restriction of management traffic flows", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-1526", - "title": "Responsibilities", + "id": "control-1387", + "title": "Jump servers", "parts": [ { - "id": "control-1526-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "System owners monitor security risks and the effectiveness of security controls for each system." + "prose": "All administrative actions are conducted through a jump server." 
} ] }, { - "id": "control-1587", - "title": "Responsibilities", + "id": "control-1388", + "title": "Jump servers", "parts": [ { - "id": "control-1587-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "System owners report the security status of each system to its authorising officer at least annually." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." } ] } ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ + }, { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", + "id": "system_patching", + "title": "System patching", "controls": [ { - "id": "control-1452", - "title": "Cyber supply chain risk management", + "id": "control-1143", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "A review of suppliers and service providers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-1567", - "title": "Cyber supply chain risk management", + "id": "control-1493", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1567-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "High risk suppliers and service providers are not used." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." 
} ] }, { - "id": "control-1568", - "title": "Cyber supply chain risk management", + "id": "control-1144", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1568-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "Outsourced information technology and cloud services are chosen from service providers that have made a commitment to secure practices and have a strong track record of maintaining the security of their systems and services." + "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1395", - "title": "Cyber supply chain risk management", + "id": "control-0940", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1395-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1569", - "title": "Cyber supply chain risk management", + "id": "control-1472", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1569-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "A shared responsibility model is created between service providers and organisations in order to articulate the security responsibilities of each party." 
+ "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0100", - "title": "Outsourced gateway services", + "id": "control-1494", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0100-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1570", - "title": "Outsourced cloud services", + "id": "control-1495", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1570-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1529", - "title": "Outsourced cloud services", + "id": "control-1496", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "Only community or private clouds are used for outsourced cloud services." 
+ "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0072", - "title": "Contractual security requirements", + "id": "control-0300", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0072-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] }, { - "id": "control-1571", - "title": "Contractual security requirements", + "id": "control-0298", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1571-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-1451", - "title": "Contractual security requirements", + "id": "control-0303", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "Types of information and its ownership is documented in contractual arrangements." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1572", - "title": "Contractual security requirements", + "id": "control-1497", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1572-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1573", - "title": "Contractual security requirements", + "id": "control-1498", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1573-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." } ] }, { - "id": "control-1574", - "title": "Contractual security requirements", + "id": "control-1499", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1574-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1575", - "title": "Contractual security requirements", + "id": "control-1500", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1575-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1073", - "title": "Access to systems and information by service providers", + "id": "control-0304", + "title": "Cessation of support", "parts": [ { - "id": "control-1073-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] }, { - "id": "control-1576", - "title": "Access to systems and information by service providers", + "id": "control-1501", + "title": "Cessation of support", "parts": [ { - "id": "control-1576-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } 
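Review bot: the regenerated control sequence in this hunk runs control-1380, control-1382, control-1381, control-1383 and then control-1385, so control-1384 no longer sits between 1383 and 1385, and the `-` side removes whole groups (the CISO, system owner and outsourcing controls such as control-0714, control-1071 and control-1570) whose re-insertion is not visible here. Because the file is being reordered wholesale, a control that was dropped rather than moved looks no different from one that was moved, so please verify the control-ID sets match before merging, for example by running `grep -o '"id": "control-[0-9]*"' catalog.json | sort -u` against the old and new file and diffing the two lists, and list any intentional removals in the PR description. If the generator can emit groups and controls in the same order as the source document each run, future regenerations would produce reviewable diffs instead of full rewrites like this one.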
diff --git a/ISM_catalog_profile/catalogs/ISM_December_2019/catalog.json b/ISM_catalog_profile/catalogs/ISM_December_2019/catalog.json index d92183a..44d7a14 100644 --- a/ISM_catalog_profile/catalogs/ISM_December_2019/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_December_2019/catalog.json 
@@ -1,444 +1,606 @@ { "catalog": { - "uuid": "67cf3833-8fae-46f8-8d10-ee8e6b383f72", + "uuid": "4216b5eb-2619-4b91-aad9-6e5d9f086dab", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:21:31.150+00:00", + "last-modified": "2022-03-23T20:28:13.152324+11:00", "version": "December_2019", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", "controls": [ { - "id": "control-0042", - "title": "System administration", + "id": "control-0123", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0123-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1380", - "title": "System administration", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1380-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." 
+ "prose": "When organisations use outsourced information technology or cloud services, their service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1382", - "title": "System administration", + "id": "control-0140", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "Cyber security incidents are reported to the ACSC." } ] - }, + } + ] + }, + { + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", + "controls": [ { - "id": "control-1381", - "title": "System administration", + "id": "control-0576", + "title": "Detecting cyber security incidents", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0576-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "An intrusion detection and prevention policy is developed and implemented." } ] }, { - "id": "control-1383", - "title": "System administration", + "id": "control-0120", + "title": "Detecting cyber security incidents", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." 
+ "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that any security alerts generated by systems are investigated and that systems and data sources are able to be searched for key indicators of compromise including but not limited to IP addresses, domains and file hashes." } ] - }, + } + ] + }, + { + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", + "controls": [ { - "id": "control-1384", - "title": "System administration", + "id": "control-0125", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1384-stmt", + "id": "control-0125-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate users each time they perform privileged actions." + "prose": "A cyber security incident register is maintained with the following information:\n§ the date the cyber security incident occurred\n§ the date the cyber security incident was discovered\n§ a description of the cyber security incident\n§ any actions taken in response to the cyber security incident\n§ to whom the cyber security incident was reported." } ] }, { - "id": "control-1385", - "title": "System administration", + "id": "control-0133", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1385-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." } ] }, { - "id": "control-1386", - "title": "System administration", + "id": "control-0917", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1386-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." 
+ "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n§ the infected systems are isolated\n§ all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n§ antivirus software is used to remove the infection from infected systems and media\n§ if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." } ] }, { - "id": "control-1387", - "title": "System administration", + "id": "control-0137", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-1388", - "title": "System administration", + "id": "control-1213", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1388-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." 
} ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management", + "id": "control-0138", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0138-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n§ identification and documentation of requests for change\n§ approval required for changes to be made\n§ implementation and testing of approved changes\n§ the maintenance of system and security documentation." + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators recording all of their actions and ensuring raw audit trails are copied onto media for archiving." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ { - "id": "system_patching", - "title": "System patching", + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", "controls": [ { - "id": "control-1143", - "title": "System patching", + "id": "control-0280", + "title": "Evaluated product acquisition", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0280-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." 
} ] }, { - "id": "control-1493", - "title": "System patching", + "id": "control-0285", + "title": "Evaluated product acquisition", "parts": [ { - "id": "control-1493-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." } ] }, { - "id": "control-1144", - "title": "System patching", + "id": "control-0286", + "title": "Evaluated product acquisition", "parts": [ { - "id": "control-1144-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." } ] - }, + } + ] + }, + { + "id": "evaluated_product_usage", + "title": "Evaluated product usage", + "controls": [ { - "id": "control-0940", - "title": "System patching", + "id": "control-0289", + "title": "Evaluated product usage", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." 
} ] }, { - "id": "control-1472", - "title": "System patching", + "id": "control-0290", + "title": "Evaluated product usage", "parts": [ { - "id": "control-1472-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." } ] }, { - "id": "control-1494", - "title": "System patching", + "id": "control-0292", + "title": "Evaluated product usage", "parts": [ { - "id": "control-1494-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "High assurance ICT equipment is only operated in an evaluated configuration." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_data_transfers_and_content_filtering", + "title": "Guidelines for Data Transfers and Content Filtering", + "groups": [ + { + "id": "content_filtering", + "title": "Content filtering", + "controls": [ { - "id": "control-1495", - "title": "System patching", + "id": "control-0659", + "title": "Content filtering", "parts": [ { - "id": "control-1495-stmt", + "id": "control-0659-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
+ "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." } ] }, { - "id": "control-1496", - "title": "System patching", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-1496-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." } ] }, { - "id": "control-0300", - "title": "System patching", + "id": "control-0651", + "title": "Content filtering", "parts": [ { - "id": "control-0300-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." } ] }, { - "id": "control-0298", - "title": "System patching", + "id": "control-0652", + "title": "Content filtering", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." 
} ] }, { - "id": "control-0303", - "title": "System patching", + "id": "control-1389", + "title": "Content filtering", "parts": [ { - "id": "control-0303-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] }, { - "id": "control-1497", - "title": "System patching", + "id": "control-1284", + "title": "Content filtering", "parts": [ { - "id": "control-1497-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." } ] }, { - "id": "control-1498", - "title": "System patching", + "id": "control-1286", + "title": "Content filtering", "parts": [ { - "id": "control-1498-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." } ] }, { - "id": "control-1499", - "title": "System patching", + "id": "control-1287", + "title": "Content filtering", "parts": [ { - "id": "control-1499-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
+ "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." } ] }, { - "id": "control-1500", - "title": "System patching", + "id": "control-1288", + "title": "Content filtering", "parts": [ { - "id": "control-1500-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] }, { - "id": "control-0304", - "title": "System patching", + "id": "control-1289", + "title": "Content filtering", "parts": [ { - "id": "control-0304-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-1501", - "title": "System patching", + "id": "control-1290", + "title": "Content filtering", "parts": [ { - "id": "control-1501-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + } + ] + }, + { + "id": "control-1291", + "title": "Content filtering", + "parts": [ + { + "id": "control-1291-stmt", + "name": "statement", + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." 
+ } + ] + }, + { + "id": "control-0649", + "title": "Content filtering", + "parts": [ + { + "id": "control-0649-stmt", + "name": "statement", + "prose": "A whitelist of permitted content types is created and enforced based on business requirements and the results of a risk assessment." + } + ] + }, + { + "id": "control-1292", + "title": "Content filtering", + "parts": [ + { + "id": "control-1292-stmt", + "name": "statement", + "prose": "The integrity of content is verified where applicable and blocked if verification fails." + } + ] + }, + { + "id": "control-0677", + "title": "Content filtering", + "parts": [ + { + "id": "control-0677-stmt", + "name": "statement", + "prose": "If data is signed, the signature is validated before the data is exported." + } + ] + }, + { + "id": "control-1293", + "title": "Content filtering", + "parts": [ + { + "id": "control-1293-stmt", + "name": "statement", + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] } ] }, { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", + "id": "data_transfers", + "title": "Data transfers", "controls": [ { - "id": "control-1510", - "title": "Data backup and restoration", + "id": "control-0663", + "title": "Data transfers", "parts": [ { - "id": "control-1510-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-1547", - "title": "Data backup and restoration", + "id": "control-0661", + "title": "Data transfers", "parts": [ { - "id": "control-1547-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." 
+ "prose": "Users transferring data to and from a system are held accountable for the data they transfer." } ] }, { - "id": "control-1548", - "title": "Data backup and restoration", + "id": "control-0665", + "title": "Data transfers", "parts": [ { - "id": "control-1548-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." + "prose": "Trusted sources are a strictly limited number of personnel that have been authorised as such by an organisation’s CISO." } ] }, { - "id": "control-1511", - "title": "Data backup and restoration", + "id": "control-0675", + "title": "Data transfers", "parts": [ { - "id": "control-1511-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." + "prose": "A trusted source makes an informed decision to sign all data authorised for export from a security domain." } ] }, { - "id": "control-1512", - "title": "Data backup and restoration", + "id": "control-0664", + "title": "Data transfers", "parts": [ { - "id": "control-1512-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." } ] }, { - "id": "control-1513", - "title": "Data backup and restoration", + "id": "control-0657", + "title": "Data transfers", "parts": [ { - "id": "control-1513-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." + "prose": "Data imported to a system is scanned for malicious and active content." 
} ] }, { - "id": "control-1514", - "title": "Data backup and restoration", + "id": "control-0658", + "title": "Data transfers", "parts": [ { - "id": "control-1514-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." } ] }, { - "id": "control-1515", - "title": "Data backup and restoration", + "id": "control-1187", + "title": "Data transfers", "parts": [ { - "id": "control-1515-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "When exporting data, protective marking checks are undertaken." } ] }, { - "id": "control-1516", - "title": "Data backup and restoration", + "id": "control-0669", + "title": "Data transfers", "parts": [ { - "id": "control-1516-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "When exporting data, the following activities are undertaken:\n§ protective marking checks\n§ data format checks and logging\n§ monitoring to detect overuse/unusual usage patterns\n§ limitations on data types and sizes\n§ keyword searches on all textual data." + } + ] + }, + { + "id": "control-1535", + "title": "Data transfers", + "parts": [ + { + "id": "control-1535-stmt", + "name": "statement", + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." 
+ } + ] + }, + { + "id": "control-0678", + "title": "Data transfers", + "parts": [ + { + "id": "control-0678-stmt", + "name": "statement", + "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + } + ] + }, + { + "id": "control-0667", + "title": "Data transfers", + "parts": [ + { + "id": "control-0667-stmt", + "name": "statement", + "prose": "Data exported from each security domain, including through a gateway, is only permitted once the classification has been assessed including a protective marking check." + } + ] + }, + { + "id": "control-0660", + "title": "Data transfers", + "parts": [ + { + "id": "control-0660-stmt", + "name": "statement", + "prose": "When importing data to each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." + } + ] + }, + { + "id": "control-0673", + "title": "Data transfers", + "parts": [ + { + "id": "control-0673-stmt", + "name": "statement", + "prose": "When exporting data out of each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." + } + ] + }, + { + "id": "control-1294", + "title": "Data transfers", + "parts": [ + { + "id": "control-1294-stmt", + "name": "statement", + "prose": "When importing content to a security domain, including through a gateway, monthly audits of the imported content are performed." + } + ] + }, + { + "id": "control-1295", + "title": "Data transfers", + "parts": [ + { + "id": "control-1295-stmt", + "name": "statement", + "prose": "When exporting content out of a security domain, including through a gateway, monthly audits of the exported content are performed." } ] } 
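Review bot: this hunk replaces the whole data_backup_and_restoration group in place with data_transfers (control-1510, -1547, -1548 and -1511 through -1516 become control-0663, -0661, -0665, -0675, -0664, -0657, -0658, -1187, -0669 and so on), so from the diff alone a reader cannot tell whether the backup controls were moved elsewhere in the regenerated catalog or dropped. Since the PR description says this is a regeneration for trestle 1.0.x rather than a content change, please add a check (or paste its output in the PR) that the sorted set of control ids is unchanged apart from intended additions, for example `jq '[.. | .id? // empty | select(startswith("control-"))] | sort'` run over both versions and diffed; that makes the group reordering verifiable as content-preserving and keeps the review focused on genuinely new statements such as control-1535 and control-0678.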
@@ -751,1365 +913,1153 @@ ] }, { - "id": "guidelines_for_media_management", - "title": "Guidelines for Media Management", + "id": "guidelines_for_database_systems_management", + "title": "Guidelines for Database Systems Management", "groups": [ { - "id": "media_destruction", - "title": "Media destruction", + "id": "database_servers", + "title": "Database servers", "controls": [ { - "id": "control-0363", - "title": "Media destruction", + "id": "control-1425", + "title": "Database servers", "parts": [ { - "id": "control-0363-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." + "prose": "Hard disks of database servers are encrypted using full disk encryption." } ] }, { - "id": "control-0350", - "title": "Media destruction", + "id": "control-1269", + "title": "Database servers", "parts": [ { - "id": "control-0350-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n§ microfiche and microfilm\n§ optical discs\n§ programmable read-only memory\n§ read-only memory\n§ other types of media that cannot be sanitised\n§ faulty media that cannot be successfully sanitised." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-1361", - "title": "Media destruction", + "id": "control-1277", + "title": "Database servers", "parts": [ { - "id": "control-1361-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." + "prose": "Information communicated between database servers and web applications is encrypted." 
} ] }, { - "id": "control-1160", - "title": "Media destruction", + "id": "control-1270", + "title": "Database servers", "parts": [ { - "id": "control-1160-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency or certified by the United Kingdom’s National Cyber Security Centre are used." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-1517", - "title": "Media destruction", + "id": "control-1271", + "title": "Database servers", "parts": [ { - "id": "control-1517-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "Network access controls are implemented to restrict database servers’ communications to strictly defined network resources such as web servers, application servers and storage area networks." } ] }, { - "id": "control-0366", - "title": "Media destruction", + "id": "control-1272", + "title": "Database servers", "parts": [ { - "id": "control-0366-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." 
} ] }, { - "id": "control-0368", - "title": "Media destruction", + "id": "control-1273", + "title": "Database servers", "parts": [ { - "id": "control-0368-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "Test and development environments do not use the same database servers as production environments." } ] - }, + } + ] + }, + { + "id": "databases", + "title": "Databases", + "controls": [ { - "id": "control-0361", - "title": "Media destruction", + "id": "control-1243", + "title": "Databases", "parts": [ { - "id": "control-0361-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "A database register is maintained and regularly audited." } ] }, { - "id": "control-0838", - "title": "Media destruction", + "id": "control-1256", + "title": "Databases", "parts": [ { - "id": "control-0838-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." + "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-0362", - "title": "Media destruction", + "id": "control-1252", + "title": "Databases", "parts": [ { - "id": "control-0362-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, { - "id": "control-0370", - "title": "Media destruction", + "id": "control-0393", + "title": "Databases", "parts": [ { - "id": "control-0370-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." } ] }, { - "id": "control-0371", - "title": "Media destruction", + "id": "control-1255", + "title": "Databases", "parts": [ { - "id": "control-0371-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." } ] }, { - "id": "control-0372", - "title": "Media destruction", + "id": "control-1268", + "title": "Databases", "parts": [ { - "id": "control-0372-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." 
} ] }, { - "id": "control-0373", - "title": "Media destruction", + "id": "control-1258", + "title": "Databases", "parts": [ { - "id": "control-0373-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." } ] }, { - "id": "control-0840", - "title": "Media destruction", + "id": "control-1274", + "title": "Databases", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." } ] }, { - "id": "control-0839", - "title": "Media destruction", + "id": "control-1275", + "title": "Databases", "parts": [ { - "id": "control-0839-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." 
} ] - } - ] - }, - { - "id": "media_usage", - "title": "Media usage", - "controls": [ + }, { - "id": "control-1549", - "title": "Media usage", + "id": "control-1276", + "title": "Databases", "parts": [ { - "id": "control-1549-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." } ] }, { - "id": "control-1359", - "title": "Media usage", + "id": "control-1278", + "title": "Databases", "parts": [ { - "id": "control-1359-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." } ] - }, + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ { - "id": "control-0323", - "title": "Media usage", + "id": "control-1245", + "title": "Database management system software", "parts": [ { - "id": "control-0323-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-0325", - "title": "Media usage", + "id": "control-1246", + "title": "Database management system software", "parts": [ { - "id": "control-0325-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." 
+ "prose": "DBMS software is configured according to vendor guidance." } ] }, { - "id": "control-0331", - "title": "Media usage", + "id": "control-1247", + "title": "Database management system software", "parts": [ { - "id": "control-0331-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." } ] }, { - "id": "control-0330", - "title": "Media usage", + "id": "control-1249", + "title": "Database management system software", "parts": [ { - "id": "control-0330-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] }, { - "id": "control-0332", - "title": "Media usage", + "id": "control-1250", + "title": "Database management system software", "parts": [ { - "id": "control-0332-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." 
} ] }, { - "id": "control-0337", - "title": "Media usage", + "id": "control-1251", + "title": "Database management system software", "parts": [ { - "id": "control-0337-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "The ability of DBMS software to read local files from a server is disabled." } ] }, { - "id": "control-0341", - "title": "Media usage", + "id": "control-1260", + "title": "Database management system software", "parts": [ { - "id": "control-0341-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-0342", - "title": "Media usage", + "id": "control-1262", + "title": "Database management system software", "parts": [ { - "id": "control-0342-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." + "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-0343", - "title": "Media usage", + "id": "control-1261", + "title": "Database management system software", "parts": [ { - "id": "control-0343-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "Database administrator accounts are not shared across different databases." 
} ] }, { - "id": "control-0345", - "title": "Media usage", + "id": "control-1263", + "title": "Database management system software", "parts": [ { - "id": "control-0345-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "External interface connections that allow DMA are disabled." + "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-0831", - "title": "Media usage", + "id": "control-1264", + "title": "Database management system software", "parts": [ { - "id": "control-0831-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." - } - ] - }, - { - "id": "control-1059", - "title": "Media usage", - "parts": [ - { - "id": "control-1059-stmt", - "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." - } - ] - }, - { - "id": "control-0347", - "title": "Media usage", - "parts": [ - { - "id": "control-0347-stmt", - "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ { - "id": "media_disposal", - "title": "Media disposal", + "id": "emanation_security", + "title": "Emanation security", "controls": [ { - "id": "control-0374", - "title": "Media disposal", + "id": "control-0247", + "title": "Emanation security", "parts": [ { - "id": "control-0374-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0375", - "title": "Media disposal", + "id": "control-0248", + "title": "Emanation security", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-0378", - "title": "Media disposal", + "id": "control-1137", + "title": "Emanation security", "parts": [ { - "id": "control-0378-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] - } - ] - }, - { - "id": "media_sanitisation", - "title": "Media sanitisation", - "controls": [ + }, { - "id": "control-0348", - "title": "Media sanitisation", + "id": "control-0932", + "title": "Emanation security", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." } ] }, { - "id": "control-0351", - "title": "Media sanitisation", + "id": "control-0249", + "title": "Emanation security", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-0352", - "title": "Media sanitisation", + "id": "control-0246", + "title": "Emanation security", "parts": [ { - "id": "control-0352-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." } ] }, { - "id": "control-0835", - "title": "Media sanitisation", + "id": "control-0250", + "title": "Emanation security", "parts": [ { - "id": "control-0835-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." } ] - }, + } + ] + }, + { + "id": "cable_patching", + "title": "Cable patching", + "controls": [ { - "id": "control-1065", - "title": "Media sanitisation", + "id": "control-0213", + "title": "Cable patching", "parts": [ { - "id": "control-1065-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "Only approved cable groups terminate on a patch panel." 
} ] }, { - "id": "control-0354", - "title": "Media sanitisation", + "id": "control-1093", + "title": "Cable patching", "parts": [ { - "id": "control-0354-stmt", + "id": "control-1093-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." + "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." } ] }, { - "id": "control-1067", - "title": "Media sanitisation", + "id": "control-0214", + "title": "Cable patching", "parts": [ { - "id": "control-1067-stmt", + "id": "control-0214-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." } ] }, { - "id": "control-0356", - "title": "Media sanitisation", + "id": "control-1094", + "title": "Cable patching", "parts": [ { - "id": "control-0356-stmt", + "id": "control-1094-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." 
} ] }, { - "id": "control-0357", - "title": "Media sanitisation", + "id": "control-0216", + "title": "Cable patching", "parts": [ { - "id": "control-0357-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." } ] }, { - "id": "control-0836", - "title": "Media sanitisation", + "id": "control-0217", + "title": "Cable patching", "parts": [ { - "id": "control-0836-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n§ a physical barrier in the cabinet is provided to separate patch panels\n§ only personnel holding a Positive Vetting security clearance have access to the cabinet\n§ approval from the TOP SECRET system’s authorising officer is obtained prior to installation." } ] }, { - "id": "control-0358", - "title": "Media sanitisation", + "id": "control-0218", + "title": "Cable patching", "parts": [ { - "id": "control-0358-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." 
+ "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." } ] - }, + } + ] + }, + { + "id": "cable_management", + "title": "Cable management", + "controls": [ { - "id": "control-0359", - "title": "Media sanitisation", + "id": "control-0181", + "title": "Cable management", "parts": [ { - "id": "control-0359-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority (ACMA)." } ] }, { - "id": "control-0360", - "title": "Media sanitisation", + "id": "control-0926", + "title": "Cable management", "parts": [ { - "id": "control-0360-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "The cable colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-0947", - "title": "Media sanitisation", + "id": "control-0825", + "title": "Cable management", "parts": [ { - "id": "control-0947-stmt", + "id": "control-0825-stmt", "name": "statement", - "prose": "All media is sanitised prior to reuse." + "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." 
} ] }, { - "id": "control-1464", - "title": "Media sanitisation", + "id": "control-0826", + "title": "Cable management", "parts": [ { - "id": "control-1464-stmt", + "id": "control-0826-stmt", "name": "statement", - "prose": "Where a Consumer Guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the Consumer Guide are followed." + "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_using_cryptography", - "title": "Guidelines for Using Cryptography", - "groups": [ - { - "id": "transport_layer_security", - "title": "Transport Layer Security", - "controls": [ + }, { - "id": "control-1139", - "title": "Transport Layer Security", + "id": "control-1215", + "title": "Cable management", "parts": [ { - "id": "control-1139-stmt", + "id": "control-1215-stmt", "name": "statement", - "prose": "Only the latest version of TLS is used." + "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." } ] }, { - "id": "control-1369", - "title": "Transport Layer Security", + "id": "control-1216", + "title": "Cable management", "parts": [ { - "id": "control-1369-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." + "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." } ] }, { - "id": "control-1370", - "title": "Transport Layer Security", + "id": "control-1112", + "title": "Cable management", "parts": [ { - "id": "control-1370-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." 
} ] }, { - "id": "control-1372", - "title": "Transport Layer Security", + "id": "control-1118", + "title": "Cable management", "parts": [ { - "id": "control-1372-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1448", - "title": "Transport Layer Security", + "id": "control-1119", + "title": "Cable management", "parts": [ { - "id": "control-1448-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1373", - "title": "Transport Layer Security", + "id": "control-1126", + "title": "Cable management", "parts": [ { - "id": "control-1373-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "Anonymous DH is not used." + "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1374", - "title": "Transport Layer Security", + "id": "control-0184", + "title": "Cable management", "parts": [ { - "id": "control-1374-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1375", - "title": "Transport Layer Security", + "id": "control-0187", + "title": "Cable management", "parts": [ { - "id": "control-1375-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." 
+ "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1553", - "title": "Transport Layer Security", + "id": "control-1111", + "title": "Cable management", "parts": [ { - "id": "control-1553-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "TLS compression is disabled." + "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." } ] }, { - "id": "control-1453", - "title": "Transport Layer Security", + "id": "control-0189", + "title": "Cable management", "parts": [ { - "id": "control-1453-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", - "controls": [ + }, { - "id": "control-0471", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0190", + "title": "Cable management", "parts": [ { - "id": "control-0471-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "If using cryptographic equipment or software that implements an AACA, only AACAs can be used." + "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." } ] }, { - "id": "control-0994", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1114", + "title": "Cable management", "parts": [ { - "id": "control-0994-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." 
} ] }, { - "id": "control-0472", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1130", + "title": "Cable management", "parts": [ { - "id": "control-0472-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." } ] }, { - "id": "control-0473", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1164", + "title": "Cable management", "parts": [ { - "id": "control-0473-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-1446", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0195", + "title": "Cable management", "parts": [ { - "id": "control-1446-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." } ] }, { - "id": "control-0474", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0194", + "title": "Cable management", "parts": [ { - "id": "control-0474-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." 
+ "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." } ] }, { - "id": "control-0475", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1102", + "title": "Cable management", "parts": [ { - "id": "control-0475-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-0476", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1101", + "title": "Cable management", "parts": [ { - "id": "control-0476-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-0477", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1103", + "title": "Cable management", "parts": [ { - "id": "control-0477-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." 
} ] }, { - "id": "control-1054", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1098", + "title": "Cable management", "parts": [ { - "id": "control-1054-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." + "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." } ] }, { - "id": "control-0479", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1100", + "title": "Cable management", "parts": [ { - "id": "control-0479-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-0480", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1116", + "title": "Cable management", "parts": [ { - "id": "control-0480-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] }, { - "id": "control-1232", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1115", + "title": "Cable management", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." } ] }, { - "id": "control-1468", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1133", + "title": "Cable management", "parts": [ { - "id": "control-1468-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." 
+ "prose": "In shared non-government facilities, cables are not run in a party wall." } ] - } - ] - }, - { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", - "controls": [ + }, { - "id": "control-0501", - "title": "Cryptographic system management", + "id": "control-1122", + "title": "Cable management", "parts": [ { - "id": "control-0501-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-0142", - "title": "Cryptographic system management", + "id": "control-1134", + "title": "Cable management", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1091", - "title": "Cryptographic system management", + "id": "control-1104", + "title": "Cable management", "parts": [ { - "id": "control-1091-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." 
} ] }, { - "id": "control-0499", - "title": "Cryptographic system management", + "id": "control-1105", + "title": "Cable management", "parts": [ { - "id": "control-0499-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." } ] }, { - "id": "control-0505", - "title": "Cryptographic system management", + "id": "control-1106", + "title": "Cable management", "parts": [ { - "id": "control-0505-stmt", + "id": "control-1106-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." } ] }, { - "id": "control-0506", - "title": "Cryptographic system management", + "id": "control-1107", + "title": "Cable management", "parts": [ { - "id": "control-0506-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Secure Shell", + "id": "control-1109", + "title": "Cable management", "parts": [ { - "id": "control-1506-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "Wall outlet box covers are clear plastic." 
} ] }, { - "id": "control-0484", - "title": "Secure Shell", + "id": "control-0198", + "title": "Cable management", "parts": [ { - "id": "control-0484-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." } ] }, { - "id": "control-0485", - "title": "Secure Shell", + "id": "control-1123", + "title": "Cable management", "parts": [ { - "id": "control-0485-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-1449", - "title": "Secure Shell", + "id": "control-1135", + "title": "Cable management", "parts": [ { - "id": "control-1449-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." - } - ] - }, - { - "id": "control-0487", - "title": "Secure Shell", - "parts": [ - { - "id": "control-0487-stmt", - "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n§ access from IP addresses that do not require access\n§ port forwarding\n§ agent credential forwarding\n§ X11 display remoting\n§ console access." - } - ] - }, - { - "id": "control-0488", - "title": "Secure Shell", - "parts": [ - { - "id": "control-0488-stmt", - "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." 
- } - ] - }, - { - "id": "control-0489", - "title": "Secure Shell", - "parts": [ - { - "id": "control-0489-stmt", - "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." - } - ] - } - ] - }, - { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", - "controls": [ - { - "id": "control-0481", - "title": "ASD Approved Cryptographic Protocols", - "parts": [ - { - "id": "control-0481-stmt", - "name": "statement", - "prose": "If using cryptographic equipment or software that implements an AACP, only AACAs can be used." - } - ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ - { - "id": "control-0490", - "title": "Secure/Multipurpose Internet Mail Extension", - "parts": [ - { - "id": "control-0490-stmt", - "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] } ] }, { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", + "id": "cable_labelling_and_registration", + "title": "Cable labelling and registration", "controls": [ { - "id": "control-1161", - "title": "Cryptographic fundamentals", - "parts": [ - { - "id": "control-1161-stmt", - "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." 
- } - ] - }, - { - "id": "control-0457", - "title": "Cryptographic fundamentals", - "parts": [ - { - "id": "control-0457-stmt", - "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." - } - ] - }, - { - "id": "control-0460", - "title": "Cryptographic fundamentals", - "parts": [ - { - "id": "control-0460-stmt", - "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." - } - ] - }, - { - "id": "control-0459", - "title": "Cryptographic fundamentals", + "id": "control-0201", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-0459-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." } ] }, { - "id": "control-0461", - "title": "Cryptographic fundamentals", + "id": "control-0202", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-0461-stmt", + "id": "control-0202-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." 
} ] }, { - "id": "control-1080", - "title": "Cryptographic fundamentals", + "id": "control-0203", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1080-stmt", + "id": "control-0203-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." + "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." } ] }, { - "id": "control-0455", - "title": "Cryptographic fundamentals", + "id": "control-0204", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-0455-stmt", + "id": "control-0204-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." } ] }, { - "id": "control-0462", - "title": "Cryptographic fundamentals", + "id": "control-1095", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-0462-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." 
} ] }, { - "id": "control-1162", - "title": "Cryptographic fundamentals", + "id": "control-1096", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1162-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." } ] }, { - "id": "control-0465", - "title": "Cryptographic fundamentals", + "id": "control-0206", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-0465-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-0467", - "title": "Cryptographic fundamentals", + "id": "control-0208", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-0467-stmt", + "id": "control-0208-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "A cable register is maintained with the following information:\n§ cable identifier\n§ classification\n§ source\n§ destination\n§ site/floor plan diagram\n§ seal numbers (if applicable)." 
} ] }, { - "id": "control-0469", - "title": "Cryptographic fundamentals", + "id": "control-0211", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-0469-stmt", + "id": "control-0211-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." + "prose": "Cables are inspected for inconsistencies with the cable register in accordance with the frequency defined in a system’s System Security Plan." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", "controls": [ { - "id": "control-0494", - "title": "Internet Protocol Security", - "parts": [ - { - "id": "control-0494-stmt", - "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." - } - ] - }, - { - "id": "control-0496", - "title": "Internet Protocol Security", - "parts": [ - { - "id": "control-0496-stmt", - "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." - } - ] - }, - { - "id": "control-1233", - "title": "Internet Protocol Security", - "parts": [ - { - "id": "control-1233-stmt", - "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." - } - ] - }, - { - "id": "control-0497", - "title": "Internet Protocol Security", - "parts": [ - { - "id": "control-0497-stmt", - "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." 
- } - ] - }, - { - "id": "control-0498", - "title": "Internet Protocol Security", - "parts": [ - { - "id": "control-0498-stmt", - "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." - } - ] - }, - { - "id": "control-0998", - "title": "Internet Protocol Security", + "id": "control-0100", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-0998-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "Commercial and government gateway and cloud services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program assessors at least every two years." } ] }, { - "id": "control-0999", - "title": "Internet Protocol Security", + "id": "control-1395", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-0999-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "If using outsourced cloud services, only those listed on the ACSC’s Certified Cloud Services List are used." } ] }, { - "id": "control-1000", - "title": "Internet Protocol Security", + "id": "control-1529", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1000-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "If using outsourced cloud services for highly classified information, public clouds are not used." } ] }, { - "id": "control-1001", - "title": "Internet Protocol Security", - "parts": [ - { - "id": "control-1001-stmt", - "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." 
- } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", - "groups": [ - { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", - "controls": [ - { - "id": "control-0280", - "title": "Evaluated product acquisition", + "id": "control-1396", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-0280-stmt", + "id": "control-1396-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "If using an outsourced cloud service not listed on the ACSC’s Certified Cloud Services List, or for highly classified information, the ACSC is notified in writing at the earliest opportunity, and certainly before entering into or renewing a contract." } ] }, { - "id": "control-0285", - "title": "Evaluated product acquisition", + "id": "control-0873", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-0285-stmt", + "id": "control-0873-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." + "prose": "If using an outsourced information technology service, or cloud service not listed on the ACSC’s Certified Cloud Services List, a service provider whose systems are located in Australia is used." } ] }, { - "id": "control-0286", - "title": "Evaluated product acquisition", + "id": "control-0072", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-0286-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." 
+ "prose": "Any security controls associated with the protection of information entrusted to a service provider are documented in contract provisions, a memorandum of understanding or an equivalent formal agreement between parties." } ] - } - ] - }, - { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", - "controls": [ + }, { - "id": "control-0289", - "title": "Evaluated product usage", + "id": "control-1073", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-0289-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "An organisation’s systems and information are not accessed or administered by a service provider from outside Australian borders unless a contractual arrangement exists between the organisation and the service provider to do so." } ] }, { - "id": "control-0290", - "title": "Evaluated product usage", + "id": "control-1451", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-0290-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + "prose": "When entering into a contractual arrangement for outsourced information technology or cloud services, contractual ownership over an organisation’s data is explicitly retained." } ] }, { - "id": "control-0292", - "title": "Evaluated product usage", + "id": "control-1452", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-0292-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." 
+ "prose": "A review of suppliers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." } ] } 
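Review bot: This hunk is a group reordering presented as line-level replacements, so the diff pairs unrelated controls (for example `"id": "control-0359"` / Media sanitisation is shown as replaced by `"id": "control-0181"` / Cable management) and, more importantly, it deletes whole groups without any matching additions in this hunk: `secure_shell` (controls 1506, 0484, 0485, 1449, 0487, 0488, 0489), `asd_approved_cryptographic_protocols` (0481), `secure-multipurpose_internet_mail_extension` (0490), `cryptographic_fundamentals` (1161, 0457, 0460, 0459, 0461, 1080, 0455, 0462, 1162, 0465, 0467, 0469), `internet_protocol_security` (0494, 0496, 1233, 0497, 0498, 0998, 0999, 1000, 1001) and `guidelines_for_evaluated_products` (0280, 0285, 0286, 0289, 0290, 0292). A line diff cannot show whether those controls are re-emitted elsewhere in the regenerated file, so please add, in the PR description or as a test, a comparison of the sorted set of control ids before and after regeneration (the ids are stable across the two versions, as the `-stmt` part naming shows), and state why the group order changed. The `(see source document for referenced table)` placeholders in the new `control-0926`, `control-0187` and `control-1107` statements carry the same limitation as the old `control-0484` one: the table contents are not in the catalog, which is worth a note for anyone implementing from it.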
@@ -2118,3363 +2068,3388 @@ ] }, { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", + "id": "guidelines_for_ict_equipment_management", + "title": "Guidelines for ICT Equipment Management", "groups": [ { - "id": "web_application_development", - "title": "Web application development", + "id": "ict_equipment_usage", + "title": "ICT equipment usage", "controls": [ { - "id": "control-1239", - "title": "Web application development", - "parts": [ - { - "id": "control-1239-stmt", - "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." - } - ] - }, - { - "id": "control-1552", - "title": "Web application development", - "parts": [ - { - "id": "control-1552-stmt", - "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." - } - ] - }, - { - "id": "control-1240", - "title": "Web application development", + "id": "control-1551", + "title": "ICT equipment usage", "parts": [ { - "id": "control-1240-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-1241", - "title": "Web application development", + "id": "control-0293", + "title": "ICT equipment usage", "parts": [ { - "id": "control-1241-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." 
} ] }, { - "id": "control-1424", - "title": "Web application development", + "id": "control-0294", + "title": "ICT equipment usage", "parts": [ { - "id": "control-1424-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-0971", - "title": "Web application development", + "id": "control-0296", + "title": "ICT equipment usage", "parts": [ { - "id": "control-0971-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] } ] }, { - "id": "application_development", - "title": "Application development", + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", "controls": [ { - "id": "control-0400", - "title": "Application development", + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0400-stmt", + "id": "control-0313-stmt", "name": "statement", - "prose": "Software development, testing and production environments are segregated." + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-1419", - "title": "Application development", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." 
+ "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-1420", - "title": "Application development", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1420-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." } ] }, { - "id": "control-1422", - "title": "Application development", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1422-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." } ] }, { - "id": "control-1238", - "title": "Application development", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1238-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." 
+ "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-0401", - "title": "Application development", + "id": "control-0315", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0401-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-0402", - "title": "Application development", - "parts": [ - { - "id": "control-0402-stmt", - "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ - { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1218", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." 
} ] }, { - "id": "control-0546", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0312", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0546-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." } ] }, { - "id": "control-0547", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0317", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0547-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." } ] }, { - "id": "control-0548", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1219", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." 
} ] }, { - "id": "control-0554", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1220", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." } ] }, { - "id": "control-0553", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1221", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0553-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-0555", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0318", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0555-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." + "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." 
} ] }, { - "id": "control-0551", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1534", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n§ IP phones authenticate themselves to the call controller upon registration\n§ auto-registration is disabled and only a whitelist of authorised devices is allowed to access the network\n§ unauthorised devices are blocked by default\n§ all unused and prohibited functionality is disabled." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." } ] }, - { - "id": "control-1014", - "title": "Video conferencing and Internet Protocol telephony", + { + "id": "control-1076", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1014-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-0549", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1222", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0549-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." 
} ] }, { - "id": "control-0556", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1223", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n§ following device-specific guidance provided by the ACSC\n§ following vendor sanitisation guidance\n§ loading a dummy configuration file, performing a factory reset and then reinstalling firmware." } ] }, { - "id": "control-1015", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1225", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1015-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-0558", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1226", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-0559", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1079", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." } ] }, { - "id": "control-1450", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0305", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-1450-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." } ] }, { - "id": "control-1019", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0307", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-1019-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n§ how to identify signs of a denial of service\n§ how to identify the source of a denial of service\n§ how capabilities can be maintained during a denial of service\n§ what actions can be taken to clear a denial of service." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." 
} ] - } - ] - }, - { - "id": "telephone_systems", - "title": "Telephone systems", - "controls": [ + }, { - "id": "control-1078", - "title": "Telephone systems", + "id": "control-0306", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-1078-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n§ is appropriately cleared and briefed\n§ takes due care to ensure that information is not disclosed\n§ takes all responsible measures to ensure the integrity of the ICT equipment\n§ has the authority to direct the technician\n§ is sufficiently familiar with the ICT equipment to understand the work being performed." } ] }, { - "id": "control-0229", - "title": "Telephone systems", + "id": "control-0310", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0229-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] }, { - "id": "control-0230", - "title": "Telephone systems", + "id": "control-0944", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0230-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." 
+ "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media_management", + "title": "Guidelines for Media Management", + "groups": [ + { + "id": "media_sanitisation", + "title": "Media sanitisation", + "controls": [ { - "id": "control-0231", - "title": "Telephone systems", + "id": "control-0348", + "title": "Media sanitisation", "parts": [ { - "id": "control-0231-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0232", - "title": "Telephone systems", + "id": "control-0351", + "title": "Media sanitisation", "parts": [ { - "id": "control-0232-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0233", - "title": "Telephone systems", + "id": "control-0352", + "title": "Media sanitisation", "parts": [ { - "id": "control-0233-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." 
+ "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." } ] }, { - "id": "control-0235", - "title": "Telephone systems", + "id": "control-0835", + "title": "Media sanitisation", "parts": [ { - "id": "control-0235-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-0236", - "title": "Telephone systems", + "id": "control-1065", + "title": "Media sanitisation", "parts": [ { - "id": "control-0236-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-0931", - "title": "Telephone systems", + "id": "control-0354", + "title": "Media sanitisation", "parts": [ { - "id": "control-0931-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." 
+ "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0237", - "title": "Telephone systems", + "id": "control-1067", + "title": "Media sanitisation", "parts": [ { - "id": "control-0237-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." } ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ + }, { - "id": "control-0588", - "title": "Fax machines and multifunction devices", + "id": "control-0356", + "title": "Media sanitisation", "parts": [ { - "id": "control-0588-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-1092", - "title": "Fax machines and multifunction devices", + "id": "control-0357", + "title": "Media sanitisation", "parts": [ { - "id": "control-1092-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." 
+ "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0241", - "title": "Fax machines and multifunction devices", + "id": "control-0836", + "title": "Media sanitisation", "parts": [ { - "id": "control-0241-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." + "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1075", - "title": "Fax machines and multifunction devices", + "id": "control-0358", + "title": "Media sanitisation", "parts": [ { - "id": "control-1075-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-0590", - "title": "Fax machines and multifunction devices", + "id": "control-0359", + "title": "Media sanitisation", "parts": [ { - "id": "control-0590-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." 
+ "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0245", - "title": "Fax machines and multifunction devices", + "id": "control-0360", + "title": "Media sanitisation", "parts": [ { - "id": "control-0245-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." } ] }, { - "id": "control-0589", - "title": "Fax machines and multifunction devices", + "id": "control-0947", + "title": "Media sanitisation", "parts": [ { - "id": "control-0589-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "All media is sanitised prior to reuse." } ] }, { - "id": "control-1036", - "title": "Fax machines and multifunction devices", + "id": "control-1464", + "title": "Media sanitisation", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "Where a Consumer Guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the Consumer Guide are followed." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_gateway_management", - "title": "Guidelines for Gateway Management", - "groups": [ + }, { - "id": "firewalls", - "title": "Firewalls", + "id": "media_disposal", + "title": "Media disposal", "controls": [ { - "id": "control-1528", - "title": "Firewalls", + "id": "control-0374", + "title": "Media disposal", "parts": [ { - "id": "control-1528-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." } ] }, { - "id": "control-0639", - "title": "Firewalls", + "id": "control-0375", + "title": "Media disposal", "parts": [ { - "id": "control-0639-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1194", - "title": "Firewalls", + "id": "control-0378", + "title": "Media disposal", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." 
} ] - }, + } + ] + }, + { + "id": "media_usage", + "title": "Media usage", + "controls": [ { - "id": "control-0641", - "title": "Firewalls", + "id": "control-1549", + "title": "Media usage", "parts": [ { - "id": "control-0641-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-0642", - "title": "Firewalls", + "id": "control-1359", + "title": "Media usage", "parts": [ { - "id": "control-0642-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." + "prose": "A removable media usage policy is developed and implemented." } ] - } - ] - }, - { - "id": "gateways", - "title": "Gateways", - "controls": [ + }, { - "id": "control-0628", - "title": "Gateways", + "id": "control-0323", + "title": "Media usage", "parts": [ { - "id": "control-0628-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." } ] }, { - "id": "control-1192", - "title": "Gateways", + "id": "control-0325", + "title": "Media usage", "parts": [ { - "id": "control-1192-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." 
+ "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-0631", - "title": "Gateways", + "id": "control-0331", + "title": "Media usage", "parts": [ { - "id": "control-0631-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "Gateways:\n§ are the only communications paths into and out of internal networks\n§ allow only explicitly authorised connections\n§ are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n§ are protected by authentication, logging and auditing of all physical and logical access to gateway components\n§ have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." } ] }, { - "id": "control-1427", - "title": "Gateways", + "id": "control-0330", + "title": "Media usage", "parts": [ { - "id": "control-1427-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." 
} ] }, { - "id": "control-0634", - "title": "Gateways", + "id": "control-0332", + "title": "Media usage", "parts": [ { - "id": "control-0634-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n§ log network traffic permitted through the gateway\n§ log network traffic attempting to leave the gateway\n§ are configured to save event logs to a secure logging facility\n§ provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-0637", - "title": "Gateways", + "id": "control-0337", + "title": "Media usage", "parts": [ { - "id": "control-0637-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." } ] }, { - "id": "control-1037", - "title": "Gateways", + "id": "control-0341", + "title": "Media usage", "parts": [ { - "id": "control-1037-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." 
} ] }, { - "id": "control-0611", - "title": "Gateways", + "id": "control-0342", + "title": "Media usage", "parts": [ { - "id": "control-0611-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-0612", - "title": "Gateways", + "id": "control-0343", + "title": "Media usage", "parts": [ { - "id": "control-0612-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-1520", - "title": "Gateways", + "id": "control-0345", + "title": "Media usage", "parts": [ { - "id": "control-1520-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "External interface connections that allow DMA are disabled." } ] }, { - "id": "control-0613", - "title": "Gateways", + "id": "control-0831", + "title": "Media usage", "parts": [ { - "id": "control-0613-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
} ] }, { - "id": "control-0616", - "title": "Gateways", + "id": "control-1059", + "title": "Media usage", "parts": [ { - "id": "control-0616-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "Roles for the administration of gateways are separated." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-0629", - "title": "Gateways", + "id": "control-0347", + "title": "Media usage", "parts": [ { - "id": "control-0629-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + } + ] + } + ] + }, + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ + { + "id": "control-0363", + "title": "Media destruction", + "parts": [ + { + "id": "control-0363-stmt", + "name": "statement", + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-0607", - "title": "Gateways", + "id": "control-0350", + "title": "Media destruction", "parts": [ { - "id": "control-0607-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n§ microfiche and microfilm\n§ optical discs\n§ programmable read-only memory\n§ read-only memory\n§ other types of media that cannot be sanitised\n§ faulty media that cannot be successfully sanitised." 
} ] }, { - "id": "control-0619", - "title": "Gateways", + "id": "control-1361", + "title": "Media destruction", "parts": [ { - "id": "control-0619-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "SCEC or ASIO approved equipment is used when destroying media." } ] }, { - "id": "control-0620", - "title": "Gateways", + "id": "control-1160", + "title": "Media destruction", "parts": [ { - "id": "control-0620-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency or certified by the United Kingdom’s National Cyber Security Centre are used." } ] }, { - "id": "control-1039", - "title": "Gateways", + "id": "control-1517", + "title": "Media destruction", "parts": [ { - "id": "control-1039-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." } ] }, { - "id": "control-0622", - "title": "Gateways", + "id": "control-0366", + "title": "Media destruction", "parts": [ { - "id": "control-0622-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." 
} ] - } - ] - }, - { - "id": "diodes", - "title": "Diodes", - "controls": [ + }, { - "id": "control-0643", - "title": "Diodes", + "id": "control-0368", + "title": "Media destruction", "parts": [ { - "id": "control-0643-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." } ] }, { - "id": "control-0645", - "title": "Diodes", + "id": "control-0361", + "title": "Media destruction", "parts": [ { - "id": "control-0645-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." } ] }, { - "id": "control-1157", - "title": "Diodes", + "id": "control-0838", + "title": "Media destruction", "parts": [ { - "id": "control-1157-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." 
} ] }, { - "id": "control-1158", - "title": "Diodes", + "id": "control-0362", + "title": "Media destruction", "parts": [ { - "id": "control-1158-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." } ] }, { - "id": "control-0646", - "title": "Diodes", + "id": "control-0370", + "title": "Media destruction", "parts": [ { - "id": "control-0646-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-0647", - "title": "Diodes", + "id": "control-0371", + "title": "Media destruction", "parts": [ { - "id": "control-0647-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." } ] }, { - "id": "control-0648", - "title": "Diodes", + "id": "control-0372", + "title": "Media destruction", "parts": [ { - "id": "control-0648-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." 
+ "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." } ] - } - ] - }, - { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", - "controls": [ + }, { - "id": "control-0626", - "title": "Cross Domain Solutions", + "id": "control-0373", + "title": "Media destruction", "parts": [ { - "id": "control-0626-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." } ] }, { - "id": "control-0597", - "title": "Cross Domain Solutions", + "id": "control-0840", + "title": "Media destruction", "parts": [ { - "id": "control-0597-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." } ] }, { - "id": "control-0627", - "title": "Cross Domain Solutions", + "id": "control-0839", + "title": "Media destruction", "parts": [ { - "id": "control-0627-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." 
+ "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ + { + "id": "facilities_and_systems", + "title": "Facilities and systems", + "controls": [ { - "id": "control-0635", - "title": "Cross Domain Solutions", + "id": "control-0810", + "title": "Facilities and systems", "parts": [ { - "id": "control-0635-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." } ] }, { - "id": "control-1521", - "title": "Cross Domain Solutions", + "id": "control-1053", + "title": "Facilities and systems", "parts": [ { - "id": "control-1521-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." } ] }, { - "id": "control-1522", - "title": "Cross Domain Solutions", + "id": "control-1530", + "title": "Facilities and systems", "parts": [ { - "id": "control-1522-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." 
+ "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." } ] }, { - "id": "control-0670", - "title": "Cross Domain Solutions", + "id": "control-0813", + "title": "Facilities and systems", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-1523", - "title": "Cross Domain Solutions", + "id": "control-1074", + "title": "Facilities and systems", "parts": [ { - "id": "control-1523-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." } ] }, { - "id": "control-0610", - "title": "Cross Domain Solutions", + "id": "control-0157", + "title": "Facilities and systems", "parts": [ { - "id": "control-0610-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." 
} ] - } - ] - }, - { - "id": "web_content_and_connections", - "title": "Web content and connections", - "controls": [ + }, { - "id": "control-0258", - "title": "Web content and connections", + "id": "control-1296", + "title": "Facilities and systems", "parts": [ { - "id": "control-0258-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." } ] }, { - "id": "control-0260", - "title": "Web content and connections", + "id": "control-0164", + "title": "Facilities and systems", "parts": [ { - "id": "control-0260-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." } ] - }, + } + ] + }, + { + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", + "controls": [ { - "id": "control-0261", - "title": "Web content and connections", + "id": "control-1543", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0261-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n§ address (uniform resource locator)\n§ time/date\n§ user\n§ amount of data uploaded and downloaded\n§ internal and external IP addresses." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." 
} ] }, { - "id": "control-0263", - "title": "Web content and connections", + "id": "control-0225", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0263-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "If permitting TLS through internet gateways, either of the following approaches is implemented:\n§ a solution that decrypts and inspects TLS traffic as per content filtering security controls\n§ a whitelist specifying the addresses (uniform resource locators) to which encrypted connections are permitted, with all other addresses blocked or decrypted and inspected as per content filtering security controls." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-0996", - "title": "Web content and connections", + "id": "control-0829", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0996-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." } ] }, { - "id": "control-0958", - "title": "Web content and connections", + "id": "control-1058", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0958-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "Whitelisting is implemented for all Hypertext Transfer Protocol (HTTP) traffic communicated through internet gateways." + "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." 
} ] }, { - "id": "control-0995", - "title": "Web content and connections", + "id": "control-0222", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0995-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "If using a whitelist on internet gateways to specify the external addresses to which connections are permitted, it specifies whitelisted addresses by domain name or IP address." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-1170", - "title": "Web content and connections", + "id": "control-0223", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-1170-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "If websites are not whitelisted, categories are implemented for all websites and prohibited and uncategorised websites are blocked." + "prose": "When using infrared keyboards, the following activities are prevented:\n§ line of sight and reflected communications travelling into unsecured spaces\n§ multiple infrared keyboards for different systems being used in the same area\n§ other infrared devices being used in the same area\n§ infrared keyboards operating in areas with unprotected windows." } ] }, { - "id": "control-0959", - "title": "Web content and connections", + "id": "control-0224", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0959-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "If whitelisting of websites is not implemented, blacklisting of websites is implemented to prevent access to known malicious websites." 
+ "prose": "When using infrared keyboards, the following activities are prevented:\n§ line of sight and reflected communications travelling into unsecured spaces\n§ multiple infrared keyboards for different systems being used in the same area\n§ other infrared devices being used in the same area\n§ infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." } ] }, { - "id": "control-0960", - "title": "Web content and connections", + "id": "control-0221", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0960-stmt", + "id": "control-0221-stmt", "name": "statement", - "prose": "If blacklisting websites, the blacklist is updated on a daily basis to ensure that it remains effective." + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." } ] - }, + } + ] + }, + { + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", + "controls": [ { - "id": "control-1171", - "title": "Web content and connections", + "id": "control-0336", + "title": "ICT equipment and media", "parts": [ { - "id": "control-1171-stmt", + "id": "control-0336-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "An ICT equipment and media register is maintained and regularly audited." } ] }, { - "id": "control-1236", - "title": "Web content and connections", + "id": "control-0159", + "title": "ICT equipment and media", "parts": [ { - "id": "control-1236-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "All ICT equipment and media are accounted for on a regular basis." 
} ] }, { - "id": "control-0963", - "title": "Web content and connections", + "id": "control-0161", + "title": "ICT equipment and media", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0161-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "ICT equipment and media are secured when not in use." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", + "groups": [ + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ { - "id": "control-0961", - "title": "Web content and connections", + "id": "control-0432", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0961-stmt", + "id": "control-0432-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a whitelist of approved websites which may be the same as the HTTP whitelist or a separate active content whitelist." + "prose": "Each system’s System Security Plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources." } ] }, { - "id": "control-1237", - "title": "Web content and connections", + "id": "control-0434", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1237-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." 
} ] - } - ] - }, - { - "id": "peripheral_switches", - "title": "Peripheral switches", - "controls": [ + }, { - "id": "control-0591", - "title": "Peripheral switches", + "id": "control-0435", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0591-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] }, { - "id": "control-1480", - "title": "Peripheral switches", + "id": "control-0414", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1480-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." } ] }, { - "id": "control-1457", - "title": "Peripheral switches", + "id": "control-0415", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1457-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-0593", - "title": "Peripheral switches", + "id": "control-0975", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0593-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." 
+ "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0594", - "title": "Peripheral switches", + "id": "control-0420", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0594-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." + "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_network_management", - "title": "Guidelines for Network Management", - "groups": [ - { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", - "controls": [ + }, { - "id": "control-1458", - "title": "Service continuity for online services", + "id": "control-1538", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1458-stmt", + "id": "control-1538-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." 
} ] }, { - "id": "control-1431", - "title": "Service continuity for online services", + "id": "control-0405", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1431-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with service providers, specifically:\n§ their capacity to withstand denial-of-service attacks\n§ any costs likely to be incurred by customers resulting from denial-of-service attacks\n§ thresholds for notifying customers or turning off their online services during denial-of-service attacks\n§ pre-approved actions that can be undertaken during denial-of-service attacks\n§ denial-of-service attack prevention arrangements with upstream providers to block malicious traffic as far upstream as possible." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-1432", - "title": "Service continuity for online services", + "id": "control-1503", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1432-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-1433", - "title": "Service continuity for online services", + "id": "control-0409", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1433-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "24x7 contact details are maintained for service providers and service providers maintain 24x7 contact details for their customers." 
+ "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-1434", - "title": "Service continuity for online services", + "id": "control-0411", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1434-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-1435", - "title": "Service continuity for online services", + "id": "control-0816", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1435-stmt", + "id": "control-0816-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." } ] }, { - "id": "control-1436", - "title": "Service continuity for online services", + "id": "control-1507", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." 
+ "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-1518", - "title": "Service continuity for online services", + "id": "control-1508", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-1437", - "title": "Service continuity for online services", + "id": "control-0445", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1437-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "A cloud service provider, preferably multiple different cloud service providers, is used for hosting online services." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." } ] }, { - "id": "control-1438", - "title": "Service continuity for online services", + "id": "control-1509", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1438-stmt", + "id": "control-1509-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." 
} ] }, { - "id": "control-1439", - "title": "Service continuity for online services", + "id": "control-1175", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1439-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the Web and obtaining files via online services." } ] }, { - "id": "control-1441", - "title": "Service continuity for online services", + "id": "control-0448", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1441-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists for online services, a denial of service mitigation service is used." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." } ] - } - ] - }, - { - "id": "wireless_networks", - "title": "Wireless networks", - "controls": [ + }, { - "id": "control-1314", - "title": "Wireless networks", + "id": "control-0446", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1314-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." 
} ] }, { - "id": "control-0536", - "title": "Wireless networks", + "id": "control-0447", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0536-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." } ] }, { - "id": "control-1315", - "title": "Wireless networks", + "id": "control-1545", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1315-stmt", + "id": "control-1545-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." } ] }, { - "id": "control-1316", - "title": "Wireless networks", + "id": "control-0430", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1316-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." } ] }, { - "id": "control-1317", - "title": "Wireless networks", + "id": "control-1404", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1317-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." 
+ "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." } ] }, { - "id": "control-1318", - "title": "Wireless networks", + "id": "control-0407", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1318-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "A secure record is maintained for the life of each system covering:\n§ all personnel authorised to access the system, and their user identification\n§ who provided authorisation for access\n§ when access was granted\n§ the level of access that was granted\n§ when access, and the level of access, was last reviewed\n§ when the level of access was changed, and to what extent (if applicable)\n§ when access was withdrawn (if applicable)." } ] }, { - "id": "control-1319", - "title": "Wireless networks", + "id": "control-0441", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1319-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." } ] }, { - "id": "control-1320", - "title": "Wireless networks", + "id": "control-0443", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1320-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." 
} ] }, { - "id": "control-1321", - "title": "Wireless networks", + "id": "control-0078", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1321-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." } ] }, { - "id": "control-1322", - "title": "Wireless networks", + "id": "control-0854", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1322-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] - }, + } + ] + }, + { + "id": "cyber_security_awareness_raising_and_training", + "title": "Cyber security awareness raising and training", + "controls": [ { - "id": "control-1324", - "title": "Wireless networks", + "id": "control-0252", + "title": "Cyber security awareness raising and training", "parts": [ { - "id": "control-1324-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "Ongoing cyber security awareness raising and training is provided to personnel and includes:\n§ the purpose of the cyber security awareness raising and training program\n§ security appointments and contacts within the organisation\n§ the authorised use of systems and their resources\n§ the protection of systems and their resources\n§ reporting of cyber security incidents and suspected compromises of systems and their resources." 
} ] }, { - "id": "control-1323", - "title": "Wireless networks", + "id": "control-0817", + "title": "Cyber security awareness raising and training", "parts": [ { - "id": "control-1323-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "Personnel are advised what suspicious contact is and how to report it, especially when using online services." } ] }, { - "id": "control-1325", - "title": "Wireless networks", + "id": "control-0820", + "title": "Cyber security awareness raising and training", "parts": [ { - "id": "control-1325-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." + "prose": "Personnel are advised to not post work information to non-approved online services and to report cases where such information is posted." } ] }, { - "id": "control-1326", - "title": "Wireless networks", + "id": "control-1146", + "title": "Cyber security awareness raising and training", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." } ] }, { - "id": "control-1327", - "title": "Wireless networks", + "id": "control-0821", + "title": "Cyber security awareness raising and training", "parts": [ { - "id": "control-1327-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." 
} ] }, { - "id": "control-1330", - "title": "Wireless networks", + "id": "control-0824", + "title": "Cyber security awareness raising and training", "parts": [ { - "id": "control-1330-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateway_management", + "title": "Guidelines for Gateway Management", + "groups": [ + { + "id": "web_content_and_connections", + "title": "Web content and connections", + "controls": [ { - "id": "control-1454", - "title": "Wireless networks", + "id": "control-0258", + "title": "Web content and connections", "parts": [ { - "id": "control-1454-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "A web usage policy is developed and implemented." } ] }, { - "id": "control-1332", - "title": "Wireless networks", + "id": "control-0260", + "title": "Web content and connections", "parts": [ { - "id": "control-1332-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-1334", - "title": "Wireless networks", + "id": "control-0261", + "title": "Web content and connections", "parts": [ { - "id": "control-1334-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." 
+ "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n§ address (uniform resource locator)\n§ time/date\n§ user\n§ amount of data uploaded and downloaded\n§ internal and external IP addresses." } ] }, { - "id": "control-1335", - "title": "Wireless networks", + "id": "control-0263", + "title": "Web content and connections", "parts": [ { - "id": "control-1335-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "If permitting TLS through internet gateways, either of the following approaches is implemented:\n§ a solution that decrypts and inspects TLS traffic as per content filtering security controls\n§ a whitelist specifying the addresses (uniform resource locators) to which encrypted connections are permitted, with all other addresses blocked or decrypted and inspected as per content filtering security controls." } ] }, { - "id": "control-1338", - "title": "Wireless networks", + "id": "control-0996", + "title": "Web content and connections", "parts": [ { - "id": "control-1338-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] }, { - "id": "control-1013", - "title": "Wireless networks", + "id": "control-0958", + "title": "Web content and connections", "parts": [ { - "id": "control-1013-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." 
+ "prose": "Whitelisting is implemented for all Hypertext Transfer Protocol (HTTP) traffic communicated through internet gateways." } ] - } - ] - }, - { - "id": "network_design_and_configuration", - "title": "Network design and configuration", - "controls": [ + }, { - "id": "control-0516", - "title": "Network design and configuration", + "id": "control-0995", + "title": "Web content and connections", "parts": [ { - "id": "control-0516-stmt", + "id": "control-0995-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "If using a whitelist on internet gateways to specify the external addresses to which connections are permitted, it specifies whitelisted addresses by domain name or IP address." } ] }, { - "id": "control-0518", - "title": "Network design and configuration", + "id": "control-1170", + "title": "Web content and connections", "parts": [ { - "id": "control-0518-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "If websites are not whitelisted, categories are implemented for all websites and prohibited and uncategorised websites are blocked." } ] }, { - "id": "control-1178", - "title": "Network design and configuration", + "id": "control-0959", + "title": "Web content and connections", "parts": [ { - "id": "control-1178-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." 
+ "prose": "If whitelisting of websites is not implemented, blacklisting of websites is implemented to prevent access to known malicious websites." } ] }, { - "id": "control-1181", - "title": "Network design and configuration", + "id": "control-0960", + "title": "Web content and connections", "parts": [ { - "id": "control-1181-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "If blacklisting websites, the blacklist is updated on a daily basis to ensure that it remains effective." } ] }, { - "id": "control-1532", - "title": "Network design and configuration", + "id": "control-1171", + "title": "Web content and connections", "parts": [ { - "id": "control-1532-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0529", - "title": "Network design and configuration", + "id": "control-1236", + "title": "Web content and connections", "parts": [ { - "id": "control-0529-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." + "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." } ] }, { - "id": "control-1364", - "title": "Network design and configuration", + "id": "control-0963", + "title": "Web content and connections", "parts": [ { - "id": "control-1364-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." 
+ "prose": "A web content filter is used to filter potentially harmful web-based content." } ] }, { - "id": "control-0535", - "title": "Network design and configuration", + "id": "control-0961", + "title": "Web content and connections", "parts": [ { - "id": "control-0535-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "Client-side active content, such as Java, is restricted to a whitelist of approved websites which may be the same as the HTTP whitelist or a separate active content whitelist." } ] }, { - "id": "control-0530", - "title": "Network design and configuration", + "id": "control-1237", + "title": "Web content and connections", "parts": [ { - "id": "control-0530-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] - }, + } + ] + }, + { + "id": "peripheral_switches", + "title": "Peripheral switches", + "controls": [ { - "id": "control-0521", - "title": "Network design and configuration", + "id": "control-0591", + "title": "Peripheral switches", "parts": [ { - "id": "control-0521-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-1186", - "title": "Network design and configuration", + "id": "control-1480", + "title": "Peripheral switches", "parts": [ { - "id": "control-1186-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." 
+ "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-1428", - "title": "Network design and configuration", + "id": "control-1457", + "title": "Peripheral switches", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." } ] }, { - "id": "control-1429", - "title": "Network design and configuration", + "id": "control-0593", + "title": "Peripheral switches", "parts": [ { - "id": "control-1429-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally connected network boundaries." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-1430", - "title": "Network design and configuration", + "id": "control-0594", + "title": "Peripheral switches", "parts": [ { - "id": "control-1430-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." 
} ] - }, + } + ] + }, + { + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", + "controls": [ { - "id": "control-0520", - "title": "Network design and configuration", + "id": "control-0626", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0520-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-1182", - "title": "Network design and configuration", + "id": "control-0597", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-1182-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-1301", - "title": "Network design and configuration", + "id": "control-0627", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-1301-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." 
} ] }, { - "id": "control-1304", - "title": "Network design and configuration", + "id": "control-0635", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-1304-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-0534", - "title": "Network design and configuration", + "id": "control-1521", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." } ] }, { - "id": "control-0385", - "title": "Network design and configuration", + "id": "control-1522", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." } ] }, { - "id": "control-1479", - "title": "Network design and configuration", + "id": "control-0670", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-1479-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." 
} ] }, { - "id": "control-1460", - "title": "Network design and configuration", + "id": "control-1523", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-1460-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware:\n§ the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner\n§ the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism\n§ the underlying operating system running on the server is hardened\n§ patches are applied to the isolation mechanism and underlying operating system in a timely manner\n§ integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." } ] }, { - "id": "control-1462", - "title": "Network design and configuration", + "id": "control-0610", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0610-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." 
} ] - }, + } + ] + }, + { + "id": "diodes", + "title": "Diodes", + "controls": [ { - "id": "control-1461", - "title": "Network design and configuration", + "id": "control-0643", + "title": "Diodes", "parts": [ { - "id": "control-1461-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1006", - "title": "Network design and configuration", + "id": "control-0645", + "title": "Diodes", "parts": [ { - "id": "control-1006-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." } ] }, { - "id": "control-1311", - "title": "Network design and configuration", + "id": "control-1157", + "title": "Diodes", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." } ] }, { - "id": "control-1312", - "title": "Network design and configuration", + "id": "control-1158", + "title": "Diodes", "parts": [ { - "id": "control-1312-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." 
+ "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." } ] }, { - "id": "control-1028", - "title": "Network design and configuration", + "id": "control-0646", + "title": "Diodes", "parts": [ { - "id": "control-1028-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage, including public network infrastructure." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-1030", - "title": "Network design and configuration", + "id": "control-0647", + "title": "Diodes", "parts": [ { - "id": "control-1030-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-1185", - "title": "Network design and configuration", + "id": "control-0648", + "title": "Diodes", "parts": [ { - "id": "control-1185-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ + }, { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", + "id": "gateways", + "title": "Gateways", "controls": [ { - "id": "control-0041", - "title": "System-specific security documentation", + "id": "control-0628", + "title": "Gateways", "parts": [ { - "id": "control-0041-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "Systems have a SSP that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "All systems are protected from systems in other security domains by one or more gateways." } ] }, { - "id": "control-0043", - "title": "System-specific security documentation", + "id": "control-1192", + "title": "Gateways", "parts": [ { - "id": "control-0043-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "Systems have an IRP that covers the following:\n§ guidelines on what constitutes a cyber security incident\n§ the types of incidents likely to be encountered and the expected response to each type\n§ how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n§ other parties which need to be informed in the event of a cyber security incident\n§ the authority, or authorities, responsible for investigating and responding to cyber security incidents\n§ the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n§ the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n§ system contingency measures or a reference to such details 
if they are located in a separate document." + "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ + }, { - "id": "control-0039", - "title": "Development and maintenance of security documentation", + "id": "control-0631", + "title": "Gateways", "parts": [ { - "id": "control-0039-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." + "prose": "Gateways:\n§ are the only communications paths into and out of internal networks\n§ allow only explicitly authorised connections\n§ are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n§ are protected by authentication, logging and auditing of all physical and logical access to gateway components\n§ have all security controls tested to verify their effectiveness after any changes to their configuration." } ] }, { - "id": "control-0047", - "title": "Development and maintenance of security documentation", + "id": "control-1427", + "title": "Gateways", "parts": [ { - "id": "control-0047-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." 
} ] }, { - "id": "control-0888", - "title": "Development and maintenance of security documentation", + "id": "control-0634", + "title": "Gateways", "parts": [ { - "id": "control-0888-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "All gateways connecting networks in different security domains are operated such that they:\n§ log network traffic permitted through the gateway\n§ log network traffic attempting to leave the gateway\n§ are configured to save event logs to a secure logging facility\n§ provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_raising_and_training", - "title": "Cyber security awareness raising and training", - "controls": [ + }, { - "id": "control-0252", - "title": "Cyber security awareness raising and training", + "id": "control-0637", + "title": "Gateways", "parts": [ { - "id": "control-0252-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "Ongoing cyber security awareness raising and training is provided to personnel and includes:\n§ the purpose of the cyber security awareness raising and training program\n§ security appointments and contacts within the organisation\n§ the authorised use of systems and their resources\n§ the protection of systems and their resources\n§ reporting of cyber security incidents and suspected compromises of systems and their resources." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." 
} ] }, { - "id": "control-0817", - "title": "Cyber security awareness raising and training", + "id": "control-1037", + "title": "Gateways", "parts": [ { - "id": "control-0817-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "Personnel are advised what suspicious contact is and how to report it, especially when using online services." + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-0820", - "title": "Cyber security awareness raising and training", + "id": "control-0611", + "title": "Gateways", "parts": [ { - "id": "control-0820-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to non-approved online services and to report cases where such information is posted." + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." } ] }, { - "id": "control-1146", - "title": "Cyber security awareness raising and training", + "id": "control-0612", + "title": "Gateways", + "parts": [ + { + "id": "control-0612-stmt", + "name": "statement", + "prose": "System administrators are formally trained to manage gateways." + } + ] + }, + { + "id": "control-1520", + "title": "Gateways", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." 
} ] }, { - "id": "control-0821", - "title": "Cyber security awareness raising and training", + "id": "control-0613", + "title": "Gateways", "parts": [ { - "id": "control-0821-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." } ] }, { - "id": "control-0824", - "title": "Cyber security awareness raising and training", + "id": "control-0616", + "title": "Gateways", "parts": [ { - "id": "control-0824-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "Roles for the administration of gateways are separated." } ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "Access to systems and their resources", + "id": "control-0629", + "title": "Gateways", "parts": [ { - "id": "control-0432-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "Each system’s System Security Plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." 
} ] }, { - "id": "control-0434", - "title": "Access to systems and their resources", + "id": "control-0607", + "title": "Gateways", "parts": [ { - "id": "control-0434-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." } ] }, { - "id": "control-0435", - "title": "Access to systems and their resources", + "id": "control-0619", + "title": "Gateways", "parts": [ { - "id": "control-0435-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + "prose": "Users and services accessing networks through gateways are authenticated." } ] }, { - "id": "control-0414", - "title": "Access to systems and their resources", + "id": "control-0620", + "title": "Gateways", "parts": [ { - "id": "control-0414-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-0415", - "title": "Access to systems and their resources", + "id": "control-1039", + "title": "Gateways", "parts": [ { - "id": "control-0415-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "Multi-factor authentication is used for access to gateways." 
} ] }, { - "id": "control-0975", - "title": "Access to systems and their resources", + "id": "control-0622", + "title": "Gateways", "parts": [ { - "id": "control-0975-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "ICT equipment accessing networks through gateways is authenticated." } ] - }, + } + ] + }, + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-0420", - "title": "Access to systems and their resources", + "id": "control-1528", + "title": "Firewalls", "parts": [ { - "id": "control-0420-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1538", - "title": "Access to systems and their resources", + "id": "control-0639", + "title": "Firewalls", "parts": [ { - "id": "control-1538-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] }, { - "id": "control-0405", - "title": "Access to systems and their resources", + "id": "control-1194", + "title": "Firewalls", "parts": [ { - "id": "control-0405-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." 
+ "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." } ] }, { - "id": "control-1503", - "title": "Access to systems and their resources", + "id": "control-0641", + "title": "Firewalls", "parts": [ { - "id": "control-1503-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." } ] }, { - "id": "control-0409", - "title": "Access to systems and their resources", + "id": "control-0642", + "title": "Firewalls", "parts": [ { - "id": "control-0409-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_using_cryptography", + "title": "Guidelines for Using Cryptography", + "groups": [ + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-0411", - "title": "Access to systems and their resources", + "id": "control-1139", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0411-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "Only the latest version of TLS is used." } ] }, { - "id": "control-0816", - "title": "Access to systems and their resources", + "id": "control-1369", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0816-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-1507", - "title": "Access to systems and their resources", + "id": "control-1370", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1507-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Only server-initiated secure renegotiation is used." 
} ] }, { - "id": "control-1508", - "title": "Access to systems and their resources", + "id": "control-1372", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1508-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "DH or ECDH is used for key establishment." } ] }, { - "id": "control-0445", - "title": "Access to systems and their resources", + "id": "control-1448", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0445-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." } ] }, { - "id": "control-1509", - "title": "Access to systems and their resources", + "id": "control-1373", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1509-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-1175", - "title": "Access to systems and their resources", + "id": "control-1374", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1175-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the Web and obtaining files via online services." + "prose": "SHA-2-based certificates are used." 
} ] }, { - "id": "control-0448", - "title": "Access to systems and their resources", + "id": "control-1375", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0448-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." } ] }, { - "id": "control-0446", - "title": "Access to systems and their resources", + "id": "control-1553", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0446-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." + "prose": "TLS compression is disabled." } ] }, { - "id": "control-0447", - "title": "Access to systems and their resources", + "id": "control-1453", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0447-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "PFS is used for TLS connections." } ] - }, + } + ] + }, + { + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", + "controls": [ { - "id": "control-1545", - "title": "Access to systems and their resources", + "id": "control-1161", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1545-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." 
+ "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." } ] }, { - "id": "control-0430", - "title": "Access to systems and their resources", + "id": "control-0457", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-0430-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] }, { - "id": "control-1404", - "title": "Access to systems and their resources", + "id": "control-0460", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1404-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." 
} ] }, - { - "id": "control-0407", - "title": "Access to systems and their resources", + { + "id": "control-0459", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-0407-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n§ all personnel authorised to access the system, and their user identification\n§ who provided authorisation for access\n§ when access was granted\n§ the level of access that was granted\n§ when access, and the level of access, was last reviewed\n§ when the level of access was changed, and to what extent (if applicable)\n§ when access was withdrawn (if applicable)." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-0441", - "title": "Access to systems and their resources", + "id": "control-0461", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-0441-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-0443", - "title": "Access to systems and their resources", + "id": "control-1080", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-0443-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." 
+ "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." } ] }, { - "id": "control-0078", - "title": "Access to systems and their resources", + "id": "control-0455", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-0078-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." } ] }, { - "id": "control-0854", - "title": "Access to systems and their resources", + "id": "control-0462", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-0854-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." + "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", - "groups": [ - { - "id": "authentication_hardening", - "title": "Authentication hardening", - "controls": [ + }, { - "id": "control-1546", - "title": "Authentication hardening", + "id": "control-1162", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1546-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0974", - "title": "Authentication hardening", + "id": "control-0465", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-0974-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1173", - "title": "Authentication hardening", + "id": "control-0467", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1173-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." 
} ] }, { - "id": "control-1504", - "title": "Authentication hardening", + "id": "control-0469", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1504-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", + "controls": [ { - "id": "control-1505", - "title": "Authentication hardening", + "id": "control-0471", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1505-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "If using cryptographic equipment or software that implements an AACA, only AACAs can be used." } ] }, { - "id": "control-1401", - "title": "Authentication hardening", + "id": "control-0994", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." } ] }, { - "id": "control-1559", - "title": "Authentication hardening", + "id": "control-0472", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1559-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." 
+ "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1560", - "title": "Authentication hardening", + "id": "control-0473", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1560-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1561", - "title": "Authentication hardening", + "id": "control-1446", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1561-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." } ] }, { - "id": "control-1357", - "title": "Authentication hardening", + "id": "control-0474", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1357-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." + "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] }, { - "id": "control-0417", - "title": "Authentication hardening", + "id": "control-0475", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0417-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." 
+ "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] }, { - "id": "control-0421", - "title": "Authentication hardening", + "id": "control-0476", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0421-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1557", - "title": "Authentication hardening", + "id": "control-0477", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." } ] }, { - "id": "control-0422", - "title": "Authentication hardening", + "id": "control-1054", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0422-stmt", + "id": "control-1054-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." 
} ] }, { - "id": "control-1558", - "title": "Authentication hardening", + "id": "control-0479", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n§ are not constructed from song lyrics, movies, literature or any other publically available material\n§ do not form a real sentence in a natural language\n§ are not a list of categorised words." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." } ] }, { - "id": "control-1403", - "title": "Authentication hardening", + "id": "control-0480", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1403-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "3DES is used with three distinct keys." } ] }, { - "id": "control-0431", - "title": "Authentication hardening", + "id": "control-1232", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0431-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "AACAs are used in an evaluated implementation." } ] }, { - "id": "control-0976", - "title": "Authentication hardening", + "id": "control-1468", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0976-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." 
} ] - }, + } + ] + }, + { + "id": "secure_shell", + "title": "Secure Shell", + "controls": [ { - "id": "control-1227", - "title": "Authentication hardening", + "id": "control-1506", + "title": "Secure Shell", "parts": [ { - "id": "control-1227-stmt", + "id": "control-1506-stmt", "name": "statement", - "prose": "Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date." + "prose": "The use of SSH version 1 is disabled." } ] }, { - "id": "control-1055", - "title": "Authentication hardening", + "id": "control-0484", + "title": "Secure Shell", "parts": [ { - "id": "control-1055-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "LAN Manager is disabled for password/passphrase authentication." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-0418", - "title": "Authentication hardening", + "id": "control-0485", + "title": "Secure Shell", "parts": [ { - "id": "control-0418-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." + "prose": "Public key-based authentication is used for SSH connections." } ] }, { - "id": "control-1402", - "title": "Authentication hardening", + "id": "control-1449", + "title": "Secure Shell", "parts": [ { - "id": "control-1402-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "Credentials are protected by ensuring:\n§ passwords/passphrases expire every 12 months\n§ passwords/passphrases are stored as salted hashes\n§ password/passphrase stretching is implemented\n§ passwords/passphrases appearing in breach databases are blacklisted\n§ passwords/passphrases are never sent in the clear across networks." 
+ "prose": "SSH private keys are protected with a passphrase or a key encryption key." } ] }, { - "id": "control-0428", - "title": "Authentication hardening", + "id": "control-0487", + "title": "Secure Shell", "parts": [ { - "id": "control-0428-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n§ activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n§ completely conceals all information on the screen\n§ ensures that the screen does not enter a power saving state before the screen or session lock is activated\n§ requires the user to reauthenticate to unlock the system\n§ denies users the ability to disable the session or screen locking mechanism." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n§ access from IP addresses that do not require access\n§ port forwarding\n§ agent credential forwarding\n§ X11 display remoting\n§ console access." } ] }, - { - "id": "control-0408", - "title": "Authentication hardening", + { + "id": "control-0488", + "title": "Secure Shell", "parts": [ { - "id": "control-0408-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." } ] }, { - "id": "control-0979", - "title": "Authentication hardening", + "id": "control-0489", + "title": "Secure Shell", "parts": [ { - "id": "control-0979-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." 
+ "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." } ] } ] }, { - "id": "operating_system_hardening", - "title": "Operating system hardening", + "id": "cryptographic_system_management", + "title": "Cryptographic system management", "controls": [ { - "id": "control-1407", - "title": "Operating system hardening", + "id": "control-0501", + "title": "Cryptographic system management", "parts": [ { - "id": "control-1407-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for Standard Operating Environments (SOEs)." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." } ] }, { - "id": "control-1408", - "title": "Operating system hardening", + "id": "control-0142", + "title": "Cryptographic system management", "parts": [ { - "id": "control-1408-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." } ] }, { - "id": "control-1409", - "title": "Operating system hardening", + "id": "control-1091", + "title": "Cryptographic system management", "parts": [ { - "id": "control-1409-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "Keying material is changed when compromised or suspected of being compromised." 
} ] }, { - "id": "control-0383", - "title": "Operating system hardening", + "id": "control-0499", + "title": "Cryptographic system management", "parts": [ { - "id": "control-0383-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." } ] }, { - "id": "control-0380", - "title": "Operating system hardening", + "id": "control-0505", + "title": "Cryptographic system management", "parts": [ { - "id": "control-0380-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." } ] }, { - "id": "control-1491", - "title": "Operating system hardening", + "id": "control-0506", + "title": "Cryptographic system management", "parts": [ { - "id": "control-1491-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." 
} ] - }, + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ { - "id": "control-1410", - "title": "Operating system hardening", + "id": "control-0494", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1410-stmt", + "id": "control-0494-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." } ] }, { - "id": "control-1469", - "title": "Operating system hardening", + "id": "control-0496", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1469-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + "prose": "The ESP protocol is used for IPsec connections." } ] }, { - "id": "control-0382", - "title": "Operating system hardening", + "id": "control-1233", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-0382-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "Users do not have the ability to install, uninstall or disable software." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-0843", - "title": "Operating system hardening", + "id": "control-0497", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-0843-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "An application whitelisting solution is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." 
} ] }, { - "id": "control-1490", - "title": "Operating system hardening", + "id": "control-0498", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1490-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "An application whitelisting solution is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." } ] }, { - "id": "control-0955", - "title": "Operating system hardening", + "id": "control-0998", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-0955-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Application whitelisting is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-1471", - "title": "Operating system hardening", + "id": "control-0999", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1471-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "When implementing application whitelisting using publisher certificate rules, both publisher names and product names are used." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." } ] }, { - "id": "control-1392", - "title": "Operating system hardening", + "id": "control-1000", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1392-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "When implementing application whitelisting using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." 
+ "prose": "PFS is used for IPsec connections." } ] }, { - "id": "control-1544", - "title": "Operating system hardening", + "id": "control-1001", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1544-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application whitelisting bypasses." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." } ] - }, + } + ] + }, + { + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", + "controls": [ { - "id": "control-0846", - "title": "Operating system hardening", + "id": "control-0490", + "title": "Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-0846-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application whitelisting mechanisms." + "prose": "Versions of S/MIME earlier than 3.0 are not used." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ { - "id": "control-0957", - "title": "Operating system hardening", + "id": "control-0481", + "title": "ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-0957-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Application whitelisting solutions are configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "If using cryptographic equipment or software that implements an AACP, only AACAs can be used." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ + { + "id": "control-1510", + "title": "Data backup and restoration", + "parts": [ + { + "id": "control-1510-stmt", + "name": "statement", + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-1414", - "title": "Operating system hardening", + "id": "control-1547", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1414-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." } ] }, { - "id": "control-1492", - "title": "Operating system hardening", + "id": "control-1548", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1492-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "If supported, Microsoft's 'Exploit protection' functionality is implemented on workstations and servers." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." } ] }, { - "id": "control-1341", - "title": "Operating system hardening", + "id": "control-1511", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1341-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "Backups of important information, software and configuration settings are performed at least daily." 
} ] }, { - "id": "control-1034", - "title": "Operating system hardening", + "id": "control-1512", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1034-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." } ] }, { - "id": "control-1416", - "title": "Operating system hardening", + "id": "control-1513", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1416-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "Backups are stored at a multiple geographically-dispersed locations." } ] }, { - "id": "control-1417", - "title": "Operating system hardening", + "id": "control-1514", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1417-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n§ signature-based detection enabled and set to a high level\n§ heuristic-based detection enabled and set to a high level\n§ detection signatures checked for currency and updated on at least a daily basis\n§ automatic and regular scanning configured for all fixed disks and removable media." + "prose": "Backups are stored for three months or greater." } ] }, { - "id": "control-1390", - "title": "Operating system hardening", + "id": "control-1515", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1390-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." 
+ "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1418", - "title": "Operating system hardening", + "id": "control-1516", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1418-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." } ] } ] }, { - "id": "application_hardening", - "title": "Application hardening", + "id": "system_administration", + "title": "System administration", "controls": [ { - "id": "control-0938", - "title": "Application hardening", + "id": "control-0042", + "title": "System administration", "parts": [ { - "id": "control-0938-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." } ] }, { - "id": "control-1467", - "title": "Application hardening", + "id": "control-1380", + "title": "System administration", "parts": [ { - "id": "control-1467-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." + "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." 
} ] }, { - "id": "control-1483", - "title": "Application hardening", + "id": "control-1382", + "title": "System administration", "parts": [ { - "id": "control-1483-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." } ] }, { - "id": "control-1412", - "title": "Application hardening", + "id": "control-1381", + "title": "System administration", "parts": [ { - "id": "control-1412-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." } ] }, { - "id": "control-1484", - "title": "Application hardening", + "id": "control-1383", + "title": "System administration", "parts": [ { - "id": "control-1484-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." } ] }, { - "id": "control-1485", - "title": "Application hardening", + "id": "control-1384", + "title": "System administration", "parts": [ { - "id": "control-1485-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "Multi-factor authentication is used to authenticate users each time they perform privileged actions." 
} ] }, { - "id": "control-1486", - "title": "Application hardening", + "id": "control-1385", + "title": "System administration", "parts": [ { - "id": "control-1486-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the Internet." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." } ] }, { - "id": "control-1541", - "title": "Application hardening", + "id": "control-1386", + "title": "System administration", "parts": [ { - "id": "control-1541-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-1542", - "title": "Application hardening", + "id": "control-1387", + "title": "System administration", "parts": [ { - "id": "control-1542-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "All administrative actions are conducted through a jump server." } ] }, { - "id": "control-1470", - "title": "Application hardening", + "id": "control-1388", + "title": "System administration", "parts": [ { - "id": "control-1470-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." 
} ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-1235", - "title": "Application hardening", + "id": "control-1211", + "title": "Change management", "parts": [ { - "id": "control-1235-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." + "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n§ identification and documentation of requests for change\n§ approval required for changes to be made\n§ implementation and testing of approved changes\n§ the maintenance of system and security documentation." } ] - }, + } + ] + }, + { + "id": "system_patching", + "title": "System patching", + "controls": [ { - "id": "control-1487", - "title": "Application hardening", + "id": "control-1143", + "title": "System patching", "parts": [ { - "id": "control-1487-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-1488", - "title": "Application hardening", + "id": "control-1493", + "title": "System patching", "parts": [ { - "id": "control-1488-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the Internet are blocked." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." 
} ] }, { - "id": "control-1489", - "title": "Application hardening", - "parts": [ - { - "id": "control-1489-stmt", - "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ - { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", - "controls": [ - { - "id": "control-0580", - "title": "Event logging and auditing", + "id": "control-1144", + "title": "System patching", "parts": [ { - "id": "control-0580-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1405", - "title": "Event logging and auditing", + "id": "control-0940", + "title": "System patching", "parts": [ { - "id": "control-1405-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-0988", - "title": "Event logging and auditing", + "id": "control-1472", + "title": "System patching", "parts": [ { - "id": "control-0988-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." + "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0584", - "title": "Event logging and auditing", + "id": "control-1494", + "title": "System patching", "parts": [ { - "id": "control-0584-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-0582", - "title": "Event logging and auditing", + "id": "control-1495", + "title": "System patching", "parts": [ { - "id": "control-0582-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n§ access to important data and processes\n§ application crashes and any error messages\n§ attempts to use special privileges\n§ changes to accounts\n§ changes to security policy\n§ changes to system configurations\n§ Domain Name System (DNS) and Hypertext Transfer Protocol requests\n§ failed attempts to access data and system resources\n§ service failures and restarts\n§ system startup and shutdown\n§ transfer of data to external media\n§ user or group management\n§ use of special privileges." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1536", - "title": "Event logging and auditing", + "id": "control-1496", + "title": "System patching", "parts": [ { - "id": "control-1536-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n§ attempted access that is denied\n§ crashes and any error messages\n§ search queries initiated by users." + "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-1537", - "title": "Event logging and auditing", + "id": "control-0300", + "title": "System patching", "parts": [ { - "id": "control-1537-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n§ access to particularly important information\n§ addition of new users, especially privileged users\n§ any query containing comments\n§ any query containing multiple embedded queries\n§ any query or database alerts or failures\n§ attempts to elevate privileges\n§ attempted access that is successful or unsuccessful\n§ changes to the database structure\n§ changes to user roles or database permissions\n§ database administrator actions\n§ database logons and logoffs\n§ modifications to data\n§ use of executable commands." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] }, { - "id": "control-0585", - "title": "Event logging and auditing", + "id": "control-0298", + "title": "System patching", "parts": [ { - "id": "control-0585-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-0586", - "title": "Event logging and auditing", + "id": "control-0303", + "title": "System patching", "parts": [ { - "id": "control-0586-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-0859", - "title": "Event logging and auditing", + "id": "control-1497", + "title": "System patching", "parts": [ { - "id": "control-0859-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority publication." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-0991", - "title": "Event logging and auditing", + "id": "control-1498", + "title": "System patching", "parts": [ { - "id": "control-0991-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." } ] }, { - "id": "control-0109", - "title": "Event logging and auditing", + "id": "control-1499", + "title": "System patching", "parts": [ { - "id": "control-0109-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, - { - "id": "control-1228", - "title": "Event logging and auditing", + { + "id": "control-1500", + "title": "System patching", "parts": [ { - "id": "control-1228-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] - } - ] - }, - { - "id": "vulnerability_management", - "title": "Vulnerability management", - "controls": [ + }, { - "id": "control-1163", - "title": "Vulnerability management", + "id": "control-0304", + "title": "System patching", "parts": [ { - "id": "control-1163-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "A vulnerability management policy is developed and implemented that includes:\n§ conducting vulnerability assessments and penetration tests for systems throughout their life cycle to identify security vulnerabilities\n§ analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n§ using a risk-based approach to prioritise the implementation of identified mitigations." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] }, { - "id": "control-0911", - "title": "Vulnerability management", + "id": "control-1501", + "title": "System patching", "parts": [ { - "id": "control-0911-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "Vulnerability assessments and penetration tests are conducted by suitably skilled personnel before a system is deployed, after a significant change to a system, and at least annually or as specified by the system owner." 
+ "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } 
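Review bot: This hunk cannot be reviewed for content loss as written, because it overwrites the "Event logging and auditing" controls (control-0859, control-0991, control-0109, control-1228) and the opening of the `vulnerability_management` group (control-1163, control-0911) in place with unrelated "System patching" controls (control-1497 through control-1501, control-0304) at the same positions, so the diff reads as a deletion of those controls rather than a move. Please state in the commit message whether the catalog was regenerated from the ISM source with a different group order, and add a check that the set of control ids and statement prose is unchanged, e.g. `jq '[.. | objects | select(.id? and (.id|startswith("control-"))) | .id] | sort' catalog.json` on both revisions and a diff of the two lists. If the generator can emit groups in the same order as the previous revision, that would keep future catalog updates reviewable instead of rewriting thousands of lines.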
@@ -5483,2226 +5458,2230 @@ ] }, { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", "groups": [ { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", + "id": "system_owners", + "title": "System owners", "controls": [ { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-1071", + "title": "System owners", "parts": [ { - "id": "control-0123-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "Each system has a designated system owner." } ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-1525", + "title": "System owners", "parts": [ { - "id": "control-0141-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "When organisations use outsourced information technology or cloud services, their service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "System owners register each system with the system’s authorising officer." } ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents", + "id": "control-0027", + "title": "System owners", "parts": [ { - "id": "control-0140-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." + "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." 
+ } + ] + }, + { + "id": "control-1526", + "title": "System owners", + "parts": [ + { + "id": "control-1526-stmt", + "name": "statement", + "prose": "System owners monitor security risks and the effectiveness of security controls for each system." } ] } ] }, { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", "controls": [ { - "id": "control-0125", - "title": "Managing cyber security incidents", + "id": "control-0714", + "title": "Chief Information Security Officer", "parts": [ { - "id": "control-0125-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n§ the date the cyber security incident occurred\n§ the date the cyber security incident was discovered\n§ a description of the cyber security incident\n§ any actions taken in response to the cyber security incident\n§ to whom the cyber security incident was reported." + "prose": "A CISO is appointed to provide cyber security leadership for their organisation." } ] }, { - "id": "control-0133", - "title": "Managing cyber security incidents", + "id": "control-1478", + "title": "Chief Information Security Officer", "parts": [ { - "id": "control-0133-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." + "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_network_management", + "title": "Guidelines for Network Management", + "groups": [ + { + "id": "wireless_networks", + "title": "Wireless networks", + "controls": [ { - "id": "control-0917", - "title": "Managing cyber security incidents", + "id": "control-1314", + "title": "Wireless networks", "parts": [ { - "id": "control-0917-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n§ the infected systems are isolated\n§ all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n§ antivirus software is used to remove the infection from infected systems and media\n§ if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-0137", - "title": "Managing cyber security incidents", + "id": "control-0536", + "title": "Wireless networks", "parts": [ { - "id": "control-0137-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." } ] }, { - "id": "control-1213", - "title": "Managing cyber security incidents", + "id": "control-1315", + "title": "Wireless networks", "parts": [ { - "id": "control-1213-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." 
+ "prose": "The administrative interface on wireless access points is disabled for wireless network connections." } ] }, { - "id": "control-0138", - "title": "Managing cyber security incidents", + "id": "control-1316", + "title": "Wireless networks", "parts": [ { - "id": "control-0138-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators recording all of their actions and ensuring raw audit trails are copied onto media for archiving." + "prose": "The default SSID of wireless access points is changed." } ] - } - ] - }, - { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", - "controls": [ + }, { - "id": "control-0576", - "title": "Detecting cyber security incidents", + "id": "control-1317", + "title": "Wireless networks", "parts": [ { - "id": "control-0576-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." } ] }, { - "id": "control-0120", - "title": "Detecting cyber security incidents", + "id": "control-1318", + "title": "Wireless networks", "parts": [ { - "id": "control-0120-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that any security alerts generated by systems are investigated and that systems and data sources are able to be searched for key indicators of compromise including but not limited to IP addresses, domains and file hashes." + "prose": "SSID broadcasting is enabled on wireless networks." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems_management", - "title": "Guidelines for Database Systems Management", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Database servers", + "id": "control-1319", + "title": "Wireless networks", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." } ] }, { - "id": "control-1269", - "title": "Database servers", + "id": "control-1320", + "title": "Wireless networks", "parts": [ { - "id": "control-1269-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." } ] }, { - "id": "control-1277", - "title": "Database servers", + "id": "control-1321", + "title": "Wireless networks", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] }, { - "id": "control-1270", - "title": "Database servers", + "id": "control-1322", + "title": "Wireless networks", "parts": [ { - "id": "control-1270-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." 
} ] }, { - "id": "control-1271", - "title": "Database servers", + "id": "control-1324", + "title": "Wireless networks", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database servers’ communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." } ] }, { - "id": "control-1272", - "title": "Database servers", + "id": "control-1323", + "title": "Wireless networks", "parts": [ { - "id": "control-1272-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." + "prose": "Both device and user certificates are required for accessing wireless networks." } ] }, { - "id": "control-1273", - "title": "Database servers", + "id": "control-1325", + "title": "Wireless networks", "parts": [ { - "id": "control-1273-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." } ] - } - ] - }, - { - "id": "database_management_system_software", - "title": "Database management system software", - "controls": [ + }, { - "id": "control-1245", - "title": "Database management system software", + "id": "control-1326", + "title": "Wireless networks", "parts": [ { - "id": "control-1245-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." 
+ "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." } ] }, { - "id": "control-1246", - "title": "Database management system software", + "id": "control-1327", + "title": "Wireless networks", "parts": [ { - "id": "control-1246-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." } ] }, { - "id": "control-1247", - "title": "Database management system software", + "id": "control-1330", + "title": "Wireless networks", "parts": [ { - "id": "control-1247-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." } ] }, { - "id": "control-1249", - "title": "Database management system software", + "id": "control-1454", + "title": "Wireless networks", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] }, { - "id": "control-1250", - "title": "Database management system software", + "id": "control-1332", + "title": "Wireless networks", "parts": [ { - "id": "control-1250-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." 
} ] }, { - "id": "control-1251", - "title": "Database management system software", + "id": "control-1334", + "title": "Wireless networks", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." } ] }, { - "id": "control-1260", - "title": "Database management system software", + "id": "control-1335", + "title": "Wireless networks", "parts": [ { - "id": "control-1260-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." } ] }, { - "id": "control-1262", - "title": "Database management system software", + "id": "control-1338", + "title": "Wireless networks", "parts": [ { - "id": "control-1262-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." } ] }, { - "id": "control-1261", - "title": "Database management system software", + "id": "control-1013", + "title": "Wireless networks", "parts": [ { - "id": "control-1261-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." 
} ] - }, + } + ] + }, + { + "id": "network_design_and_configuration", + "title": "Network design and configuration", + "controls": [ { - "id": "control-1263", - "title": "Database management system software", + "id": "control-0516", + "title": "Network design and configuration", "parts": [ { - "id": "control-1263-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." } ] }, { - "id": "control-1264", - "title": "Database management system software", + "id": "control-0518", + "title": "Network design and configuration", "parts": [ { - "id": "control-1264-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." } ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Databases", + "id": "control-1178", + "title": "Network design and configuration", "parts": [ { - "id": "control-1243-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." 
} ] }, { - "id": "control-1256", - "title": "Databases", + "id": "control-1181", + "title": "Network design and configuration", "parts": [ { - "id": "control-1256-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." } ] }, { - "id": "control-1252", - "title": "Databases", + "id": "control-1532", + "title": "Network design and configuration", "parts": [ { - "id": "control-1252-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0393", - "title": "Databases", + "id": "control-0529", + "title": "Network design and configuration", "parts": [ { - "id": "control-0393-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." } ] }, { - "id": "control-1255", - "title": "Databases", + "id": "control-1364", + "title": "Network design and configuration", "parts": [ { - "id": "control-1255-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." 
} ] }, { - "id": "control-1268", - "title": "Databases", + "id": "control-0535", + "title": "Network design and configuration", "parts": [ { - "id": "control-1268-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." + "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-1258", - "title": "Databases", + "id": "control-0530", + "title": "Network design and configuration", "parts": [ { - "id": "control-1258-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "Network devices implementing VLANs are managed from the most trusted network." } ] }, { - "id": "control-1274", - "title": "Databases", + "id": "control-0521", + "title": "Network design and configuration", "parts": [ { - "id": "control-1274-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-1275", - "title": "Databases", + "id": "control-1186", + "title": "Network design and configuration", "parts": [ { - "id": "control-1275-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." 
+ "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." } ] }, { - "id": "control-1276", - "title": "Databases", + "id": "control-1428", + "title": "Network design and configuration", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-1278", - "title": "Databases", + "id": "control-1429", + "title": "Network design and configuration", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + "prose": "IPv6 tunnelling is blocked by network security devices at externally connected network boundaries." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ - { - "id": "mobile_device_usage", - "title": "Mobile device usage", - "controls": [ + }, { - "id": "control-1082", - "title": "Mobile device usage", + "id": "control-1430", + "title": "Network design and configuration", "parts": [ { - "id": "control-1082-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." 
} ] }, { - "id": "control-1083", - "title": "Mobile device usage", + "id": "control-0520", + "title": "Network design and configuration", "parts": [ { - "id": "control-1083-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] }, { - "id": "control-0240", - "title": "Mobile device usage", + "id": "control-1182", + "title": "Network design and configuration", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] }, { - "id": "control-0866", - "title": "Mobile device usage", + "id": "control-1301", + "title": "Network design and configuration", "parts": [ { - "id": "control-0866-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "A network device register is maintained and regularly audited." } ] }, { - "id": "control-1145", - "title": "Mobile device usage", + "id": "control-1304", + "title": "Network design and configuration", "parts": [ { - "id": "control-1145-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." 
+ "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-0871", - "title": "Mobile device usage", + "id": "control-0534", + "title": "Network design and configuration", "parts": [ { - "id": "control-0871-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "Unused physical ports on network devices are disabled." } ] }, { - "id": "control-0870", - "title": "Mobile device usage", + "id": "control-0385", + "title": "Network design and configuration", "parts": [ { - "id": "control-0870-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-1084", - "title": "Mobile device usage", + "id": "control-1479", + "title": "Network design and configuration", "parts": [ { - "id": "control-1084-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-0701", - "title": "Mobile device usage", + "id": "control-1460", + "title": "Network design and configuration", "parts": [ { - "id": "control-0701-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware:\n§ the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner\n§ the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism\n§ the underlying operating system running on the server is hardened\n§ patches are applied to the isolation mechanism and underlying operating system in a timely manner\n§ integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-0702", - "title": "Mobile device usage", + "id": "control-1462", + "title": "Network design and configuration", "parts": [ { - "id": "control-0702-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." } ] }, { - "id": "control-1298", - "title": "Mobile device usage", + "id": "control-1461", + "title": "Network design and configuration", "parts": [ { - "id": "control-1298-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." } ] }, { - "id": "control-1554", - "title": "Mobile device usage", + "id": "control-1006", + "title": "Network design and configuration", "parts": [ { - "id": "control-1554-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n§ issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n§ advised on how to apply and inspect tamper seals to key areas of devices\n§ advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." } ] }, { - "id": "control-1555", - "title": "Mobile device usage", + "id": "control-1311", + "title": "Network design and configuration", "parts": [ { - "id": "control-1555-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n§ record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n§ update all applications and operating systems\n§ remove all non-essential accounts, applications and data\n§ apply security configuration settings, such as lock screens\n§ configure remote locate and wipe functionality\n§ enable encryption, including for any media used\n§ backup all important data and configuration settings." + "prose": "SNMP version 1 and 2 are not used on networks." 
} ] }, { - "id": "control-1299", - "title": "Mobile device usage", + "id": "control-1312", + "title": "Network design and configuration", "parts": [ { - "id": "control-1299-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n§ never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n§ never storing credentials with devices that they grant access to, such as in laptop bags\n§ never lending devices to untrusted people, even if briefly\n§ never allowing untrusted people to connect other devices or media to their devices, including for charging\n§ never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n§ avoiding connecting devices to open or untrusted Wi-Fi networks\n§ using an approved Virtual Private Network to encrypt all device communications\n§ using encrypted mobile applications for communications instead of using foreign telecommunication networks\n§ disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n§ avoiding reuse of media once used with other parties’ devices or systems\n§ ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n§ never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." 
} ] }, { - "id": "control-1088", - "title": "Mobile device usage", + "id": "control-1028", + "title": "Network design and configuration", "parts": [ { - "id": "control-1088-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n§ provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n§ have devices or media stolen that are later returned\n§ lose devices or media that are later found\n§ observe unusual behaviour of devices." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage, including public network infrastructure." } ] }, { - "id": "control-1300", - "title": "Mobile device usage", + "id": "control-1030", + "title": "Network design and configuration", "parts": [ { - "id": "control-1300-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n§ sanitise and reset devices, including all media used with them\n§ decommission any physical credentials that left their possession during their travel\n§ report if significant doubt exists as to the integrity of any devices following their travel." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." 
} ] }, { - "id": "control-1556", - "title": "Mobile device usage", + "id": "control-1185", + "title": "Network design and configuration", "parts": [ { - "id": "control-1556-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n§ reset user credentials used with devices, including those used for remote access to their organisation’s systems\n§ monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] } ] }, { - "id": "mobile_device_management", - "title": "Mobile device management", + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", "controls": [ { - "id": "control-1533", - "title": "Mobile device management", + "id": "control-1458", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1533-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." } ] }, { - "id": "control-1195", - "title": "Mobile device management", + "id": "control-1431", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1195-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." 
+ "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with service providers, specifically:\n§ their capacity to withstand denial-of-service attacks\n§ any costs likely to be incurred by customers resulting from denial-of-service attacks\n§ thresholds for notifying customers or turning off their online services during denial-of-service attacks\n§ pre-approved actions that can be undertaken during denial-of-service attacks\n§ denial-of-service attack prevention arrangements with upstream providers to block malicious traffic as far upstream as possible." } ] }, { - "id": "control-0687", - "title": "Mobile device management", + "id": "control-1432", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0687-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." } ] }, { - "id": "control-1400", - "title": "Mobile device management", + "id": "control-1433", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1400-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "24x7 contact details are maintained for service providers and service providers maintain 24x7 contact details for their customers." 
} ] }, { - "id": "control-0694", - "title": "Mobile device management", + "id": "control-1434", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0694-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems." + "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." } ] }, { - "id": "control-1297", - "title": "Mobile device management", + "id": "control-1435", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1297-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "Prior to allowing privately-owned mobile devices to connect to an organisation’s systems, legal advice is sought." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] }, { - "id": "control-1482", - "title": "Mobile device management", + "id": "control-1436", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1482-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." } ] }, { - "id": "control-0869", - "title": "Mobile device management", + "id": "control-1518", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0869-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
+ "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." } ] }, { - "id": "control-1085", - "title": "Mobile device management", + "id": "control-1437", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1085-stmt", + "id": "control-1437-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "A cloud service provider, preferably multiple different cloud service providers, is used for hosting online services." } ] }, { - "id": "control-1202", - "title": "Mobile device management", + "id": "control-1438", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1202-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." } ] }, { - "id": "control-0682", - "title": "Mobile device management", + "id": "control-1439", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0682-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." 
} ] }, { - "id": "control-1196", - "title": "Mobile device management", + "id": "control-1441", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1196-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "Where a requirement for high availability exists for online services, a denial of service mitigation service is used." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", + "groups": [ + { + "id": "vulnerability_management", + "title": "Vulnerability management", + "controls": [ { - "id": "control-1200", - "title": "Mobile device management", + "id": "control-1163", + "title": "Vulnerability management", "parts": [ { - "id": "control-1200-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "A vulnerability management policy is developed and implemented that includes:\n§ conducting vulnerability assessments and penetration tests for systems throughout their life cycle to identify security vulnerabilities\n§ analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n§ using a risk-based approach to prioritise the implementation of identified mitigations." } ] }, { - "id": "control-1198", - "title": "Mobile device management", + "id": "control-0911", + "title": "Vulnerability management", "parts": [ { - "id": "control-1198-stmt", + "id": "control-0911-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." 
+ "prose": "Vulnerability assessments and penetration tests are conducted by suitably skilled personnel before a system is deployed, after a significant change to a system, and at least annually or as specified by the system owner." } ] - }, + } + ] + }, + { + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", + "controls": [ { - "id": "control-1199", - "title": "Mobile device management", + "id": "control-0580", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1199-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-0863", - "title": "Mobile device management", + "id": "control-1405", + "title": "Event logging and auditing", "parts": [ { - "id": "control-0863-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." } ] }, { - "id": "control-0864", - "title": "Mobile device management", + "id": "control-0988", + "title": "Event logging and auditing", "parts": [ { - "id": "control-0864-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." 
} ] }, { - "id": "control-1365", - "title": "Mobile device management", + "id": "control-0584", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1365-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1366", - "title": "Mobile device management", + "id": "control-0582", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1366-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "The following events are logged for operating systems:\n§ access to important data and processes\n§ application crashes and any error messages\n§ attempts to use special privileges\n§ changes to accounts\n§ changes to security policy\n§ changes to system configurations\n§ Domain Name System (DNS) and Hypertext Transfer Protocol requests\n§ failed attempts to access data and system resources\n§ service failures and restarts\n§ system startup and shutdown\n§ transfer of data to external media\n§ user or group management\n§ use of special privileges." } ] }, { - "id": "control-0874", - "title": "Mobile device management", + "id": "control-1536", + "title": "Event logging and auditing", "parts": [ { - "id": "control-0874-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the Internet." + "prose": "The following events are logged for web applications:\n§ attempted access that is denied\n§ crashes and any error messages\n§ search queries initiated by users." 
} ] }, { - "id": "control-0705", - "title": "Mobile device management", + "id": "control-1537", + "title": "Event logging and auditing", "parts": [ { - "id": "control-0705-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "The following events are logged for databases:\n§ access to particularly important information\n§ addition of new users, especially privileged users\n§ any query containing comments\n§ any query containing multiple embedded queries\n§ any query or database alerts or failures\n§ attempts to elevate privileges\n§ attempted access that is successful or unsuccessful\n§ changes to the database structure\n§ changes to user roles or database permissions\n§ database administrator actions\n§ database logons and logoffs\n§ modifications to data\n§ use of executable commands." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", - "groups": [ - { - "id": "cable_labelling_and_registration", - "title": "Cable labelling and registration", - "controls": [ + }, { - "id": "control-0201", - "title": "Cable labelling and registration", + "id": "control-0585", + "title": "Event logging and auditing", "parts": [ { - "id": "control-0201-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-0202", - "title": "Cable labelling and registration", + "id": "control-0586", + "title": "Event logging and auditing", "parts": [ { - "id": "control-0202-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] }, { - "id": "control-0203", - "title": "Cable labelling and registration", + "id": "control-0859", + "title": "Event logging and auditing", "parts": [ { - "id": "control-0203-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority publication." } ] }, { - "id": "control-0204", - "title": "Cable labelling and registration", + "id": "control-0991", + "title": "Event logging and auditing", "parts": [ { - "id": "control-0204-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." + "prose": "DNS and proxy logs are retained for at least 18 months." } ] }, { - "id": "control-1095", - "title": "Cable labelling and registration", + "id": "control-0109", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1095-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." 
+ "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1096", - "title": "Cable labelling and registration", + "id": "control-1228", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1096-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ + { + "id": "mobile_device_usage", + "title": "Mobile device usage", + "controls": [ { - "id": "control-0206", - "title": "Cable labelling and registration", + "id": "control-1082", + "title": "Mobile device usage", "parts": [ { - "id": "control-0206-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." + "prose": "A mobile device usage policy is developed and implemented." } ] }, { - "id": "control-0208", - "title": "Cable labelling and registration", + "id": "control-1083", + "title": "Mobile device usage", "parts": [ { - "id": "control-0208-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "A cable register is maintained with the following information:\n§ cable identifier\n§ classification\n§ source\n§ destination\n§ site/floor plan diagram\n§ seal numbers (if applicable)." 
+ "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0211", - "title": "Cable labelling and registration", + "id": "control-0240", + "title": "Mobile device usage", "parts": [ { - "id": "control-0211-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "Cables are inspected for inconsistencies with the cable register in accordance with the frequency defined in a system’s System Security Plan." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." } ] - } - ] - }, - { - "id": "cable_patching", - "title": "Cable patching", - "controls": [ + }, { - "id": "control-0213", - "title": "Cable patching", + "id": "control-0866", + "title": "Mobile device usage", "parts": [ { - "id": "control-0213-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "Only approved cable groups terminate on a patch panel." + "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." } ] }, { - "id": "control-1093", - "title": "Cable patching", + "id": "control-1145", + "title": "Mobile device usage", "parts": [ { - "id": "control-1093-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." 
} ] }, { - "id": "control-0214", - "title": "Cable patching", + "id": "control-0871", + "title": "Mobile device usage", "parts": [ { - "id": "control-0214-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-1094", - "title": "Cable patching", + "id": "control-0870", + "title": "Mobile device usage", "parts": [ { - "id": "control-1094-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-0216", - "title": "Cable patching", + "id": "control-1084", + "title": "Mobile device usage", "parts": [ { - "id": "control-0216-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." 
} ] }, { - "id": "control-0217", - "title": "Cable patching", + "id": "control-0701", + "title": "Mobile device usage", "parts": [ { - "id": "control-0217-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n§ a physical barrier in the cabinet is provided to separate patch panels\n§ only personnel holding a Positive Vetting security clearance have access to the cabinet\n§ approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0218", - "title": "Cable patching", + "id": "control-0702", + "title": "Mobile device usage", "parts": [ { - "id": "control-0218-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." 
} ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ + }, { - "id": "control-0247", - "title": "Emanation security", + "id": "control-1298", + "title": "Mobile device usage", "parts": [ { - "id": "control-0247-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." } ] }, { - "id": "control-0248", - "title": "Emanation security", + "id": "control-1554", + "title": "Mobile device usage", "parts": [ { - "id": "control-0248-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n§ issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n§ advised on how to apply and inspect tamper seals to key areas of devices\n§ advised to avoid taking any personal devices, especially if rooted or jailbroken." 
} ] }, { - "id": "control-1137", - "title": "Emanation security", + "id": "control-1555", + "title": "Mobile device usage", "parts": [ { - "id": "control-1137-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n§ record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n§ update all applications and operating systems\n§ remove all non-essential accounts, applications and data\n§ apply security configuration settings, such as lock screens\n§ configure remote locate and wipe functionality\n§ enable encryption, including for any media used\n§ backup all important data and configuration settings." } ] }, { - "id": "control-0932", - "title": "Emanation security", + "id": "control-1299", + "title": "Mobile device usage", "parts": [ { - "id": "control-0932-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." 
+ "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n§ never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n§ never storing credentials with devices that they grant access to, such as in laptop bags\n§ never lending devices to untrusted people, even if briefly\n§ never allowing untrusted people to connect other devices or media to their devices, including for charging\n§ never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n§ avoiding connecting devices to open or untrusted Wi-Fi networks\n§ using an approved Virtual Private Network to encrypt all device communications\n§ using encrypted mobile applications for communications instead of using foreign telecommunication networks\n§ disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n§ avoiding reuse of media once used with other parties’ devices or systems\n§ ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n§ never using any gifted devices, especially media, when travelling or upon returning from travelling." } ] }, { - "id": "control-0249", - "title": "Emanation security", + "id": "control-1088", + "title": "Mobile device usage", "parts": [ { - "id": "control-0249-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
+ "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n§ provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n§ have devices or media stolen that are later returned\n§ lose devices or media that are later found\n§ observe unusual behaviour of devices." } ] }, { - "id": "control-0246", - "title": "Emanation security", + "id": "control-1300", + "title": "Mobile device usage", "parts": [ { - "id": "control-0246-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n§ sanitise and reset devices, including all media used with them\n§ decommission any physical credentials that left their possession during their travel\n§ report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-0250", - "title": "Emanation security", + "id": "control-1556", + "title": "Mobile device usage", "parts": [ { - "id": "control-0250-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n§ reset user credentials used with devices, including those used for remote access to their organisation’s systems\n§ monitor accounts for any indicators of compromise, such as failed login attempts." 
} ] } ] }, { - "id": "cable_management", - "title": "Cable management", + "id": "mobile_device_management", + "title": "Mobile device management", "controls": [ { - "id": "control-0181", - "title": "Cable management", + "id": "control-1533", + "title": "Mobile device management", "parts": [ { - "id": "control-0181-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority (ACMA)." + "prose": "A mobile device management policy is developed and implemented." } ] }, { - "id": "control-0926", - "title": "Cable management", + "id": "control-1195", + "title": "Mobile device management", "parts": [ { - "id": "control-0926-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." } ] }, { - "id": "control-0825", - "title": "Cable management", + "id": "control-0687", + "title": "Mobile device management", "parts": [ { - "id": "control-0825-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-0826", - "title": "Cable management", + "id": "control-1400", + "title": "Mobile device management", "parts": [ { - "id": "control-0826-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." 
+ "prose": "Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." } ] }, { - "id": "control-1215", - "title": "Cable management", + "id": "control-0694", + "title": "Mobile device management", "parts": [ { - "id": "control-1215-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." + "prose": "Privately-owned mobile devices do not access highly classified systems." } ] }, { - "id": "control-1216", - "title": "Cable management", + "id": "control-1297", + "title": "Mobile device management", "parts": [ { - "id": "control-1216-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "Prior to allowing privately-owned mobile devices to connect to an organisation’s systems, legal advice is sought." } ] }, { - "id": "control-1112", - "title": "Cable management", + "id": "control-1482", + "title": "Mobile device management", "parts": [ { - "id": "control-1112-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." 
} ] }, { - "id": "control-1118", - "title": "Cable management", + "id": "control-0869", + "title": "Mobile device management", "parts": [ { - "id": "control-1118-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1119", - "title": "Cable management", + "id": "control-1085", + "title": "Mobile device management", "parts": [ { - "id": "control-1119-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-1126", - "title": "Cable management", + "id": "control-1202", + "title": "Mobile device management", "parts": [ { - "id": "control-1126-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] }, { - "id": "control-0184", - "title": "Cable management", + "id": "control-0682", + "title": "Mobile device management", "parts": [ { - "id": "control-0184-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." 
+ "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." } ] }, { - "id": "control-0187", - "title": "Cable management", + "id": "control-1196", + "title": "Mobile device management", "parts": [ { - "id": "control-0187-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-1111", - "title": "Cable management", + "id": "control-1200", + "title": "Mobile device management", "parts": [ { - "id": "control-1111-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-0189", - "title": "Cable management", + "id": "control-1198", + "title": "Mobile device management", "parts": [ { - "id": "control-0189-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." } ] }, { - "id": "control-0190", - "title": "Cable management", + "id": "control-1199", + "title": "Mobile device management", "parts": [ { - "id": "control-0190-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." 
} ] }, { - "id": "control-1114", - "title": "Cable management", + "id": "control-0863", + "title": "Mobile device management", "parts": [ { - "id": "control-1114-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-1130", - "title": "Cable management", + "id": "control-0864", + "title": "Mobile device management", "parts": [ { - "id": "control-1130-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] }, { - "id": "control-1164", - "title": "Cable management", + "id": "control-1365", + "title": "Mobile device management", "parts": [ { - "id": "control-1164-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] }, { - "id": "control-0195", - "title": "Cable management", + "id": "control-1366", + "title": "Mobile device management", "parts": [ { - "id": "control-0195-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." 
} ] }, { - "id": "control-0194", - "title": "Cable management", + "id": "control-0874", + "title": "Mobile device management", "parts": [ { - "id": "control-0194-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the Internet." } ] }, { - "id": "control-1102", - "title": "Cable management", + "id": "control-0705", + "title": "Mobile device management", "parts": [ { - "id": "control-1102-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ + { + "id": "application_hardening", + "title": "Application hardening", + "controls": [ { - "id": "control-1101", - "title": "Cable management", + "id": "control-0938", + "title": "Application hardening", "parts": [ { - "id": "control-1101-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." 
} ] }, { - "id": "control-1103", - "title": "Cable management", + "id": "control-1467", + "title": "Application hardening", "parts": [ { - "id": "control-1103-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." } ] }, { - "id": "control-1098", - "title": "Cable management", + "id": "control-1483", + "title": "Application hardening", "parts": [ { - "id": "control-1098-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." } ] }, { - "id": "control-1100", - "title": "Cable management", + "id": "control-1412", + "title": "Application hardening", "parts": [ { - "id": "control-1100-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1116", - "title": "Cable management", + "id": "control-1484", + "title": "Application hardening", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." 
+ "prose": "Web browsers are configured to block or disable support for Flash content." } ] }, { - "id": "control-1115", - "title": "Cable management", + "id": "control-1485", + "title": "Application hardening", "parts": [ { - "id": "control-1115-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Web browsers are configured to block web advertisements." } ] }, { - "id": "control-1133", - "title": "Cable management", + "id": "control-1486", + "title": "Application hardening", "parts": [ { - "id": "control-1133-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in a party wall." + "prose": "Web browsers are configured to block Java from the Internet." } ] }, { - "id": "control-1122", - "title": "Cable management", + "id": "control-1541", + "title": "Application hardening", "parts": [ { - "id": "control-1122-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Microsoft Office is configured to disable support for Flash content." } ] }, { - "id": "control-1134", - "title": "Cable management", + "id": "control-1542", + "title": "Application hardening", "parts": [ { - "id": "control-1134-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." 
} ] }, { - "id": "control-1104", - "title": "Cable management", + "id": "control-1470", + "title": "Application hardening", "parts": [ { - "id": "control-1104-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." } ] }, { - "id": "control-1105", - "title": "Cable management", + "id": "control-1235", + "title": "Application hardening", "parts": [ { - "id": "control-1105-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." } ] }, { - "id": "control-1106", - "title": "Cable management", + "id": "control-1487", + "title": "Application hardening", "parts": [ { - "id": "control-1106-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." + "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." } ] }, { - "id": "control-1107", - "title": "Cable management", + "id": "control-1488", + "title": "Application hardening", "parts": [ { - "id": "control-1107-stmt", + "id": "control-1488-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "Microsoft Office macros in documents originating from the Internet are blocked." 
} ] }, { - "id": "control-1109", - "title": "Cable management", + "id": "control-1489", + "title": "Application hardening", "parts": [ { - "id": "control-1109-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] - }, + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ { - "id": "control-0198", - "title": "Cable management", + "id": "control-1546", + "title": "Authentication hardening", "parts": [ { - "id": "control-0198-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "Users are authenticated before they are granted access to a system and its resources." } ] }, { - "id": "control-1123", - "title": "Cable management", + "id": "control-0974", + "title": "Authentication hardening", "parts": [ { - "id": "control-1123-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Multi-factor authentication is used to authenticate standard users." } ] }, { - "id": "control-1135", - "title": "Cable management", + "id": "control-1173", + "title": "Authentication hardening", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0336", - "title": "ICT equipment and media", + "id": "control-1504", + "title": "Authentication hardening", "parts": [ { - "id": "control-0336-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] }, { - "id": "control-0159", - "title": "ICT equipment and media", + "id": "control-1505", + "title": "Authentication hardening", "parts": [ { - "id": "control-0159-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." } ] }, { - "id": "control-0161", - "title": "ICT equipment and media", + "id": "control-1401", + "title": "Authentication hardening", "parts": [ { - "id": "control-0161-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." 
} ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-1559", + "title": "Authentication hardening", "parts": [ { - "id": "control-1543-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] }, { - "id": "control-0225", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-1560", + "title": "Authentication hardening", "parts": [ { - "id": "control-0225-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." } ] }, { - "id": "control-0829", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-1561", + "title": "Authentication hardening", "parts": [ { - "id": "control-0829-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." } ] }, { - "id": "control-1058", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-1357", + "title": "Authentication hardening", "parts": [ { - "id": "control-1058-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." 
+ "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." } ] }, { - "id": "control-0222", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-0417", + "title": "Authentication hardening", "parts": [ { - "id": "control-0222-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-0223", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-0421", + "title": "Authentication hardening", "parts": [ { - "id": "control-0223-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n§ line of sight and reflected communications travelling into unsecured spaces\n§ multiple infrared keyboards for different systems being used in the same area\n§ other infrared devices being used in the same area\n§ infrared keyboards operating in areas with unprotected windows." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." 
} ] }, { - "id": "control-0224", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-1557", + "title": "Authentication hardening", "parts": [ { - "id": "control-0224-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n§ line of sight and reflected communications travelling into unsecured spaces\n§ multiple infrared keyboards for different systems being used in the same area\n§ other infrared devices being used in the same area\n§ infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] }, { - "id": "control-0221", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-0422", + "title": "Authentication hardening", "parts": [ { - "id": "control-0221-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." } ] - } - ] - }, - { - "id": "facilities_and_systems", - "title": "Facilities and systems", - "controls": [ + }, { - "id": "control-0810", - "title": "Facilities and systems", + "id": "control-1558", + "title": "Authentication hardening", "parts": [ { - "id": "control-0810-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." 
+ "prose": "Passphrases used for single-factor authentication:\n§ are not constructed from song lyrics, movies, literature or any other publically available material\n§ do not form a real sentence in a natural language\n§ are not a list of categorised words." } ] }, { - "id": "control-1053", - "title": "Facilities and systems", + "id": "control-1403", + "title": "Authentication hardening", "parts": [ { - "id": "control-1053-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-1530", - "title": "Facilities and systems", + "id": "control-0431", + "title": "Authentication hardening", "parts": [ { - "id": "control-1530-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "Repeated account lockouts are investigated before reauthorising access." } ] }, { - "id": "control-0813", - "title": "Facilities and systems", + "id": "control-0976", + "title": "Authentication hardening", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset." 
} ] }, { - "id": "control-1074", - "title": "Facilities and systems", + "id": "control-1227", + "title": "Authentication hardening", "parts": [ { - "id": "control-1074-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date." } ] }, { - "id": "control-0157", - "title": "Facilities and systems", + "id": "control-1055", + "title": "Authentication hardening", "parts": [ { - "id": "control-0157-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." + "prose": "LAN Manager is disabled for password/passphrase authentication." } ] }, { - "id": "control-1296", - "title": "Facilities and systems", + "id": "control-0418", + "title": "Authentication hardening", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "Credentials are stored separately from systems to which they grant access." } ] }, { - "id": "control-0164", - "title": "Facilities and systems", + "id": "control-1402", + "title": "Authentication hardening", "parts": [ { - "id": "control-0164-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." 
+ "prose": "Credentials are protected by ensuring:\n§ passwords/passphrases expire every 12 months\n§ passwords/passphrases are stored as salted hashes\n§ password/passphrase stretching is implemented\n§ passwords/passphrases appearing in breach databases are blacklisted\n§ passwords/passphrases are never sent in the clear across networks." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_data_transfers_and_content_filtering", - "title": "Guidelines for Data Transfers and Content Filtering", - "groups": [ - { - "id": "content_filtering", - "title": "Content filtering", - "controls": [ + }, { - "id": "control-0659", - "title": "Content filtering", + "id": "control-0428", + "title": "Authentication hardening", "parts": [ { - "id": "control-0659-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "Systems are configured with a session or screen lock that:\n§ activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n§ completely conceals all information on the screen\n§ ensures that the screen does not enter a power saving state before the screen or session lock is activated\n§ requires the user to reauthenticate to unlock the system\n§ denies users the ability to disable the session or screen locking mechanism." } ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-0408", + "title": "Authentication hardening", "parts": [ { - "id": "control-1524-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." 
} ] }, { - "id": "control-0651", - "title": "Content filtering", + "id": "control-0979", + "title": "Authentication hardening", "parts": [ { - "id": "control-0651-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "Legal advice is sought on the exact wording of logon banners." } ] - }, + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ { - "id": "control-0652", - "title": "Content filtering", + "id": "control-1407", + "title": "Operating system hardening", "parts": [ { - "id": "control-0652-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "The latest version (N), or N-1 version, of an operating system is used for Standard Operating Environments (SOEs)." } ] }, { - "id": "control-1389", - "title": "Content filtering", + "id": "control-1408", + "title": "Operating system hardening", "parts": [ { - "id": "control-1389-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." } ] }, { - "id": "control-1284", - "title": "Content filtering", + "id": "control-1409", + "title": "Operating system hardening", "parts": [ { - "id": "control-1284-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." 
} ] }, { - "id": "control-1286", - "title": "Content filtering", + "id": "control-0383", + "title": "Operating system hardening", "parts": [ { - "id": "control-1286-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1287", - "title": "Content filtering", + "id": "control-0380", + "title": "Operating system hardening", "parts": [ { - "id": "control-1287-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." } ] }, { - "id": "control-1288", - "title": "Content filtering", + "id": "control-1491", + "title": "Operating system hardening", "parts": [ { - "id": "control-1288-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." } ] }, { - "id": "control-1289", - "title": "Content filtering", + "id": "control-1410", + "title": "Operating system hardening", "parts": [ { - "id": "control-1289-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." 
+ "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." } ] }, { - "id": "control-1290", - "title": "Content filtering", + "id": "control-1469", + "title": "Operating system hardening", "parts": [ { - "id": "control-1290-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-1291", - "title": "Content filtering", + "id": "control-0382", + "title": "Operating system hardening", "parts": [ { - "id": "control-1291-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Users do not have the ability to install, uninstall or disable software." } ] }, { - "id": "control-0649", - "title": "Content filtering", + "id": "control-0843", + "title": "Operating system hardening", "parts": [ { - "id": "control-0649-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "A whitelist of permitted content types is created and enforced based on business requirements and the results of a risk assessment." + "prose": "An application whitelisting solution is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-1292", - "title": "Content filtering", + "id": "control-1490", + "title": "Operating system hardening", "parts": [ { - "id": "control-1292-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." 
+ "prose": "An application whitelisting solution is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0677", - "title": "Content filtering", + "id": "control-0955", + "title": "Operating system hardening", "parts": [ { - "id": "control-0677-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." + "prose": "Application whitelisting is implemented using cryptographic hash rules, publisher certificate rules or path rules." } ] }, { - "id": "control-1293", - "title": "Content filtering", + "id": "control-1471", + "title": "Operating system hardening", "parts": [ { - "id": "control-1293-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "When implementing application whitelisting using publisher certificate rules, both publisher names and product names are used." } ] - } - ] - }, - { - "id": "data_transfers", - "title": "Data transfers", - "controls": [ + }, { - "id": "control-0663", - "title": "Data transfers", + "id": "control-1392", + "title": "Operating system hardening", "parts": [ { - "id": "control-0663-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + "prose": "When implementing application whitelisting using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." 
} ] }, { - "id": "control-0661", - "title": "Data transfers", + "id": "control-1544", + "title": "Operating system hardening", "parts": [ { - "id": "control-0661-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application whitelisting bypasses." } ] }, { - "id": "control-0665", - "title": "Data transfers", + "id": "control-0846", + "title": "Operating system hardening", "parts": [ { - "id": "control-0665-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "Trusted sources are a strictly limited number of personnel that have been authorised as such by an organisation’s CISO." + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application whitelisting mechanisms." } ] }, { - "id": "control-0675", - "title": "Data transfers", + "id": "control-0957", + "title": "Operating system hardening", "parts": [ { - "id": "control-0675-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "A trusted source makes an informed decision to sign all data authorised for export from a security domain." + "prose": "Application whitelisting solutions are configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." } ] }, { - "id": "control-0664", - "title": "Data transfers", + "id": "control-1414", + "title": "Operating system hardening", "parts": [ { - "id": "control-0664-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." 
+ "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." } ] }, { - "id": "control-0657", - "title": "Data transfers", + "id": "control-1492", + "title": "Operating system hardening", "parts": [ { - "id": "control-0657-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "If supported, Microsoft's 'Exploit protection' functionality is implemented on workstations and servers." } ] }, { - "id": "control-0658", - "title": "Data transfers", + "id": "control-1341", + "title": "Operating system hardening", "parts": [ { - "id": "control-0658-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." + "prose": "A HIPS is implemented on workstations." } ] }, { - "id": "control-1187", - "title": "Data transfers", + "id": "control-1034", + "title": "Operating system hardening", "parts": [ { - "id": "control-1187-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." 
} ] }, { - "id": "control-0669", - "title": "Data transfers", + "id": "control-1416", + "title": "Operating system hardening", "parts": [ { - "id": "control-0669-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n§ protective marking checks\n§ data format checks and logging\n§ monitoring to detect overuse/unusual usage patterns\n§ limitations on data types and sizes\n§ keyword searches on all textual data." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." } ] }, { - "id": "control-1535", - "title": "Data transfers", + "id": "control-1417", + "title": "Operating system hardening", "parts": [ { - "id": "control-1535-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n§ signature-based detection enabled and set to a high level\n§ heuristic-based detection enabled and set to a high level\n§ detection signatures checked for currency and updated on at least a daily basis\n§ automatic and regular scanning configured for all fixed disks and removable media." } ] }, { - "id": "control-0678", - "title": "Data transfers", + "id": "control-1390", + "title": "Operating system hardening", "parts": [ { - "id": "control-0678-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "Antivirus software has reputation rating functionality enabled." 
} ] }, { - "id": "control-0667", - "title": "Data transfers", + "id": "control-1418", + "title": "Operating system hardening", "parts": [ { - "id": "control-0667-stmt", + "id": "control-1418-stmt", + "name": "statement", + "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ + { + "id": "control-0039", + "title": "Development and maintenance of security documentation", + "parts": [ + { + "id": "control-0039-stmt", "name": "statement", - "prose": "Data exported from each security domain, including through a gateway, is only permitted once the classification has been assessed including a protective marking check." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-0660", - "title": "Data transfers", + "id": "control-0047", + "title": "Development and maintenance of security documentation", "parts": [ { - "id": "control-0660-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "When importing data to each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." 
} ] }, { - "id": "control-0673", - "title": "Data transfers", + "id": "control-0888", + "title": "Development and maintenance of security documentation", "parts": [ { - "id": "control-0673-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "When exporting data out of each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." } ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-1294", - "title": "Data transfers", + "id": "control-0041", + "title": "System-specific security documentation", "parts": [ { - "id": "control-1294-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "When importing content to a security domain, including through a gateway, monthly audits of the imported content are performed." + "prose": "Systems have a SSP that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-1295", - "title": "Data transfers", + "id": "control-0043", + "title": "System-specific security documentation", "parts": [ { - "id": "control-1295-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "When exporting content out of a security domain, including through a gateway, monthly audits of the exported content are performed." 
+ "prose": "Systems have an IRP that covers the following:\n§ guidelines on what constitutes a cyber security incident\n§ the types of incidents likely to be encountered and the expected response to each type\n§ how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n§ other parties which need to be informed in the event of a cyber security incident\n§ the authority, or authorities, responsible for investigating and responding to cyber security incidents\n§ the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n§ the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n§ system contingency measures or a reference to such details if they are located in a separate document." } ] } 
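Review bot: the removed and added lines in this hunk pair unrelated controls (`control-0651` "Content filtering" against `control-0979` "Authentication hardening", the whole `data_transfers` group against `development_and_maintenance_of_security_documentation`), so this is a reordering of catalog groups rather than an edit to their content, and a textual diff cannot show whether any control id or statement was dropped or altered in the move. Because OSCAL profiles select catalog controls by id, please add an id-keyed comparison of the old and new catalog to the PR (same set of `control-*` ids, same `prose` per id, or an explicit list of ids that changed for this ISM release) and name the regeneration step in the commit message. Two smaller points in the added lines: the new group id `system-specific_security_documentation` uses a hyphen where every other group id in the hunk uses underscores only (`operating_system_hardening`, `guidelines_for_security_documentation`), and the statements for `control-1417` and `control-0043` carry their bullet lists as literal `\n§` sequences inside `prose`, which renderers will display verbatim; consider splitting them into child parts or markdown list syntax if the conversion tooling allows it. The apostrophe in `control-1492` (`Microsoft's`) is also the straight form while `control-1544` uses the curly `Microsoft’s`, which suggests two different source extractions.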
@@ -7711,536 +7690,557 @@ ] }, { - "id": "guidelines_for_ict_equipment_management", - "title": "Guidelines for ICT Equipment Management", + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", "groups": [ { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", + "id": "application_development", + "title": "Application development", "controls": [ { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0400", + "title": "Application development", "parts": [ { - "id": "control-0313-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "Software development, testing and production environments are segregated." } ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1419", + "title": "Application development", "parts": [ { - "id": "control-1550-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1420", + "title": "Application development", "parts": [ { - "id": "control-0311-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." 
+ "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1422", + "title": "Application development", "parts": [ { - "id": "control-1217-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1238", + "title": "Application development", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, { - "id": "control-0315", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0401", + "title": "Application development", "parts": [ { - "id": "control-0315-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." 
+ "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." } ] }, { - "id": "control-1218", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0402", + "title": "Application development", "parts": [ { - "id": "control-1218-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." + } + ] + } + ] + }, + { + "id": "web_application_development", + "title": "Web application development", + "controls": [ + { + "id": "control-1239", + "title": "Web application development", + "parts": [ + { + "id": "control-1239-stmt", + "name": "statement", + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-0312", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1552", + "title": "Web application development", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "All web application content is offered exclusively using HTTPS." 
} ] }, { - "id": "control-0317", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1240", + "title": "Web application development", "parts": [ { - "id": "control-0317-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-1219", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1241", + "title": "Web application development", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "Output encoding is performed on all output produced by a web application." } ] }, { - "id": "control-1220", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1424", + "title": "Web application development", "parts": [ { - "id": "control-1220-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-1221", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0971", + "title": "Web application development", "parts": [ { - "id": "control-1221-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", + "groups": [ + { + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", + "controls": [ + { + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony", + "parts": [ + { + "id": "control-1562-stmt", + "name": "statement", + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-0318", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0546", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0318-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." } ] }, { - "id": "control-1534", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0547", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1534-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "Video conferencing and IP telephony signalling and data is encrypted." 
} ] }, { - "id": "control-1076", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0548", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1076-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-1222", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0554", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1222-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-1223", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0553", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1223-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n§ following device-specific guidance provided by the ACSC\n§ following vendor sanitisation guidance\n§ loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." 
} ] }, { - "id": "control-1225", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0555", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1225-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-1226", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0551", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1226-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "IP telephony is configured such that:\n§ IP phones authenticate themselves to the call controller upon registration\n§ auto-registration is disabled and only a whitelist of authorised devices is allowed to access the network\n§ unauthorised devices are blocked by default\n§ all unused and prohibited functionality is disabled." } ] - } - ] - }, - { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", - "controls": [ + }, { - "id": "control-1079", - "title": "ICT equipment maintenance and repairs", + "id": "control-1014", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1079-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "Individual logins are used for IP phones." 
} ] }, { - "id": "control-0305", - "title": "ICT equipment maintenance and repairs", + "id": "control-0549", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0305-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." } ] }, { - "id": "control-0307", - "title": "ICT equipment maintenance and repairs", + "id": "control-0556", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0307-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-0306", - "title": "ICT equipment maintenance and repairs", + "id": "control-1015", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0306-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n§ is appropriately cleared and briefed\n§ takes due care to ensure that information is not disclosed\n§ takes all responsible measures to ensure the integrity of the ICT equipment\n§ has the authority to direct the technician\n§ is sufficiently familiar with the ICT equipment to understand the work being performed." 
+ "prose": "Traditional analog phones are used in public areas." } ] }, { - "id": "control-0310", - "title": "ICT equipment maintenance and repairs", + "id": "control-0558", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0310-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] }, { - "id": "control-0944", - "title": "ICT equipment maintenance and repairs", + "id": "control-0559", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0944-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." } ] - } - ] - }, - { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", - "controls": [ + }, { - "id": "control-1551", - "title": "ICT equipment usage", + "id": "control-1450", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1551-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." 
} ] }, { - "id": "control-0293", - "title": "ICT equipment usage", + "id": "control-1019", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0293-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "A denial of service response plan is developed and implemented that includes:\n§ how to identify signs of a denial of service\n§ how to identify the source of a denial of service\n§ how capabilities can be maintained during a denial of service\n§ what actions can be taken to clear a denial of service." } ] - }, + } + ] + }, + { + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", + "controls": [ { - "id": "control-0294", - "title": "ICT equipment usage", + "id": "control-0588", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-0294-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "A fax machine and MFD usage policy is developed and implemented." } ] }, { - "id": "control-0296", - "title": "ICT equipment usage", + "id": "control-1092", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-0296-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ - { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", - "controls": [ + }, { - "id": "control-0714", - "title": "Chief Information Security Officer", + "id": "control-0241", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-0714-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership for their organisation." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." } ] }, { - "id": "control-1478", - "title": "Chief Information Security Officer", + "id": "control-1075", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." } ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ + }, { - "id": "control-1071", - "title": "System owners", + "id": "control-0590", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-1071-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." 
} ] }, { - "id": "control-1525", - "title": "System owners", + "id": "control-0245", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-1525-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "System owners register each system with the system’s authorising officer." + "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] }, { - "id": "control-0027", - "title": "System owners", + "id": "control-0589", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-0027-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." } ] }, { - "id": "control-1526", - "title": "System owners", + "id": "control-1036", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-1526-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "System owners monitor security risks and the effectiveness of security controls for each system." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ + }, { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", + "id": "telephone_systems", + "title": "Telephone systems", "controls": [ { - "id": "control-0100", - "title": "Information technology and cloud services", + "id": "control-1078", + "title": "Telephone systems", "parts": [ { - "id": "control-0100-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "Commercial and government gateway and cloud services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program assessors at least every two years." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-1395", - "title": "Information technology and cloud services", + "id": "control-0229", + "title": "Telephone systems", "parts": [ { - "id": "control-1395-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "If using outsourced cloud services, only those listed on the ACSC’s Certified Cloud Services List are used." + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-1529", - "title": "Information technology and cloud services", + "id": "control-0230", + "title": "Telephone systems", "parts": [ { - "id": "control-1529-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "If using outsourced cloud services for highly classified information, public clouds are not used." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." 
} ] }, { - "id": "control-1396", - "title": "Information technology and cloud services", + "id": "control-0231", + "title": "Telephone systems", "parts": [ { - "id": "control-1396-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "If using an outsourced cloud service not listed on the ACSC’s Certified Cloud Services List, or for highly classified information, the ACSC is notified in writing at the earliest opportunity, and certainly before entering into or renewing a contract." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-0873", - "title": "Information technology and cloud services", + "id": "control-0232", + "title": "Telephone systems", "parts": [ { - "id": "control-0873-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "If using an outsourced information technology service, or cloud service not listed on the ACSC’s Certified Cloud Services List, a service provider whose systems are located in Australia is used." + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0072", - "title": "Information technology and cloud services", + "id": "control-0233", + "title": "Telephone systems", "parts": [ { - "id": "control-0072-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "Any security controls associated with the protection of information entrusted to a service provider are documented in contract provisions, a memorandum of understanding or an equivalent formal agreement between parties." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." 
} ] }, { - "id": "control-1073", - "title": "Information technology and cloud services", + "id": "control-0235", + "title": "Telephone systems", "parts": [ { - "id": "control-1073-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider from outside Australian borders unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-1451", - "title": "Information technology and cloud services", + "id": "control-0236", + "title": "Telephone systems", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "When entering into a contractual arrangement for outsourced information technology or cloud services, contractual ownership over an organisation’s data is explicitly retained." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." } ] }, { - "id": "control-1452", - "title": "Information technology and cloud services", + "id": "control-0931", + "title": "Telephone systems", "parts": [ { - "id": "control-1452-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "A review of suppliers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." + "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." 
+ } + ] + }, + { + "id": "control-0237", + "title": "Telephone systems", + "parts": [ + { + "id": "control-0237-stmt", + "name": "statement", + "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." } ] } diff --git a/ISM_catalog_profile/catalogs/ISM_December_2020/catalog.json b/ISM_catalog_profile/catalogs/ISM_December_2020/catalog.json index 4296f54..f173901 100644 --- a/ISM_catalog_profile/catalogs/ISM_December_2020/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_December_2020/catalog.json 
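Review bot: In the hunk that ends just above (the catalog file preceding `ISM_December_2020`), the added `control-1019` statement uses "§" as its list bullet ("§ how to identify signs of a denial of service"), whereas the other multi-line statements this patch adds use "•" (see the `control-0582` operating-system events list in the next file). That reads like the ISM.py extractor picking up a different glyph from the source document rather than a real difference in the ISM; normalise the bullet character in the generator so consumers that split `prose` on the bullet behave the same for every control. Separately, this hunk pairs unrelated controls (`control-0293` removed against `control-1019` added, `control-0294` against `control-0588`) because the group order moved, so a reviewer cannot see from the diff which statements actually changed between ISM versions; a stable group order in the generator would make these regenerations reviewable.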
@@ -1,3352 +1,3216 @@ { "catalog": { - "uuid": "8d28d6e2-a24d-4af0-a3ed-4791226252b2", + "uuid": "08b4094e-ecf5-4f33-84fe-a4601722721c", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:20:37.779+00:00", + "last-modified": "2022-04-28T11:44:10.864372+10:00", "version": "December_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration process and procedures", + "id": "control-0580", + "title": "Event logging policy", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "Separate administrator workstations", + "id": "control-1405", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1382", - "title": "Separate administrator workstations", + "id": "control-0988", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1381", - "title": "Separate administrator workstations", + "id": "control-0584", + "title": "Events to be logged", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1383", - "title": "Separate administrator workstations", + "id": "control-0582", + "title": "Events to be logged", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." 
} ] }, { - "id": "control-1385", - "title": "Dedicated administration zones and communication restrictions", + "id": "control-1536", + "title": "Events to be logged", "parts": [ { - "id": "control-1385-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." } ] }, { - "id": "control-1386", - "title": "Restriction of management traffic flows", + "id": "control-1537", + "title": "Events to be logged", "parts": [ { - "id": "control-1386-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." } ] }, { - "id": "control-1387", - "title": "Jump servers", + "id": "control-0585", + "title": "Events log details", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-1388", - "title": "Jump servers", + "id": "control-0586", + "title": "Event log protection", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management process and procedures", + "id": "control-0859", + "title": "Event log retention", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "Patch management process and procedures", + "id": "control-0991", + "title": "Event log retention", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] }, { - "id": "control-1493", - "title": "Patch management process and procedures", + "id": "control-0109", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1493-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1144", - "title": "When to patch security vulnerabilities", + "id": "control-1228", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1144-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_email", + "title": "Guidelines for Email", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ { - "id": "control-0940", - "title": "When to patch security vulnerabilities", + "id": "control-0569", + "title": "Centralised email gateways", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0569-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email is routed through a centralised email gateway." } ] }, { - "id": "control-1472", - "title": "When to patch security vulnerabilities", + "id": "control-0571", + "title": "Centralised email gateways", "parts": [ { - "id": "control-1472-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." } ] }, { - "id": "control-1494", - "title": "When to patch security vulnerabilities", + "id": "control-0570", + "title": "Email gateway maintenance activities", "parts": [ { - "id": "control-1494-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
+ "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." } ] }, { - "id": "control-1495", - "title": "When to patch security vulnerabilities", + "id": "control-0567", + "title": "Open relay email servers", "parts": [ { - "id": "control-1495-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-1496", - "title": "When to patch security vulnerabilities", + "id": "control-0572", + "title": "Email server transport encryption", "parts": [ { - "id": "control-1496-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." } ] }, { - "id": "control-0300", - "title": "When to patch security vulnerabilities", + "id": "control-1589", + "title": "Email server transport encryption", "parts": [ { - "id": "control-0300-stmt", + "id": "control-1589-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." 
} ] }, { - "id": "control-0298", - "title": "How to patch security vulnerabilities", + "id": "control-0574", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." } ] }, { - "id": "control-0303", - "title": "How to patch security vulnerabilities", + "id": "control-1183", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0303-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "A hard fail SPF record is used when specifying email servers." } ] }, { - "id": "control-1497", - "title": "How to patch security vulnerabilities", + "id": "control-1151", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1497-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "SPF is used to verify the authenticity of incoming emails." } ] }, { - "id": "control-1498", - "title": "How to patch security vulnerabilities", + "id": "control-1152", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1498-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
} ] }, { - "id": "control-1499", - "title": "How to patch security vulnerabilities", + "id": "control-0861", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-1500", - "title": "How to patch security vulnerabilities", + "id": "control-1026", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1500-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "DKIM signatures on received emails are verified." } ] }, { - "id": "control-0304", - "title": "Cessation of support", + "id": "control-1027", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0304-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." 
} ] }, { - "id": "control-1501", - "title": "Cessation of support", + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", "parts": [ { - "id": "control-1501-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ + }, { - "id": "control-1510", - "title": "Digital preservation policy", + "id": "control-1234", + "title": "Email content filtering", "parts": [ { - "id": "control-1510-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "Email content filtering controls are implemented for email bodies and attachments." } ] }, { - "id": "control-1547", - "title": "Data backup and restoration processes and procedures", + "id": "control-1502", + "title": "Blocking suspicious emails", "parts": [ { - "id": "control-1547-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." } ] }, { - "id": "control-1548", - "title": "Data backup and restoration processes and procedures", + "id": "control-1024", + "title": "Undeliverable messages", "parts": [ { - "id": "control-1548-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
+ "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." } ] - }, + } + ] + }, + { + "id": "email_usage", + "title": "Email usage", + "controls": [ { - "id": "control-1511", - "title": "Performing backups", + "id": "control-0264", + "title": "Email usage policy", "parts": [ { - "id": "control-1511-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." + "prose": "An email usage policy is developed and implemented." } ] }, { - "id": "control-1512", - "title": "Backup storage", + "id": "control-0267", + "title": "Webmail services", "parts": [ { - "id": "control-1512-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." + "prose": "Access to non-approved webmail services is blocked." } ] }, { - "id": "control-1513", - "title": "Backup storage", + "id": "control-0270", + "title": "Protective markings for emails", "parts": [ { - "id": "control-1513-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." } ] }, { - "id": "control-1514", - "title": "Retention periods for backups", + "id": "control-0271", + "title": "Protective marking tools", "parts": [ { - "id": "control-1514-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Protective marking tools do not automatically insert protective markings into emails." 
} ] }, { - "id": "control-1515", - "title": "Testing restoration of backups", + "id": "control-0272", + "title": "Protective marking tools", "parts": [ { - "id": "control-1515-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." } ] }, { - "id": "control-1516", - "title": "Testing restoration of backups", + "id": "control-1089", + "title": "Protective marking tools", "parts": [ { - "id": "control-1516-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_gateways", - "title": "Guidelines for Gateways", - "groups": [ - { - "id": "firewalls", - "title": "Firewalls", - "controls": [ + }, { - "id": "control-1528", - "title": "Using firewalls", + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-1528-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." 
} ] }, { - "id": "control-0639", - "title": "Using firewalls", + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0639-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-1194", - "title": "Using firewalls", + "id": "control-0269", + "title": "Email distribution lists", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ + { + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", + "controls": [ + { + "id": "control-0336", + "title": "ICT equipment and media register", + "parts": [ + { + "id": "control-0336-stmt", + "name": "statement", + "prose": "An ICT equipment and media register is maintained and regularly audited." 
} ] }, { - "id": "control-0641", - "title": "Firewalls for particularly important networks", + "id": "control-0159", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "All ICT equipment and media are accounted for on a regular basis." } ] }, { - "id": "control-0642", - "title": "Firewalls for particularly important networks", + "id": "control-0161", + "title": "Securing ICT equipment and media", "parts": [ { - "id": "control-0642-stmt", + "id": "control-0161-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." + "prose": "ICT equipment and media are secured when not in use." } ] } ] }, { - "id": "gateways", - "title": "Gateways", + "id": "facilities_and_systems", + "title": "Facilities and systems", "controls": [ { - "id": "control-0628", - "title": "Gateway architecture and configuration", + "id": "control-0810", + "title": "Facilities containing systems", "parts": [ { - "id": "control-0628-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." 
} ] }, { - "id": "control-1192", - "title": "Gateway architecture and configuration", + "id": "control-1053", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1192-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." } ] }, { - "id": "control-0631", - "title": "Gateway architecture and configuration", + "id": "control-1530", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0631-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." 
} ] }, { - "id": "control-1427", - "title": "Gateway architecture and configuration", + "id": "control-0813", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1427-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0634", - "title": "Gateway operation", + "id": "control-1074", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0634-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." } ] }, { - "id": "control-0637", - "title": "Demilitarised zones", + "id": "control-0157", + "title": "Network infrastructure", "parts": [ { - "id": "control-0637-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." 
} ] }, { - "id": "control-1037", - "title": "Gateway testing", + "id": "control-1296", + "title": "Controlling physical access to network devices", "parts": [ { - "id": "control-1037-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." } ] }, { - "id": "control-0611", - "title": "Gateway administration", + "id": "control-0164", + "title": "Preventing observation by unauthorised people", "parts": [ { - "id": "control-0611-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." } ] - }, + } + ] + }, + { + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", + "controls": [ { - "id": "control-0612", - "title": "Gateway administration", + "id": "control-1543", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0612-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." 
} ] }, { - "id": "control-1520", - "title": "Gateway administration", + "id": "control-0225", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-1520-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-0613", - "title": "Gateway administration", - "parts": [ - { - "id": "control-0613-stmt", - "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." - } - ] - }, - { - "id": "control-0616", - "title": "Gateway administration", - "parts": [ - { - "id": "control-0616-stmt", - "name": "statement", - "prose": "Roles for the administration of gateways are separated." - } - ] - }, - { - "id": "control-0629", - "title": "Gateway administration", + "id": "control-0829", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0629-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." } ] }, { - "id": "control-0607", - "title": "Shared ownership of gateways", + "id": "control-1058", + "title": "Bluetooth and wireless keyboards", "parts": [ { - "id": "control-0607-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." 
+ "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." } ] }, { - "id": "control-0619", - "title": "Gateway authentication", + "id": "control-0222", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0619-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-0620", - "title": "Gateway authentication", + "id": "control-0223", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0620-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." } ] }, { - "id": "control-1039", - "title": "Gateway authentication", + "id": "control-0224", + "title": "Infrared keyboards", "parts": [ { - "id": "control-1039-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." 
} ] }, { - "id": "control-0622", - "title": "ICT equipment authentication", + "id": "control-0221", + "title": "Wireless RF pointing devices", "parts": [ { - "id": "control-0622-stmt", + "id": "control-0221-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ { - "id": "diodes", - "title": "Diodes", + "id": "mobile_device_management", + "title": "Mobile device management", "controls": [ { - "id": "control-0643", - "title": "Using diodes", + "id": "control-1533", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0643-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." + "prose": "A mobile device management policy is developed and implemented." } ] }, { - "id": "control-0645", - "title": "Using diodes", + "id": "control-1195", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0645-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." 
} ] }, { - "id": "control-1157", - "title": "Using diodes", + "id": "control-0687", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1157-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-1158", - "title": "Using diodes", + "id": "control-1400", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1158-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." } ] }, { - "id": "control-0646", - "title": "Diodes for particularly important networks", + "id": "control-0694", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-0646-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "Privately-owned mobile devices do not access highly classified systems or information." 
} ] }, { - "id": "control-0647", - "title": "Diodes for particularly important networks", + "id": "control-1297", + "title": "Seeking legal advice for privately-owned mobile devices", "parts": [ { - "id": "control-0647-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." } ] }, { - "id": "control-0648", - "title": "Volume checking", + "id": "control-1482", + "title": "Organisation-owned mobile devices", "parts": [ { - "id": "control-0648-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] - } - ] - }, - { - "id": "content_filtering", - "title": "Content filtering", - "controls": [ + }, { - "id": "control-0659", - "title": "Content filtering", + "id": "control-0869", + "title": "Mobile device storage encryption", "parts": [ { - "id": "control-0659-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-1085", + "title": "Mobile device communications encryption", "parts": [ { - "id": "control-1524-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-0651", - "title": "Active, malicious and suspicious content", + "id": "control-1202", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0651-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] }, { - "id": "control-0652", - "title": "Active, malicious and suspicious content", + "id": "control-0682", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0652-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
} ] }, { - "id": "control-1389", - "title": "Automated dynamic analysis", + "id": "control-1196", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1389-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-1284", - "title": "Content validation", + "id": "control-1200", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1284-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-1286", - "title": "Content conversion and transformation", + "id": "control-1198", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1286-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." } ] }, { - "id": "control-1287", - "title": "Content sanitisation", + "id": "control-1199", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1287-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." 
} ] }, { - "id": "control-1288", - "title": "Antivirus scanning", + "id": "control-0863", + "title": "Configuration control", "parts": [ { - "id": "control-1288-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-1289", - "title": "Archive and container files", + "id": "control-0864", + "title": "Configuration control", "parts": [ { - "id": "control-1289-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] }, { - "id": "control-1290", - "title": "Archive and container files", + "id": "control-1365", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1290-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] }, { - "id": "control-1291", - "title": "Archive and container files", + "id": "control-1366", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." 
} ] }, { - "id": "control-0649", - "title": "Allowing access to specific content types", + "id": "control-0874", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0649-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-1292", - "title": "Data integrity", + "id": "control-0705", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-1292-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." - } - ] - }, - { - "id": "control-0677", - "title": "Data integrity", - "parts": [ - { - "id": "control-0677-stmt", - "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." - } - ] - }, - { - "id": "control-1293", - "title": "Encrypted data", - "parts": [ - { - "id": "control-1293-stmt", - "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." } ] } ] }, { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", + "id": "mobile_device_usage", + "title": "Mobile device usage", "controls": [ { - "id": "control-0626", - "title": "When to implement a Cross Domain Solution", + "id": "control-1082", + "title": "Mobile device usage policy", "parts": [ { - "id": "control-0626-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "A mobile device usage policy is developed and implemented." 
} ] }, { - "id": "control-0597", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1083", + "title": "Personnel awareness", "parts": [ { - "id": "control-0597-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0627", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-0240", + "title": "Paging and message services", "parts": [ { - "id": "control-0627-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." } ] }, { - "id": "control-0635", - "title": "Separation of data flows", + "id": "control-0866", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0635-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." 
} ] }, { - "id": "control-1521", - "title": "Separation of data flows", + "id": "control-1145", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-1521-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-1522", - "title": "Separation of data flows", + "id": "control-0871", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-1522-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-0670", - "title": "Event logging", + "id": "control-0870", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-1523", - "title": "Event logging", + "id": "control-1084", + "title": "Carrying mobile devices", "parts": [ { - "id": "control-1523-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." 
+ "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." } ] }, { - "id": "control-0610", - "title": "User training", + "id": "control-0701", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0610-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." } ] - } - ] - }, - { - "id": "web_content_filters", - "title": "Web content filters", - "controls": [ + }, { - "id": "control-0963", - "title": "Using web content filters", + "id": "control-0702", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." } ] }, { - "id": "control-0961", - "title": "Using web content filters", + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0961-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." 
} ] }, { - "id": "control-1237", - "title": "Using web content filters", + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1237-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." } ] }, { - "id": "control-0263", - "title": "Transport Layer Security filtering", + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0263-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." 
} ] }, { - "id": "control-0996", - "title": "Inspection of Transport Layer Security traffic", + "id": "control-1299", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0996-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." 
} ] }, { - "id": "control-0958", - "title": "Allowing access to specific websites", + "id": "control-1088", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0958-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." } ] }, { - "id": "control-1170", - "title": "Allowing access to specific websites", + "id": "control-1300", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-1170-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-0959", - "title": "Blocking access to specific websites", + "id": "control-1556", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0959-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." 
+ "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ + { + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", + "controls": [ { - "id": "control-0960", - "title": "Blocking access to specific websites", + "id": "control-0280", + "title": "Evaluated product selection", "parts": [ { - "id": "control-0960-stmt", + "id": "control-0280-stmt", "name": "statement", - "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." } ] }, { - "id": "control-1171", - "title": "Blocking access to specific websites", + "id": "control-0285", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1171-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." 
} ] }, { - "id": "control-1236", - "title": "Blocking access to specific websites", + "id": "control-0286", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1236-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." } ] } ] }, { - "id": "web_proxies", - "title": "Web proxies", + "id": "evaluated_product_usage", + "title": "Evaluated product usage", "controls": [ { - "id": "control-0258", - "title": "Web usage policy", + "id": "control-0289", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0258-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." } ] }, { - "id": "control-0260", - "title": "Using web proxies", + "id": "control-0290", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0260-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." 
} ] }, { - "id": "control-0261", - "title": "Web proxy authentication and logging", + "id": "control-0292", + "title": "Use of high assurance ICT equipment in unevaluated configurations", "parts": [ { - "id": "control-0261-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." + "prose": "High assurance ICT equipment is only operated in an evaluated configuration." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ { - "id": "peripheral_switches", - "title": "Peripheral switches", + "id": "emanation_security", + "title": "Emanation security", "controls": [ { - "id": "control-0591", - "title": "Using peripheral switches", + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0591-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1480", - "title": "Using peripheral switches", + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1480-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1457", - "title": "Using peripheral switches", + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0593", - "title": "Using peripheral switches", + "id": "control-0932", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0593-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." 
+ "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." } ] }, { - "id": "control-0594", - "title": "Peripheral switches for particularly important systems", - "parts": [ - { - "id": "control-0594-stmt", - "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", - "groups": [ - { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", - "controls": [ - { - "id": "control-0280", - "title": "Evaluated product selection", + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0280-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0285", - "title": "Delivery of evaluated products", + "id": "control-0246", + "title": "Early identification of emanation security issues", "parts": [ { - "id": "control-0285-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." 
+ "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." } ] }, { - "id": "control-0286", - "title": "Delivery of evaluated products", + "id": "control-0250", + "title": "Industry and government standards", "parts": [ { - "id": "control-0286-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." } ] } ] }, { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", + "id": "cable_management", + "title": "Cable management", "controls": [ { - "id": "control-0289", - "title": "Installation and configuration of evaluated products", + "id": "control-0181", + "title": "Cable standards", "parts": [ { - "id": "control-0289-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." } ] }, { - "id": "control-0290", - "title": "Installation and configuration of evaluated products", + "id": "control-0926", + "title": "Cable colours", "parts": [ { - "id": "control-0290-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + "prose": "The cable colours in the following table are used (see source document for referenced table)." 
} ] }, { - "id": "control-0292", - "title": "Use of high assurance ICT equipment in unevaluated configurations", + "id": "control-0825", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-0292-stmt", + "id": "control-0825-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." + "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_networking", - "title": "Guidelines for Networking", - "groups": [ - { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", - "controls": [ + }, { - "id": "control-1437", - "title": "Cloud-based hosting of online services", + "id": "control-0826", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-1437-stmt", + "id": "control-0826-stmt", "name": "statement", - "prose": "A cloud service provider is used for hosting online services." + "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." } ] }, { - "id": "control-1578", - "title": "Location policies for online services", + "id": "control-1215", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1578-stmt", + "id": "control-1215-stmt", "name": "statement", - "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." + "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." 
} ] }, { - "id": "control-1579", - "title": "Availability planning and monitoring for online services", + "id": "control-1216", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1579-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." + "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." } ] }, { - "id": "control-1580", - "title": "Availability planning and monitoring for online services", + "id": "control-1112", + "title": "Inspecting cables", "parts": [ { - "id": "control-1580-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1441", - "title": "Availability planning and monitoring for online services", + "id": "control-1118", + "title": "Inspecting cables", "parts": [ { - "id": "control-1441-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1581", - "title": "Availability planning and monitoring for online services", + "id": "control-1119", + "title": "Inspecting cables", "parts": [ { - "id": "control-1581-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "Organisations perform continuous real-time monitoring of the availability of online services." 
+ "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1438", - "title": "Using content delivery networks", + "id": "control-1126", + "title": "Inspecting cables", "parts": [ { - "id": "control-1438-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1439", - "title": "Using content delivery networks", + "id": "control-0184", + "title": "Inspecting cables", "parts": [ { - "id": "control-1439-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." 
} ] }, { - "id": "control-1431", - "title": "Denial of service strategies", + "id": "control-0187", + "title": "Cable groupings", "parts": [ { - "id": "control-1431-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." + "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1458", - "title": "Denial of service strategies", + "id": "control-1111", + "title": "Use of fibre-optic cables", "parts": [ { - "id": "control-1458-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." } ] }, { - "id": "control-1432", - "title": "Domain name registrar locking", + "id": "control-0189", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1432-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." 
} ] }, { - "id": "control-1435", - "title": "Monitoring with real-time alerting for online services", + "id": "control-0190", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1435-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." } ] }, { - "id": "control-1436", - "title": "Segregation of critical online services", + "id": "control-1114", + "title": "Cables sharing a common reticulation system", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." } ] }, { - "id": "control-1518", - "title": "Preparing for service continuity", + "id": "control-1130", + "title": "Enclosed cable reticulation systems", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." 
} ] - } - ] - }, - { - "id": "wireless_networks", - "title": "Wireless networks", - "controls": [ + }, { - "id": "control-1314", - "title": "Choosing wireless access points", + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", "parts": [ { - "id": "control-1314-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-0536", - "title": "Wireless networks for public access", + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-0536-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." } ] }, { - "id": "control-1315", - "title": "Administrative interfaces for wireless access points", + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-1315-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." - } - ] - }, - { - "id": "control-1316", - "title": "Default Service Set Identifiers", - "parts": [ - { - "id": "control-1316-stmt", - "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." 
} ] }, { - "id": "control-1317", - "title": "Default Service Set Identifiers", + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1317-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1318", - "title": "Default Service Set Identifiers", + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1318-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1319", - "title": "Static addressing", + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1319-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." } ] }, { - "id": "control-1320", - "title": "Media Access Control address filtering", + "id": "control-1098", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1320-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." 
+ "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." } ] }, { - "id": "control-1321", - "title": "802.1X authentication", + "id": "control-1100", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1321-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-1322", - "title": "Evaluation of 802.1X authentication implementation", + "id": "control-1116", + "title": "Cabinet separation", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] }, { - "id": "control-1324", - "title": "Generating and issuing certificates for authentication", + "id": "control-1115", + "title": "Cables in walls", "parts": [ { - "id": "control-1324-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." } ] }, { - "id": "control-1323", - "title": "Generating and issuing certificates for authentication", + "id": "control-1133", + "title": "Cables in party walls", "parts": [ { - "id": "control-1323-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "In shared non-government facilities, cables are not run in a party wall." 
} ] }, { - "id": "control-1325", - "title": "Generating and issuing certificates for authentication", + "id": "control-1122", + "title": "Wall penetrations", "parts": [ { - "id": "control-1325-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1326", - "title": "Generating and issuing certificates for authentication", + "id": "control-1134", + "title": "Wall penetrations", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1327", - "title": "Generating and issuing certificates for authentication", + "id": "control-1104", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1327-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." 
} ] }, { - "id": "control-1330", - "title": "Caching 802.1X authentication outcomes", + "id": "control-1105", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1330-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." } ] }, { - "id": "control-1454", - "title": "Remote Authentication Dial-In User Service authentication", + "id": "control-1106", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1106-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." } ] }, { - "id": "control-1332", - "title": "Encryption of wireless network traffic", + "id": "control-1107", + "title": "Wall outlet box colours", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1334", - "title": "Interference between wireless networks", + "id": "control-1109", + "title": "Wall outlet box covers", "parts": [ { - "id": "control-1334-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "Wall outlet box covers are clear plastic." 
} ] }, { - "id": "control-1335", - "title": "Protecting management frames on wireless networks", + "id": "control-0198", + "title": "Audio secure spaces", "parts": [ { - "id": "control-1335-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." } ] }, { - "id": "control-1338", - "title": "Wireless network footprint", + "id": "control-1123", + "title": "Power reticulation", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-1013", - "title": "Wireless network footprint", + "id": "control-1135", + "title": "Power reticulation", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
} ] } ] }, { - "id": "network_design_and_configuration", - "title": "Network design and configuration", + "id": "cable_labelling_and_registration", + "title": "Cable labelling and registration", "controls": [ { - "id": "control-0516", - "title": "Network documentation", + "id": "control-0201", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0516-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." } ] }, { - "id": "control-0518", - "title": "Network documentation", + "id": "control-0202", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0518-stmt", + "id": "control-0202-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." } ] }, { - "id": "control-1178", - "title": "Network documentation", + "id": "control-0203", + "title": "Conduit label specifications", "parts": [ { - "id": "control-1178-stmt", + "id": "control-0203-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." 
} ] }, { - "id": "control-1181", - "title": "Network segmentation and segregation", + "id": "control-0204", + "title": "Installing conduit labelling", "parts": [ { - "id": "control-1181-stmt", + "id": "control-0204-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." } ] }, { - "id": "control-1577", - "title": "Network segmentation and segregation", + "id": "control-1095", + "title": "Labelling wall outlet boxes", "parts": [ { - "id": "control-1577-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "Organisation networks are segregated from service provider networks." + "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." } ] }, { - "id": "control-1532", - "title": "Using Virtual Local Area Networks", + "id": "control-1096", + "title": "Labelling cables", "parts": [ { - "id": "control-1532-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." } ] }, { - "id": "control-0529", - "title": "Using Virtual Local Area Networks", + "id": "control-0206", + "title": "Cable labelling process and procedures", "parts": [ { - "id": "control-0529-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." 
+ "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-1364", - "title": "Using Virtual Local Area Networks", + "id": "control-0208", + "title": "Cable register", "parts": [ { - "id": "control-1364-stmt", + "id": "control-0208-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." } ] }, { - "id": "control-0535", - "title": "Using Virtual Local Area Networks", + "id": "control-0211", + "title": "Cable inspections", "parts": [ { - "id": "control-0535-stmt", + "id": "control-0211-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "Cables are inspected for inconsistencies with the cable register at least annually." } ] - }, + } + ] + }, + { + "id": "cable_patching", + "title": "Cable patching", + "controls": [ { - "id": "control-0530", - "title": "Using Virtual Local Area Networks", + "id": "control-0213", + "title": "Terminations to patch panels", "parts": [ { - "id": "control-0530-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "Only approved cable groups terminate on a patch panel." } ] }, { - "id": "control-0521", - "title": "Using Internet Protocol version 6", + "id": "control-1093", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1093-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." 
+ "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." } ] }, { - "id": "control-1186", - "title": "Using Internet Protocol version 6", + "id": "control-0214", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1186-stmt", + "id": "control-0214-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." } ] }, { - "id": "control-1428", - "title": "Using Internet Protocol version 6", + "id": "control-1094", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1094-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." } ] }, { - "id": "control-1429", - "title": "Using Internet Protocol version 6", + "id": "control-0216", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1429-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." 
} ] }, { - "id": "control-1430", - "title": "Using Internet Protocol version 6", + "id": "control-0217", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1430-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." } ] }, { - "id": "control-0520", - "title": "Network access controls", + "id": "control-0218", + "title": "Fly lead installation", "parts": [ { - "id": "control-0520-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ { - "id": "control-1182", - "title": "Network access controls", + "id": "control-1631", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1182-stmt", + "id": "control-1631-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "Components and services relevant to the security of systems are identified and understood." } ] }, { - "id": "control-1301", - "title": "Network device register", + "id": "control-1452", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1301-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk." } ] }, { - "id": "control-1304", - "title": "Default accounts for network devices", + "id": "control-1567", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1304-stmt", + "id": "control-1567-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Suppliers and service providers identified as high risk are not used." 
} ] }, { - "id": "control-0534", - "title": "Disabling unused physical ports on network devices", + "id": "control-1568", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1568-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices." } ] }, { - "id": "control-0385", - "title": "Functional separation between servers", + "id": "control-1632", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1632-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains." } ] }, { - "id": "control-1479", - "title": "Functional separation between servers", + "id": "control-1569", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1479-stmt", + "id": "control-1569-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." + "prose": "A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party." 
} ] }, { - "id": "control-1006", - "title": "Management traffic", + "id": "control-0100", + "title": "Outsourced gateway services", "parts": [ { - "id": "control-1006-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." } ] }, { - "id": "control-1311", - "title": "Use of Simple Network Management Protocol", + "id": "control-1570", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1570-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." } ] }, { - "id": "control-1312", - "title": "Use of Simple Network Management Protocol", + "id": "control-1529", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1312-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "Only community or private clouds are used for outsourced cloud services." } ] }, { - "id": "control-1028", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1395", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." 
+ "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." } ] }, { - "id": "control-1030", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-0072", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1030-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." } ] }, { - "id": "control-1185", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1571", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1185-stmt", + "id": "control-1571-stmt", "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." } ] }, { - "id": "control-1627", - "title": "Blocking anonymity network traffic", + "id": "control-1451", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1627-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." + "prose": "Types of information and its ownership is documented in contractual arrangements." 
} ] }, { - "id": "control-1628", - "title": "Blocking anonymity network traffic", - "parts": [ - { - "id": "control-1628-stmt", - "name": "statement", - "prose": "Outbound network connections to anonymity networks are blocked." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", - "groups": [ - { - "id": "web_application_development", - "title": "Web application development", - "controls": [ - { - "id": "control-1239", - "title": "Web application frameworks", + "id": "control-1572", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1239-stmt", + "id": "control-1572-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." } ] }, { - "id": "control-1552", - "title": "Web application interactions", + "id": "control-1573", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1573-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." } ] }, { - "id": "control-1240", - "title": "Web application input handling", + "id": "control-1574", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1240-stmt", + "id": "control-1574-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." 
} ] }, { - "id": "control-1241", - "title": "Web application output encoding", + "id": "control-1575", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1575-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." } ] }, { - "id": "control-1424", - "title": "Web browser-based security controls", + "id": "control-1073", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-1424-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." } ] }, { - "id": "control-0971", - "title": "Open Web Application Security Project", + "id": "control-1576", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-0971-stmt", + "id": "control-1576-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ { - "id": "application_development", - "title": "Application development", + "id": "application_hardening", + "title": "Application hardening", "controls": [ { - "id": "control-0400", - "title": "Development environments", + "id": "control-0938", + "title": "Application selection", "parts": [ { - "id": "control-0400-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "Development, testing and production environments are segregated." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." } ] }, { - "id": "control-1419", - "title": "Development environments", + "id": "control-1467", + "title": "Application versions", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." + "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." } ] }, { - "id": "control-1420", - "title": "Development environments", + "id": "control-1483", + "title": "Application versions", "parts": [ { - "id": "control-1420-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." 
} ] }, { - "id": "control-1422", - "title": "Development environments", + "id": "control-1412", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1422-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1238", - "title": "Secure software design", + "id": "control-1484", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1238-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "Web browsers are configured to block or disable support for Flash content." } ] }, { - "id": "control-0401", - "title": "Secure programming practices", + "id": "control-1485", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0401-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "Web browsers are configured to block web advertisements." } ] }, { - "id": "control-0402", - "title": "Software testing", + "id": "control-1486", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0402-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." 
+ "prose": "Web browsers are configured to block Java from the internet." } ] }, { - "id": "control-1616", - "title": "Vulnerability disclosure program", + "id": "control-1541", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1616-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." + "prose": "Microsoft Office is configured to disable support for Flash content." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ + }, { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "id": "control-1542", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." } ] }, { - "id": "control-0546", - "title": "Video and voice-aware firewalls", + "id": "control-1470", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0546-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." 
} ] }, { - "id": "control-0547", - "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "id": "control-1235", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0547-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." } ] }, { - "id": "control-0548", - "title": "Establishment of secure signalling and data protocols", + "id": "control-1601", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1601-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." } ] }, { - "id": "control-0554", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1585", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1585-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." } ] }, { - "id": "control-0553", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1487", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0553-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." 
+ "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." } ] }, { - "id": "control-0555", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1488", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0555-stmt", + "id": "control-1488-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." + "prose": "Microsoft Office macros in documents originating from the internet are blocked." } ] }, { - "id": "control-0551", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1489", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] - }, + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ { - "id": "control-1014", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1406", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-1014-stmt", + "id": "control-1406-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "SOEs are used for workstations and servers." 
} ] }, { - "id": "control-0549", - "title": "Traffic separation", + "id": "control-1608", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0549-stmt", + "id": "control-1608-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." } ] }, { - "id": "control-0556", - "title": "Traffic separation", + "id": "control-1588", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1588-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "SOEs are reviewed and updated at least annually." } ] }, { - "id": "control-1015", - "title": "Internet Protocol phones in public areas", + "id": "control-1407", + "title": "Operating system versions", "parts": [ { - "id": "control-1015-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." } ] }, { - "id": "control-0558", - "title": "Internet Protocol phones in public areas", + "id": "control-1408", + "title": "Operating system versions", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." 
} ] }, { - "id": "control-0559", - "title": "Microphones and webcams", + "id": "control-1409", + "title": "Operating system configuration", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-1450", - "title": "Microphones and webcams", + "id": "control-0383", + "title": "Operating system configuration", "parts": [ { - "id": "control-1450-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1019", - "title": "Developing a denial of service response plan", + "id": "control-0380", + "title": "Operating system configuration", "parts": [ { - "id": "control-1019-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." 
} ] - } - ] - }, - { - "id": "telephone_systems", - "title": "Telephone systems", - "controls": [ + }, { - "id": "control-1078", - "title": "Telephone systems usage policy", + "id": "control-1584", + "title": "Operating system configuration", "parts": [ { - "id": "control-1078-stmt", + "id": "control-1584-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." } ] }, { - "id": "control-0229", - "title": "Personnel awareness", + "id": "control-1491", + "title": "Operating system configuration", "parts": [ { - "id": "control-0229-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe) \n• Microsoft HTML Application Host (mshta.exe)." } ] }, { - "id": "control-0230", - "title": "Personnel awareness", + "id": "control-1410", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0230-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." 
} ] }, { - "id": "control-0231", - "title": "Visual indication", + "id": "control-1469", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-0232", - "title": "Protecting conversations", + "id": "control-1592", + "title": "Application management", "parts": [ { - "id": "control-0232-stmt", + "id": "control-1592-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "Users do not have the ability to install unapproved software." } ] }, { - "id": "control-0233", - "title": "Cordless telephone systems", + "id": "control-0382", + "title": "Application management", "parts": [ { - "id": "control-0233-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + "prose": "Users do not have the ability to uninstall or disable approved software." } ] }, { - "id": "control-0235", - "title": "Speakerphones", + "id": "control-0843", + "title": "Application control", "parts": [ { - "id": "control-0235-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." 
+ "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0236", - "title": "Off-hook audio protection", + "id": "control-1490", + "title": "Application control", "parts": [ { - "id": "control-0236-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0931", - "title": "Off-hook audio protection", + "id": "control-0955", + "title": "Application control", "parts": [ { - "id": "control-0931-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." } ] }, { - "id": "control-0237", - "title": "Off-hook audio protection", + "id": "control-1582", + "title": "Application control", "parts": [ { - "id": "control-0237-stmt", + "id": "control-1582-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." 
} ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ + }, { - "id": "control-0588", - "title": "Fax machine and multifunction device usage policy", + "id": "control-1471", + "title": "Application control", "parts": [ { - "id": "control-0588-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-1092", - "title": "Sending fax messages", + "id": "control-1392", + "title": "Application control", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." } ] }, { - "id": "control-0241", - "title": "Sending fax messages", + "id": "control-1544", + "title": "Application control", "parts": [ { - "id": "control-0241-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." 
} ] }, { - "id": "control-1075", - "title": "Receiving fax messages", + "id": "control-0846", + "title": "Application control", "parts": [ { - "id": "control-1075-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." } ] }, { - "id": "control-0590", - "title": "Connecting multifunction devices to networks", + "id": "control-0957", + "title": "Application control", "parts": [ { - "id": "control-0590-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." } ] }, { - "id": "control-0245", - "title": "Connecting multifunction devices to both networks and digital telephone systems", + "id": "control-1414", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0245-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." 
+ "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." } ] }, { - "id": "control-0589", - "title": "Copying documents on multifunction devices", + "id": "control-1492", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0589-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "If supported, Microsoft's exploit protection functionality is implemented on workstations and servers." } ] }, { - "id": "control-1036", - "title": "Observing fax machine and multifunction device use", + "id": "control-1621", + "title": "PowerShell", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1621-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "PowerShell 2.0 and below is removed from operating systems." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems", - "title": "Guidelines for Database Systems", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Protecting database server contents", + "id": "control-1622", + "title": "PowerShell", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1622-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "PowerShell is configured to use Constrained Language Mode." 
} ] }, { - "id": "control-1269", - "title": "Functional separation between database servers and web servers", + "id": "control-1623", + "title": "PowerShell", "parts": [ { - "id": "control-1269-stmt", + "id": "control-1623-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." } ] }, { - "id": "control-1277", - "title": "Communications between database servers and web servers", + "id": "control-1624", + "title": "PowerShell", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1624-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." + "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." } ] }, { - "id": "control-1270", - "title": "Network environment", + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1270-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "A HIPS is implemented on workstations." } ] }, { - "id": "control-1271", - "title": "Network environment", + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." 
} ] }, { - "id": "control-1272", - "title": "Network environment", + "id": "control-1416", + "title": "Software firewall", "parts": [ { - "id": "control-1272-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." } ] }, { - "id": "control-1273", - "title": "Separation of production, test and development database servers", + "id": "control-1417", + "title": "Antivirus software", "parts": [ { - "id": "control-1273-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." } ] - } - ] - }, - { - "id": "database_management_system_software", - "title": "Database management system software", - "controls": [ + }, { - "id": "control-1245", - "title": "Temporary installation files and logs", + "id": "control-1390", + "title": "Antivirus software", "parts": [ { - "id": "control-1245-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Antivirus software has reputation rating functionality enabled." 
} ] }, { - "id": "control-1246", - "title": "Hardening and configuration", + "id": "control-1418", + "title": "Device access control software", "parts": [ { - "id": "control-1246-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." } ] }, { - "id": "control-1247", - "title": "Hardening and configuration", + "id": "control-0345", + "title": "Device access control software", "parts": [ { - "id": "control-1247-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "External interfaces of workstations and servers that allow DMA are disabled." } ] - }, + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ { - "id": "control-1249", - "title": "Restricting privileges", + "id": "control-1546", + "title": "Authenticating to systems", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "Users are authenticated before they are granted access to a system and its resources." } ] }, { - "id": "control-1250", - "title": "Restricting privileges", + "id": "control-0974", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1250-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "Multi-factor authentication is used to authenticate standard users." 
} ] }, { - "id": "control-1251", - "title": "Restricting privileges", + "id": "control-1173", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." } ] }, { - "id": "control-1260", - "title": "Database administrator accounts", + "id": "control-1384", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1260-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." } ] }, { - "id": "control-1262", - "title": "Database administrator accounts", + "id": "control-1504", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1262-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] }, { - "id": "control-1261", - "title": "Database administrator accounts", + "id": "control-1505", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1261-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." 
} ] }, { - "id": "control-1263", - "title": "Database administrator accounts", + "id": "control-1401", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1263-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." } ] }, { - "id": "control-1264", - "title": "Database administrator accounts", + "id": "control-1559", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Database register", + "id": "control-1560", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1243-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." } ] }, { - "id": "control-1256", - "title": "Protecting database contents", + "id": "control-1561", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1256-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." 
} ] }, { - "id": "control-1252", - "title": "Protecting authentication credentials in databases", + "id": "control-1357", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1252-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." } ] }, { - "id": "control-0393", - "title": "Protecting database contents", + "id": "control-0417", + "title": "Single-factor authentication", "parts": [ { - "id": "control-0393-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-1255", - "title": "Protecting database contents", + "id": "control-0421", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1255-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." } ] }, { - "id": "control-1268", - "title": "Protecting database contents", + "id": "control-1557", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1268-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." 
+ "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] }, { - "id": "control-1258", - "title": "Aggregation of database contents", + "id": "control-0422", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1258-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." } ] }, { - "id": "control-1274", - "title": "Separation of production, test and development databases", + "id": "control-1558", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1274-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." } ] }, { - "id": "control-1275", - "title": "Web application interaction with databases", + "id": "control-1596", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1275-stmt", + "id": "control-1596-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." 
+ "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." } ] }, { - "id": "control-1276", - "title": "Web application interaction with databases", + "id": "control-1227", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." + "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." } ] }, { - "id": "control-1278", - "title": "Web application interaction with databases", + "id": "control-1593", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1593-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email", - "title": "Guidelines for Email", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage policy", + "id": "control-1594", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-0264-stmt", + "id": "control-1594-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." 
} ] }, { - "id": "control-0267", - "title": "Webmail services", + "id": "control-1595", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-0267-stmt", + "id": "control-1595-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." } ] }, { - "id": "control-0270", - "title": "Protective markings for emails", + "id": "control-1619", + "title": "Setting and resetting credentials for service accounts", "parts": [ { - "id": "control-0270-stmt", + "id": "control-1619-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Service accounts are created as group Managed Service Accounts." } ] }, { - "id": "control-0271", - "title": "Protective marking tools", + "id": "control-1403", + "title": "Account lockouts", "parts": [ { - "id": "control-0271-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-0272", - "title": "Protective marking tools", + "id": "control-0431", + "title": "Account lockouts", "parts": [ { - "id": "control-0272-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Repeated account lockouts are investigated before reauthorising access." 
} ] }, { - "id": "control-1089", - "title": "Protective marking tools", + "id": "control-0976", + "title": "Account unlocks", "parts": [ { - "id": "control-1089-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." } ] }, { - "id": "control-0565", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1603", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-0565-stmt", + "id": "control-1603-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." + "prose": "Authentication methods susceptible to replay attacks are disabled." } ] }, { - "id": "control-1023", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1055", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-1023-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." } ] }, { - "id": "control-0269", - "title": "Email distribution lists", + "id": "control-1620", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-0269-stmt", + "id": "control-1620-stmt", "name": "statement", - "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." 
+ "prose": "Privileged accounts are members of the Protected Users security group." } ] - } - ] - }, - { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", - "controls": [ + }, { - "id": "control-0569", - "title": "Centralised email gateways", + "id": "control-0418", + "title": "Protecting credentials", "parts": [ { - "id": "control-0569-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." + "prose": "Credentials are stored separately from systems to which they grant access." } ] }, { - "id": "control-0571", - "title": "Centralised email gateways", + "id": "control-1597", + "title": "Protecting credentials", "parts": [ { - "id": "control-0571-stmt", + "id": "control-1597-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "Credentials are obscured as they are entered into systems." } ] }, { - "id": "control-0570", - "title": "Email gateway maintenance activities", + "id": "control-1402", + "title": "Protecting credentials", "parts": [ { - "id": "control-0570-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." } ] }, { - "id": "control-0567", - "title": "Open relay email servers", + "id": "control-1590", + "title": "Protecting credentials", "parts": [ { - "id": "control-0567-stmt", + "id": "control-1590-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." 
+ "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." } ] }, { - "id": "control-0572", - "title": "Email server transport encryption", + "id": "control-0853", + "title": "Session termination", "parts": [ { - "id": "control-0572-stmt", + "id": "control-0853-stmt", "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." + "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." } ] }, { - "id": "control-1589", - "title": "Email server transport encryption", + "id": "control-0428", + "title": "Session and screen locking", "parts": [ { - "id": "control-1589-stmt", - "name": "statement", - "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." - } - ] - }, - { - "id": "control-0574", - "title": "Sender Policy Framework", - "parts": [ - { - "id": "control-0574-stmt", - "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." - } - ] - }, - { - "id": "control-1183", - "title": "Sender Policy Framework", - "parts": [ - { - "id": "control-1183-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." 
+ "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." } ] }, { - "id": "control-1151", - "title": "Sender Policy Framework", + "id": "control-0408", + "title": "Logon banner", "parts": [ { - "id": "control-1151-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-1152", - "title": "Sender Policy Framework", + "id": "control-0979", + "title": "Logon banner", "parts": [ { - "id": "control-1152-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." + "prose": "Legal advice is sought on the exact wording of logon banners." } ] - }, + } + ] + }, + { + "id": "virtualisation_hardening", + "title": "Virtualisation hardening", + "controls": [ { - "id": "control-0861", - "title": "DomainKeys Identified Mail", + "id": "control-1460", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0861-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." } ] }, { - "id": "control-1026", - "title": "DomainKeys Identified Mail", + "id": "control-1604", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1026-stmt", + "id": "control-1604-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." } ] }, { - "id": "control-1027", - "title": "DomainKeys Identified Mail", + "id": "control-1605", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1027-stmt", + "id": "control-1605-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." } ] }, { - "id": "control-1540", - "title": "Domain-based Message Authentication, Reporting and Conformance", + "id": "control-1606", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1540-stmt", + "id": "control-1606-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1234", - "title": "Email content filtering", + "id": "control-1607", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1234-stmt", + "id": "control-1607-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1502", - "title": "Blocking suspicious emails", + "id": "control-1462", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1502-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." } ] }, { - "id": "control-1024", - "title": "Undeliverable messages", + "id": "control-1461", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1024-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." } ] } 
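Review bot: this hunk deletes the email controls control-1151 and control-1152 (SPF), control-0861, control-1026 and control-1027 (DKIM), control-1540 (DMARC), control-1234, control-1502 and control-1024, and puts logon banner (control-0408, control-0979) and virtualisation hardening (control-1460, control-1604 to control-1607, control-1462, control-1461) controls in their place, which reads as a group reordering rather than a content change, but a line-based diff cannot show that. Please confirm with an id-level comparison of the old and new catalog.json (set of control ids, and the `prose` of each) that the nine removed controls still exist elsewhere in the file and that no statement text changed unintentionally; if the regeneration tool permits it, emit groups in a stable order so the next refresh produces a reviewable diff instead of thousands of moved lines.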
@@ -3355,1320 +3219,1358 @@ ] }, { - "id": "guidelines_for_cryptography", - "title": "Guidelines for Cryptography", + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", "groups": [ { - "id": "transport_layer_security", - "title": "Transport Layer Security", + "id": "application_development", + "title": "Application development", "controls": [ { - "id": "control-1139", - "title": "Using Transport Layer Security", - "parts": [ - { - "id": "control-1139-stmt", - "name": "statement", - "prose": "Only the latest version of TLS is used." - } - ] - }, - { - "id": "control-1369", - "title": "Using Transport Layer Security", - "parts": [ - { - "id": "control-1369-stmt", - "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." - } - ] - }, - { - "id": "control-1370", - "title": "Using Transport Layer Security", + "id": "control-0400", + "title": "Development environments", "parts": [ { - "id": "control-1370-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "Development, testing and production environments are segregated." } ] }, { - "id": "control-1372", - "title": "Using Transport Layer Security", + "id": "control-1419", + "title": "Development environments", "parts": [ { - "id": "control-1372-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-1448", - "title": "Using Transport Layer Security", + "id": "control-1420", + "title": "Development environments", "parts": [ { - "id": "control-1448-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." 
+ "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-1373", - "title": "Using Transport Layer Security", + "id": "control-1422", + "title": "Development environments", "parts": [ { - "id": "control-1373-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "Anonymous DH is not used." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-1374", - "title": "Using Transport Layer Security", + "id": "control-1238", + "title": "Secure software design", "parts": [ { - "id": "control-1374-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, { - "id": "control-1375", - "title": "Using Transport Layer Security", + "id": "control-0401", + "title": "Secure programming practices", "parts": [ { - "id": "control-1375-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." } ] }, { - "id": "control-1553", - "title": "Using Transport Layer Security", + "id": "control-0402", + "title": "Software testing", "parts": [ { - "id": "control-1553-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "TLS compression is disabled." 
+ "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] }, { - "id": "control-1453", - "title": "Perfect Forward Secrecy", + "id": "control-1616", + "title": "Vulnerability disclosure program", "parts": [ { - "id": "control-1453-stmt", + "id": "control-1616-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." } ] } ] }, { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", + "id": "web_application_development", + "title": "Web application development", "controls": [ { - "id": "control-0471", - "title": "Using ASD Approved Cryptographic Algorithms", + "id": "control-1239", + "title": "Web application frameworks", "parts": [ { - "id": "control-0471-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "Only AACAs are used by cryptographic equipment and software." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-0994", - "title": "Approved asymmetric/public key algorithms", + "id": "control-1552", + "title": "Web application interactions", "parts": [ { - "id": "control-0994-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "All web application content is offered exclusively using HTTPS." } ] }, { - "id": "control-0472", - "title": "Using Diffie-Hellman", + "id": "control-1240", + "title": "Web application input handling", "parts": [ { - "id": "control-0472-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used." 
+ "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-1629", - "title": "Using Diffie-Hellman", + "id": "control-1241", + "title": "Web application output encoding", "parts": [ { - "id": "control-1629-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3." + "prose": "Output encoding is performed on all output produced by a web application." } ] }, { - "id": "control-0473", - "title": "Using the Digital Signature Algorithm", + "id": "control-1424", + "title": "Web browser-based security controls", "parts": [ { - "id": "control-0473-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 2048 bits is used." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-1630", - "title": "Using the Digital Signature Algorithm", + "id": "control-0971", + "title": "Open Web Application Security Project", "parts": [ { - "id": "control-1630-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." 
} ] - }, - { - "id": "control-1446", - "title": "Using Elliptic Curve Cryptography", + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ + { + "id": "control-0123", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1446-stmt", + "id": "control-0123-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-0474", - "title": "Using Elliptic Curve Diffie-Hellman", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0474-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used." + "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-0475", - "title": "Using the Elliptic Curve Digital Signature Algorithm", + "id": "control-1433", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0475-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used." + "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." 
} ] }, { - "id": "control-0476", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-1434", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0476-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used." + "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." } ] }, { - "id": "control-0477", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0140", + "title": "Reporting cyber security incidents to the ACSC", "parts": [ { - "id": "control-0477-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "Cyber security incidents are reported to the ACSC." + } + ] + } + ] + }, + { + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", + "controls": [ + { + "id": "control-0125", + "title": "Cyber security incident register", + "parts": [ + { + "id": "control-0125-stmt", + "name": "statement", + "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." 
} ] }, { - "id": "control-0479", - "title": "Approved symmetric encryption algorithms", + "id": "control-0133", + "title": "Handling and containing data spills", "parts": [ { - "id": "control-0479-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." } ] }, { - "id": "control-0480", - "title": "Using the Triple Data Encryption Standard", + "id": "control-0917", + "title": "Handling and containing malicious code infections", "parts": [ { - "id": "control-0480-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." } ] }, { - "id": "control-1232", - "title": "Protecting highly classified information", + "id": "control-0137", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-1232-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." 
} ] }, { - "id": "control-1468", - "title": "Protecting highly classified information", + "id": "control-1609", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-1468-stmt", + "id": "control-1609-stmt", "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." + "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + } + ] + }, + { + "id": "control-1213", + "title": "Post-incident analysis", + "parts": [ + { + "id": "control-1213-stmt", + "name": "statement", + "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + } + ] + }, + { + "id": "control-0138", + "title": "Integrity of evidence", + "parts": [ + { + "id": "control-0138-stmt", + "name": "statement", + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." } ] } ] }, { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", "controls": [ { - "id": "control-0501", - "title": "Commercial grade cryptographic equipment", + "id": "control-0576", + "title": "Intrusion detection and prevention policy", "parts": [ { - "id": "control-0501-stmt", + "id": "control-0576-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "An intrusion detection and prevention policy is developed and implemented." 
} ] }, { - "id": "control-0142", - "title": "Commercial grade cryptographic equipment", + "id": "control-1625", + "title": "Trusted insider program", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1625-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + "prose": "A trusted insider program is developed and implemented." } ] }, { - "id": "control-1091", - "title": "Commercial grade cryptographic equipment", + "id": "control-1626", + "title": "Trusted insider program", "parts": [ { - "id": "control-1091-stmt", + "id": "control-1626-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." } ] }, { - "id": "control-0499", - "title": "High Assurance Cryptographic Equipment", + "id": "control-0120", + "title": "Access to sufficient data sources and tools", "parts": [ { - "id": "control-0499-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_networking", + "title": "Guidelines for Networking", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ + { + "id": "control-1437", + "title": "Cloud-based hosting of online services", + "parts": [ + { + "id": "control-1437-stmt", + "name": "statement", + "prose": "A cloud service provider is used for hosting online services." } ] }, { - "id": "control-0505", - "title": "Storing cryptographic equipment", + "id": "control-1578", + "title": "Location policies for online services", "parts": [ { - "id": "control-0505-stmt", + "id": "control-1578-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." } ] }, { - "id": "control-0506", - "title": "Storing cryptographic equipment", + "id": "control-1579", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0506-stmt", + "id": "control-1579-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." 
} ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Configuring Secure Shell", + "id": "control-1580", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1506-stmt", + "id": "control-1580-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." } ] }, { - "id": "control-0484", - "title": "Configuring Secure Shell", + "id": "control-1441", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0484-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." + "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." } ] }, { - "id": "control-0485", - "title": "Authentication mechanisms", + "id": "control-1581", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0485-stmt", + "id": "control-1581-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "Organisations perform continuous real-time monitoring of the availability of online services." } ] }, { - "id": "control-1449", - "title": "Authentication mechanisms", + "id": "control-1438", + "title": "Using content delivery networks", "parts": [ { - "id": "control-1449-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." 
} ] }, { - "id": "control-0487", - "title": "Automated remote access", + "id": "control-1439", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0487-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." } ] }, { - "id": "control-0488", - "title": "Automated remote access", + "id": "control-1431", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0488-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." 
} ] }, { - "id": "control-0489", - "title": "SSH-agent", + "id": "control-1458", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0489-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", - "controls": [ + }, { - "id": "control-0481", - "title": "Using ASD Approved Cryptographic Protocols", + "id": "control-1432", + "title": "Domain name registrar locking", "parts": [ { - "id": "control-0481-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "Only AACPs are used by cryptographic equipment and software." + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." } ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Using Secure/Multipurpose Internet Mail Extension", + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", "parts": [ { - "id": "control-0490-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." 
+ } + ] + }, + { + "id": "control-1436", + "title": "Segregation of critical online services", + "parts": [ + { + "id": "control-1436-stmt", + "name": "statement", + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + } + ] + }, + { + "id": "control-1518", + "title": "Preparing for service continuity", + "parts": [ + { + "id": "control-1518-stmt", + "name": "statement", + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." } ] } ] }, { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", + "id": "wireless_networks", + "title": "Wireless networks", "controls": [ { - "id": "control-1161", - "title": "Reducing physical storage and handling requirements", + "id": "control-1314", + "title": "Choosing wireless access points", "parts": [ { - "id": "control-1161-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-0457", - "title": "Reducing physical storage and handling requirements", + "id": "control-0536", + "title": "Wireless networks for public access", "parts": [ { - "id": "control-0457-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." 
} ] }, { - "id": "control-0460", - "title": "Reducing physical storage and handling requirements", + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", "parts": [ { - "id": "control-0460-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." } ] }, { - "id": "control-0459", - "title": "Encrypting information at rest", + "id": "control-1316", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0459-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "The default SSID of wireless access points is changed." } ] }, { - "id": "control-0461", - "title": "Encrypting information at rest", + "id": "control-1317", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." 
} ] }, { - "id": "control-1080", - "title": "Encrypting particularly important information at rest", + "id": "control-1318", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1080-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." + "prose": "SSID broadcasting is enabled on wireless networks." } ] }, { - "id": "control-0455", - "title": "Data recovery", + "id": "control-1319", + "title": "Static addressing", "parts": [ { - "id": "control-0455-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." } ] }, { - "id": "control-0462", - "title": "Handling encrypted ICT equipment and media", + "id": "control-1320", + "title": "Media Access Control address filtering", "parts": [ { - "id": "control-0462-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." 
} ] }, { - "id": "control-1162", - "title": "Encrypting information in transit", + "id": "control-1321", + "title": "802.1X authentication", "parts": [ { - "id": "control-1162-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] }, { - "id": "control-0465", - "title": "Encrypting information in transit", + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", "parts": [ { - "id": "control-0465-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." } ] }, { - "id": "control-0467", - "title": "Encrypting information in transit", + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0467-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." 
} ] }, { - "id": "control-0469", - "title": "Encrypting particularly important information in transit", + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0469-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." + "prose": "Both device and user certificates are required for accessing wireless networks." } ] - } - ] - }, - { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", - "controls": [ + }, { - "id": "control-0494", - "title": "Mode of operation", + "id": "control-1325", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0494-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." } ] }, { - "id": "control-0496", - "title": "Protocol selection", + "id": "control-1326", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0496-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." } ] }, { - "id": "control-1233", - "title": "Key exchange", + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1233-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." 
} ] }, { - "id": "control-0497", - "title": "Internet Security Association Key Management Protocol modes", + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", "parts": [ { - "id": "control-0497-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." } ] }, { - "id": "control-0498", - "title": "Security association lifetimes", + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", "parts": [ { - "id": "control-0498-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] }, { - "id": "control-0998", - "title": "Hashed Message Authentication Code algorithms", + "id": "control-1332", + "title": "Encryption of wireless network traffic", "parts": [ { - "id": "control-0998-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." } ] }, { - "id": "control-0999", - "title": "Diffie-Hellman groups", + "id": "control-1334", + "title": "Interference between wireless networks", "parts": [ { - "id": "control-0999-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." 
} ] }, { - "id": "control-1000", - "title": "Perfect Forward Secrecy", + "id": "control-1335", + "title": "Protecting management frames on wireless networks", + "parts": [ + { + "id": "control-1335-stmt", + "name": "statement", + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + } + ] + }, + { + "id": "control-1338", + "title": "Wireless network footprint", "parts": [ { - "id": "control-1000-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." } ] }, { - "id": "control-1001", - "title": "Internet Key Exchange Extended Authentication", + "id": "control-1013", + "title": "Wireless network footprint", "parts": [ { - "id": "control-1001-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ + }, { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", + "id": "network_design_and_configuration", + "title": "Network design and configuration", "controls": [ { - "id": "control-0041", - "title": "System security plan", + "id": "control-0516", + "title": "Network documentation", "parts": [ { - "id": "control-0041-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." 
} ] }, { - "id": "control-0043", - "title": "Incident response plan", + "id": "control-0518", + "title": "Network documentation", "parts": [ { - "id": "control-0043-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." 
} ] }, { - "id": "control-1163", - "title": "Continuous monitoring plan", + "id": "control-1178", + "title": "Network documentation", "parts": [ { - "id": "control-1163-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." } ] }, { - "id": "control-1563", - "title": "Security assessment report", + "id": "control-1181", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-1563-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." } ] }, { - "id": "control-1564", - "title": "Plan of action and milestones", - "parts": [ - { - "id": "control-1564-stmt", - "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." 
- } - ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ - { - "id": "control-0039", - "title": "Cyber security strategy", + "id": "control-1577", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0039-stmt", + "id": "control-1577-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." + "prose": "Organisation networks are segregated from service provider networks." } ] }, { - "id": "control-0047", - "title": "Approval of security documentation", + "id": "control-1532", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0047-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0888", - "title": "Maintenance of security documentation", + "id": "control-0529", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0888-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." 
} ] }, { - "id": "control-1602", - "title": "Communication of security documentation", + "id": "control-1364", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1602-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." + "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", - "controls": [ + }, { - "id": "control-0252", - "title": "Providing cyber security awareness training", + "id": "control-0535", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0252-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." + "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-1565", - "title": "Providing cyber security awareness training", + "id": "control-0530", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1565-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "Tailored privileged user training is undertaken annually by all privileged users." + "prose": "Network devices implementing VLANs are managed from the most trusted network." 
} ] }, { - "id": "control-0817", - "title": "Reporting suspicious contact via online services", + "id": "control-0521", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0817-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-0820", - "title": "Posting work information to online services", + "id": "control-1186", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0820-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." } ] }, { - "id": "control-1146", - "title": "Posting work information to online services", + "id": "control-1428", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-0821", - "title": "Posting personal information to online services", + "id": "control-1429", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0821-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." 
+ "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." } ] }, { - "id": "control-0824", - "title": "Sending and receiving files via online services", + "id": "control-1430", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0824-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." } ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "System access requirements", + "id": "control-0520", + "title": "Network access controls", "parts": [ { - "id": "control-0432-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] }, { - "id": "control-0434", - "title": "System access requirements", + "id": "control-1182", + "title": "Network access controls", "parts": [ { - "id": "control-0434-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." 
} ] }, { - "id": "control-0435", - "title": "System access requirements", + "id": "control-1301", + "title": "Network device register", "parts": [ { - "id": "control-0435-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + "prose": "A network device register is maintained and regularly audited." } ] }, { - "id": "control-0414", - "title": "User identification", + "id": "control-1304", + "title": "Default accounts for network devices", "parts": [ { - "id": "control-0414-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-0415", - "title": "User identification", + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", "parts": [ { - "id": "control-0415-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "Unused physical ports on network devices are disabled." } ] }, { - "id": "control-1583", - "title": "User identification", + "id": "control-0385", + "title": "Functional separation between servers", "parts": [ { - "id": "control-1583-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "Personnel who are contractors are identified as such." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." 
} ] }, { - "id": "control-0975", - "title": "User identification", + "id": "control-1479", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0975-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-0420", - "title": "User identification", + "id": "control-1006", + "title": "Management traffic", "parts": [ { - "id": "control-0420-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." } ] }, { - "id": "control-0405", - "title": "Standard access to systems", + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-0405-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "SNMP version 1 and 2 are not used on networks." } ] }, { - "id": "control-1503", - "title": "Standard access to systems", + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1503-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." 
} ] }, { - "id": "control-1566", - "title": "Standard access to systems", + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1566-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." } ] }, { - "id": "control-0409", - "title": "Standard access to systems by foreign nationals", + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0409-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." } ] }, { - "id": "control-0411", - "title": "Standard access to systems by foreign nationals", + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0411-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." 
+ "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] }, { - "id": "control-1507", - "title": "Privileged access to systems", + "id": "control-1627", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-1507-stmt", + "id": "control-1627-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." } ] }, { - "id": "control-1508", - "title": "Privileged access to systems", + "id": "control-1628", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-1508-stmt", + "id": "control-1628-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Outbound network connections to anonymity networks are blocked." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ + { + "id": "system_owners", + "title": "System owners", + "controls": [ { - "id": "control-0445", - "title": "Privileged access to systems", + "id": "control-1071", + "title": "System ownership", "parts": [ { - "id": "control-0445-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "Each system has a designated system owner." 
} ] }, { - "id": "control-1509", - "title": "Privileged access to systems", + "id": "control-1525", + "title": "Gaining authorisation to operate systems", "parts": [ { - "id": "control-1509-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "System owners register each system with the system’s authorising officer." } ] }, { - "id": "control-1175", - "title": "Privileged access to systems", + "id": "control-0027", + "title": "Gaining authorisation to operate systems", "parts": [ { - "id": "control-1175-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." } ] }, { - "id": "control-0448", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1526", + "title": "Monitoring cyber threats, security risks and security controls", "parts": [ { - "id": "control-0448-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." + "prose": "System owners monitor security risks and the effectiveness of security controls for each system." } ] }, { - "id": "control-0446", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1587", + "title": "Annual reporting of system security status", "parts": [ { - "id": "control-0446-stmt", + "id": "control-1587-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." 
+ "prose": "System owners report the security status of each system to its authorising officer at least annually." } ] - }, + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ { - "id": "control-0447", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0714", + "title": "Providing cyber security leadership and guidance", "parts": [ { - "id": "control-0447-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." } ] }, { - "id": "control-0430", - "title": "Suspension of access to systems", + "id": "control-1478", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-0430-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." } ] }, { - "id": "control-1591", - "title": "Suspension of access to systems", + "id": "control-1617", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1591-stmt", + "id": "control-1617-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." 
+ "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." } ] }, { - "id": "control-1404", - "title": "Suspension of access to systems", + "id": "control-0724", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1404-stmt", + "id": "control-0724-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." } ] }, { - "id": "control-0407", - "title": "Recording authorisation for personnel to access systems", + "id": "control-0725", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-0407-stmt", + "id": "control-0725-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." + "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." 
} ] }, { - "id": "control-0441", - "title": "Temporary access to systems", + "id": "control-0726", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-0441-stmt", + "id": "control-0726-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "The CISO coordinates security risk management activities between cyber security and business teams." } ] }, { - "id": "control-0443", - "title": "Temporary access to systems", + "id": "control-0718", + "title": "Reporting on cyber security", "parts": [ { - "id": "control-0443-stmt", + "id": "control-0718-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." } ] }, { - "id": "control-1610", - "title": "Emergency access to systems", + "id": "control-0733", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-1610-stmt", + "id": "control-0733-stmt", "name": "statement", - "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "The CISO is fully aware of all cyber security incidents within their organisation." } ] }, { - "id": "control-1611", - "title": "Emergency access to systems", + "id": "control-1618", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-1611-stmt", + "id": "control-1618-stmt", "name": "statement", - "prose": "Break glass accounts are only used when normal authentication processes cannot be used." 
+ "prose": "The CISO oversees their organisation’s response to cyber security incidents." } ] }, { - "id": "control-1612", - "title": "Emergency access to systems", + "id": "control-0734", + "title": "Contributing to business continuity and disaster recovery planning", "parts": [ { - "id": "control-1612-stmt", + "id": "control-0734-stmt", "name": "statement", - "prose": "Break glass accounts are only used for specific authorised activities." + "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." } ] }, { - "id": "control-1613", - "title": "Emergency access to systems", + "id": "control-0720", + "title": "Developing a cyber security communications strategy", "parts": [ { - "id": "control-1613-stmt", + "id": "control-0720-stmt", "name": "statement", - "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." + "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." } ] }, { - "id": "control-1614", - "title": "Emergency access to systems", + "id": "control-0731", + "title": "Working with suppliers and service providers", "parts": [ { - "id": "control-1614-stmt", + "id": "control-0731-stmt", "name": "statement", - "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." + "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." } ] }, { - "id": "control-1615", - "title": "Emergency access to systems", + "id": "control-0732", + "title": "Receiving and managing a dedicated cyber security budget", "parts": [ { - "id": "control-1615-stmt", + "id": "control-0732-stmt", "name": "statement", - "prose": "Break glass accounts are tested after credentials are changed." 
+ "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." } ] }, { - "id": "control-0078", - "title": "Control of Australian systems", + "id": "control-0717", + "title": "Overseeing cyber security personnel", "parts": [ { - "id": "control-0078-stmt", + "id": "control-0717-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "The CISO oversees the management of cyber security personnel within their organisation." } ] }, { - "id": "control-0854", - "title": "Control of Australian systems", + "id": "control-0735", + "title": "Overseeing cyber security awareness raising", "parts": [ { - "id": "control-0854-stmt", + "id": "control-0735-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." + "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." } ] } 
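Review bot: The deletions and additions in this hunk do not correspond, so the diff cannot be reviewed for content as it stands: "control-0441" and "control-0443" (Temporary access to systems), "control-1610" through "control-1615" (Emergency access to systems, the break glass account controls) and "control-0078"/"control-0854" (Control of Australian systems) are removed, while unrelated CISO controls ("control-0726", "control-0718", "control-0733", "control-1618", "control-0734", "control-0720", "control-0731", "control-0732", "control-0717", "control-0735") take their place, which reads as the catalog generator emitting groups in a different order rather than a change to the controls themselves. Please state in the PR that the removed control ids reappear elsewhere in the regenerated catalog.json, ideally with a comparison of the sorted id sets before and after, because a silently dropped control (for example one of the break glass monitoring controls) would not be noticed in a hunk of this size.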
@@ -4677,1864 +4579,1951 @@ ] }, { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", + "id": "guidelines_for_data_transfers", + "title": "Guidelines for Data Transfers", "groups": [ { - "id": "authentication_hardening", - "title": "Authentication hardening", + "id": "data_transfers", + "title": "Data transfers", "controls": [ { - "id": "control-1546", - "title": "Authenticating to systems", + "id": "control-0663", + "title": "Data transfer process and procedures", + "parts": [ + { + "id": "control-0663-stmt", + "name": "statement", + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + } + ] + }, + { + "id": "control-0661", + "title": "User responsibilities", + "parts": [ + { + "id": "control-0661-stmt", + "name": "statement", + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + } + ] + }, + { + "id": "control-0665", + "title": "Trusted sources", "parts": [ { - "id": "control-1546-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." } ] }, { - "id": "control-0974", - "title": "Multi-factor authentication", + "id": "control-0664", + "title": "Data transfer approval", "parts": [ { - "id": "control-0974-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." 
} ] }, { - "id": "control-1173", - "title": "Multi-factor authentication", + "id": "control-0675", + "title": "Data transfer approval", "parts": [ { - "id": "control-1173-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "A trusted source signs all data authorised for export from a system." } ] }, { - "id": "control-1384", - "title": "Multi-factor authentication", + "id": "control-0657", + "title": "Import of data", "parts": [ { - "id": "control-1384-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." + "prose": "Data imported to a system is scanned for malicious and active content." } ] }, { - "id": "control-1504", - "title": "Multi-factor authentication", + "id": "control-0658", + "title": "Import of data", "parts": [ { - "id": "control-1504-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." } ] }, { - "id": "control-1505", - "title": "Multi-factor authentication", + "id": "control-1187", + "title": "Export of data", "parts": [ { - "id": "control-1505-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "When exporting data, protective marking checks are undertaken." 
} ] }, { - "id": "control-1401", - "title": "Multi-factor authentication", + "id": "control-0669", + "title": "Export of data", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." } ] }, { - "id": "control-1559", - "title": "Multi-factor authentication", + "id": "control-1535", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1559-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-1560", - "title": "Multi-factor authentication", + "id": "control-0678", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1560-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." 
} ] }, { - "id": "control-1561", - "title": "Multi-factor authentication", + "id": "control-1586", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1561-stmt", + "id": "control-1586-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "Data transfer logs are used to record all data imports and exports from systems." } ] }, { - "id": "control-1357", - "title": "Multi-factor authentication", + "id": "control-1294", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1357-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." + "prose": "Data transfer logs are partially audited at least monthly." } ] }, { - "id": "control-0417", - "title": "Single-factor authentication", + "id": "control-0660", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0417-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + "prose": "Data transfer logs are fully audited at least monthly." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_ict_equipment", + "title": "Guidelines for ICT Equipment", + "groups": [ + { + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", + "controls": [ { - "id": "control-0421", - "title": "Single-factor authentication", + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0421-stmt", + "id": "control-0313-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-1557", - "title": "Single-factor authentication", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1557-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-0422", - "title": "Single-factor authentication", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0422-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." 
} ] }, { - "id": "control-1558", - "title": "Single-factor authentication", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1558-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." } ] }, { - "id": "control-1596", - "title": "Single-factor authentication", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1596-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1227", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0315", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1227-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." + "prose": "When disposing of high assurance ICT equipment, it is destroyed prior to its disposal." 
} ] }, { - "id": "control-1593", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0321", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1593-stmt", + "id": "control-0321-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." + "prose": "When disposing of ICT equipment that has been designed or modified to meet TEMPEST standards, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-1594", - "title": "Setting and resetting credentials for user accounts", + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1594-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." } ] }, { - "id": "control-1595", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1595-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." 
} ] }, { - "id": "control-1619", - "title": "Setting and resetting credentials for service accounts", + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1619-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "Service accounts are created as group Managed Service Accounts." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." } ] }, { - "id": "control-1403", - "title": "Account lockouts", + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1403-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." } ] }, { - "id": "control-0431", - "title": "Account lockouts", + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0431-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." } ] }, { - "id": "control-0976", - "title": "Account unlocks", + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0976-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." 
} ] }, { - "id": "control-1603", - "title": "Insecure authentication methods", + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1603-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "Authentication methods susceptible to replay attacks are disabled." + "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." } ] }, { - "id": "control-1055", - "title": "Insecure authentication methods", + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1055-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." } ] }, { - "id": "control-1620", - "title": "Insecure authentication methods", + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-1620-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "Privileged accounts are members of the Protected Users security group." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-0418", - "title": "Protecting credentials", + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0418-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." 
} ] }, { - "id": "control-1597", - "title": "Protecting credentials", + "id": "control-1223", + "title": "Sanitising network devices", "parts": [ { - "id": "control-1597-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "Credentials are obscured as they are entered into systems." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." } ] }, { - "id": "control-1402", - "title": "Protecting credentials", + "id": "control-1225", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1402-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-1590", - "title": "Protecting credentials", + "id": "control-1226", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1590-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-0853", - "title": "Session termination", + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", "parts": [ { - "id": "control-0853-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." } ] }, { - "id": "control-0428", - "title": "Session and screen locking", + "id": "control-0305", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0428-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." } ] }, { - "id": "control-0408", - "title": "Logon banner", + "id": "control-0307", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0408-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." 
+ "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-0979", - "title": "Logon banner", + "id": "control-0306", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0979-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." } ] - } - ] - }, - { - "id": "operating_system_hardening", - "title": "Operating system hardening", - "controls": [ + }, { - "id": "control-1406", - "title": "Standard Operating Environments", + "id": "control-0310", + "title": "Off-site maintenance and repairs", "parts": [ { - "id": "control-1406-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "SOEs are used for workstations and servers." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] }, { - "id": "control-1608", - "title": "Standard Operating Environments", + "id": "control-0944", + "title": "Maintenance and repair of ICT equipment from secured spaces", "parts": [ { - "id": "control-1608-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." 
+ "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." } ] }, { - "id": "control-1588", - "title": "Standard Operating Environments", + "id": "control-1598", + "title": "Inspection of ICT equipment following maintenance and repairs", "parts": [ { - "id": "control-1588-stmt", + "id": "control-1598-stmt", "name": "statement", - "prose": "SOEs are reviewed and updated at least annually." + "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." } ] - }, + } + ] + }, + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ { - "id": "control-1407", - "title": "Operating system versions", + "id": "control-1551", + "title": "ICT equipment management policy", "parts": [ { - "id": "control-1407-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-1408", - "title": "Operating system versions", + "id": "control-0293", + "title": "Classifying ICT equipment", "parts": [ { - "id": "control-1408-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." 
} ] }, { - "id": "control-1409", - "title": "Operating system configuration", + "id": "control-0294", + "title": "Labelling ICT equipment", "parts": [ { - "id": "control-1409-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-0383", - "title": "Operating system configuration", + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", "parts": [ { - "id": "control-0383-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] }, { - "id": "control-0380", - "title": "Operating system configuration", + "id": "control-1599", + "title": "Handling ICT equipment", "parts": [ { - "id": "control-0380-stmt", + "id": "control-1599-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-1584", - "title": "Operating system configuration", + "id": "control-0039", + "title": "Cyber security strategy", "parts": [ { - "id": "control-1584-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-1491", - "title": "Operating system configuration", + "id": "control-0047", + "title": "Approval of security documentation", "parts": [ { - "id": "control-1491-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe) \n• Microsoft HTML Application Host (mshta.exe)." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." } ] }, { - "id": "control-1410", - "title": "Local administrator accounts", + "id": "control-0888", + "title": "Maintenance of security documentation", "parts": [ { - "id": "control-1410-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." 
+ "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1469", - "title": "Local administrator accounts", + "id": "control-1602", + "title": "Communication of security documentation", "parts": [ { - "id": "control-1469-stmt", + "id": "control-1602-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." } ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-1592", - "title": "Application management", + "id": "control-0041", + "title": "System security plan", "parts": [ { - "id": "control-1592-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "Users do not have the ability to install unapproved software." + "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-0382", - "title": "Application management", + "id": "control-0043", + "title": "Incident response plan", "parts": [ { - "id": "control-0382-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "Users do not have the ability to uninstall or disable approved software." 
+ "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." } ] }, { - "id": "control-0843", - "title": "Application control", + "id": "control-1163", + "title": "Continuous monitoring plan", "parts": [ { - "id": "control-0843-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." 
} ] }, { - "id": "control-1490", - "title": "Application control", + "id": "control-1563", + "title": "Security assessment report", "parts": [ { - "id": "control-1490-stmt", + "id": "control-1563-stmt", "name": "statement", - "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." } ] }, { - "id": "control-0955", - "title": "Application control", + "id": "control-1564", + "title": "Plan of action and milestones", "parts": [ { - "id": "control-0955-stmt", + "id": "control-1564-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media", + "title": "Guidelines for Media", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-1582", - "title": "Application control", + "id": "control-0363", + "title": "Media destruction process and procedures", "parts": [ { - "id": "control-1582-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." 
} ] }, { - "id": "control-1471", - "title": "Application control", + "id": "control-0350", + "title": "Media that cannot be sanitised", "parts": [ { - "id": "control-1471-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." } ] }, { - "id": "control-1392", - "title": "Application control", + "id": "control-1361", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1392-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "SCEC or ASIO approved equipment is used when destroying media." } ] }, { - "id": "control-1544", - "title": "Application control", + "id": "control-1160", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1544-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." 
} ] }, { - "id": "control-0846", - "title": "Application control", + "id": "control-1517", + "title": "Media destruction methods", "parts": [ { - "id": "control-0846-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." + "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." } ] }, { - "id": "control-0957", - "title": "Application control", + "id": "control-0366", + "title": "Media destruction methods", "parts": [ { - "id": "control-0957-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." } ] }, { - "id": "control-1414", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-0368", + "title": "Treatment of media waste particles", "parts": [ { - "id": "control-1414-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." 
} ] }, { - "id": "control-1492", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-0361", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1492-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "If supported, Microsoft's exploit protection functionality is implemented on workstations and servers." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." } ] }, { - "id": "control-1621", - "title": "PowerShell", + "id": "control-0838", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1621-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "PowerShell 2.0 and below is removed from operating systems." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." } ] }, { - "id": "control-1622", - "title": "PowerShell", + "id": "control-0362", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1622-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "PowerShell is configured to use Constrained Language Mode." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." } ] }, { - "id": "control-1623", - "title": "PowerShell", + "id": "control-0370", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1623-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." 
} ] }, { - "id": "control-1624", - "title": "PowerShell", + "id": "control-0371", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1624-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." } ] }, { - "id": "control-1341", - "title": "Host-based Intrusion Prevention System", + "id": "control-0372", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1341-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1034", - "title": "Host-based Intrusion Prevention System", + "id": "control-0373", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1034-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." 
} ] }, { - "id": "control-1416", - "title": "Software firewall", + "id": "control-0840", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1416-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." } ] }, { - "id": "control-1417", - "title": "Antivirus software", + "id": "control-0839", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1417-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." } ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-1390", - "title": "Antivirus software", + "id": "control-0374", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1390-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." 
} ] }, { - "id": "control-1418", - "title": "Device access control software", + "id": "control-0375", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1418-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-0345", - "title": "Device access control software", + "id": "control-0378", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-0345-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "External interfaces of workstations and servers that allow DMA are disabled." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." } ] } ] }, { - "id": "application_hardening", - "title": "Application hardening", + "id": "media_usage", + "title": "Media usage", "controls": [ { - "id": "control-0938", - "title": "Application selection", + "id": "control-1549", + "title": "Media management policy", "parts": [ { - "id": "control-0938-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "A media management policy is developed and implemented." 
} ] }, { - "id": "control-1467", - "title": "Application versions", + "id": "control-1359", + "title": "Removable media usage policy", "parts": [ { - "id": "control-1467-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." + "prose": "A removable media usage policy is developed and implemented." } ] }, { - "id": "control-1483", - "title": "Application versions", + "id": "control-0323", + "title": "Classifying media storing information", "parts": [ { - "id": "control-1483-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." } ] }, { - "id": "control-1412", - "title": "Hardening application configurations", + "id": "control-0325", + "title": "Classifying media connected to systems", "parts": [ { - "id": "control-1412-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." 
} ] }, { - "id": "control-1484", - "title": "Hardening application configurations", + "id": "control-0331", + "title": "Reclassifying media", "parts": [ { - "id": "control-1484-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." } ] }, { - "id": "control-1485", - "title": "Hardening application configurations", + "id": "control-0330", + "title": "Reclassifying media", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." } ] }, { - "id": "control-1486", - "title": "Hardening application configurations", + "id": "control-0332", + "title": "Labelling media", "parts": [ { - "id": "control-1486-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-1541", - "title": "Hardening application configurations", + "id": "control-1600", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1541-stmt", + "id": "control-1600-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." 
+ "prose": "Media is sanitised before it is used with systems for the first time." } ] }, { - "id": "control-1542", - "title": "Hardening application configurations", + "id": "control-0337", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1542-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." } ] }, { - "id": "control-1470", - "title": "Hardening application configurations", + "id": "control-0341", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1470-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." } ] }, { - "id": "control-1235", - "title": "Hardening application configurations", + "id": "control-0342", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1235-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-1601", - "title": "Hardening application configurations", + "id": "control-0343", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1601-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." 
+ "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-1585", - "title": "Hardening application configurations", + "id": "control-0831", + "title": "Handling media", "parts": [ { - "id": "control-1585-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." } ] }, { - "id": "control-1487", - "title": "Microsoft Office macros", + "id": "control-1059", + "title": "Handling media", "parts": [ { - "id": "control-1487-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1488", - "title": "Microsoft Office macros", + "id": "control-0347", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1488-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." } ] }, { - "id": "control-1489", - "title": "Microsoft Office macros", + "id": "control-0947", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1489-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." 
+ "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." } ] } ] }, { - "id": "virtualisation_hardening", - "title": "Virtualisation hardening", + "id": "media_sanitisation", + "title": "Media sanitisation", "controls": [ { - "id": "control-1460", - "title": "Functional separation between computing environments", + "id": "control-0348", + "title": "Media sanitisation process and procedures", "parts": [ { - "id": "control-1460-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-1604", - "title": "Functional separation between computing environments", + "id": "control-0351", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1604-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1605", - "title": "Functional separation between computing environments", + "id": "control-0352", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1605-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." } ] }, { - "id": "control-1606", - "title": "Functional separation between computing environments", + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", "parts": [ { - "id": "control-1606-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-1607", - "title": "Functional separation between computing environments", + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1607-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." 
+ "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-1462", - "title": "Functional separation between computing environments", + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1461", - "title": "Functional separation between computing environments", + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1461-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ - { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", - "controls": [ + }, { - "id": "control-0580", - "title": "Event logging policy", + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", "parts": [ { - "id": "control-0580-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-1405", - "title": "Centralised logging facility", + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1405-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0988", - "title": "Centralised logging facility", + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-0988-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." 
+ "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0584", - "title": "Events to be logged", + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", "parts": [ { - "id": "control-0584-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-0582", - "title": "Events to be logged", + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", "parts": [ { - "id": "control-0582-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1536", - "title": "Events to be logged", + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", "parts": [ { - "id": "control-1536-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." } ] }, { - "id": "control-1537", - "title": "Events to be logged", + "id": "control-1464", + "title": "Encrypted media sanitisation", "parts": [ { - "id": "control-1537-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." + "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cryptography", + "title": "Guidelines for Cryptography", + "groups": [ + { + "id": "secure_shell", + "title": "Secure Shell", + "controls": [ { - "id": "control-0585", - "title": "Events log details", + "id": "control-1506", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-0585-stmt", + "id": "control-1506-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "The use of SSH version 1 is disabled." } ] }, { - "id": "control-0586", - "title": "Event log protection", + "id": "control-0484", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-0586-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-0859", - "title": "Event log retention", + "id": "control-0485", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-0859-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "Public key-based authentication is used for SSH connections." } ] }, { - "id": "control-0991", - "title": "Event log retention", + "id": "control-1449", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-0991-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "SSH private keys are protected with a passphrase or a key encryption key." 
} ] }, { - "id": "control-0109", - "title": "Event log auditing process and procedures", + "id": "control-0487", + "title": "Automated remote access", "parts": [ { - "id": "control-0109-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." } ] }, { - "id": "control-1228", - "title": "Event log auditing process and procedures", + "id": "control-0488", + "title": "Automated remote access", "parts": [ { - "id": "control-1228-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", - "groups": [ - { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", - "controls": [ + }, { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-0489", + "title": "SSH-agent", "parts": [ { - "id": "control-0123-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." 
+ "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", + "controls": [ { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0141-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "Only AACAs are used by cryptographic equipment and software." } ] }, { - "id": "control-1433", - "title": "Reporting cyber security incidents", + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", "parts": [ { - "id": "control-1433-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." } ] }, { - "id": "control-1434", - "title": "Reporting cyber security incidents", + "id": "control-0472", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-1434-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used." 
} ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents to the ACSC", + "id": "control-1629", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-0140-stmt", + "id": "control-1629-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." + "prose": "When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3." } ] - } - ] - }, - { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", - "controls": [ + }, { - "id": "control-0125", - "title": "Cyber security incident register", + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-0125-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." + "prose": "When using DSA for digital signatures, a modulus of at least 2048 bits is used." } ] }, { - "id": "control-0133", - "title": "Handling and containing data spills", + "id": "control-1630", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-0133-stmt", + "id": "control-1630-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." + "prose": "When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4." 
} ] }, { - "id": "control-0917", - "title": "Handling and containing malicious code infections", + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", "parts": [ { - "id": "control-0917-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." } ] }, { - "id": "control-0137", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", "parts": [ { - "id": "control-0137-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used." } ] }, { - "id": "control-1609", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", "parts": [ { - "id": "control-1609-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used." 
} ] }, { - "id": "control-1213", - "title": "Post-incident analysis", + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-1213-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used." } ] }, { - "id": "control-0138", - "title": "Integrity of evidence", + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0138-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." + "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." } ] - } - ] - }, - { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", - "controls": [ + }, { - "id": "control-0576", - "title": "Intrusion detection and prevention policy", + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", "parts": [ { - "id": "control-0576-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." 
} ] }, { - "id": "control-1625", - "title": "Trusted insider program", + "id": "control-0480", + "title": "Using the Triple Data Encryption Standard", "parts": [ { - "id": "control-1625-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "A trusted insider program is developed and implemented." + "prose": "3DES is used with three distinct keys." } ] }, { - "id": "control-1626", - "title": "Trusted insider program", + "id": "control-1232", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-1626-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." + "prose": "AACAs are used in an evaluated implementation." } ] }, { - "id": "control-0120", - "title": "Access to sufficient data sources and tools", + "id": "control-1468", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0120-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." } ] } ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ + }, { - "id": "mobile_device_usage", - "title": "Mobile device usage", + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", "controls": [ { - "id": "control-1082", - "title": "Mobile device usage policy", + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-1082-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "Versions of S/MIME earlier than 3.0 are not used." 
} ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-1083", - "title": "Personnel awareness", + "id": "control-1139", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1083-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "Only the latest version of TLS is used." } ] }, { - "id": "control-0240", - "title": "Paging and message services", + "id": "control-1369", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-0866", - "title": "Using mobile devices in public spaces", + "id": "control-1370", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0866-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "Only server-initiated secure renegotiation is used." } ] }, { - "id": "control-1145", - "title": "Using mobile devices in public spaces", + "id": "control-1372", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1145-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." + "prose": "DH or ECDH is used for key establishment." 
} ] }, { - "id": "control-0871", - "title": "Maintaining control of mobile devices", + "id": "control-1448", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0871-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." } ] }, { - "id": "control-0870", - "title": "Maintaining control of mobile devices", + "id": "control-1373", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0870-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-1084", - "title": "Carrying mobile devices", + "id": "control-1374", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1084-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "SHA-2-based certificates are used." } ] }, { - "id": "control-0701", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1375", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0701-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." 
} ] }, { - "id": "control-0702", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1553", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0702-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "TLS compression is disabled." } ] }, { - "id": "control-1298", - "title": "Before travelling overseas with mobile devices", + "id": "control-1453", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1298-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "PFS is used for TLS connections." } ] - }, + } + ] + }, + { + "id": "cryptographic_system_management", + "title": "Cryptographic system management", + "controls": [ { - "id": "control-1554", - "title": "Before travelling overseas with mobile devices", + "id": "control-0501", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1554-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." 
} ] }, { - "id": "control-1555", - "title": "Before travelling overseas with mobile devices", + "id": "control-0142", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1555-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." 
} ] }, { - "id": "control-1299", - "title": "While travelling overseas with mobile devices", + "id": "control-1091", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1299-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "Keying material is changed when compromised or suspected of being compromised." 
} ] }, { - "id": "control-1088", - "title": "While travelling overseas with mobile devices", + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", "parts": [ { - "id": "control-1088-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." } ] }, { - "id": "control-1300", - "title": "After travelling overseas with mobile devices", + "id": "control-0505", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1300-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." 
} ] }, { - "id": "control-1556", - "title": "After travelling overseas with mobile devices", + "id": "control-0506", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1556-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." } ] } ] }, { - "id": "mobile_device_management", - "title": "Mobile device management", + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", "controls": [ { - "id": "control-1533", - "title": "Mobile device management policy", + "id": "control-1161", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1533-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." } ] }, { - "id": "control-1195", - "title": "Mobile device management policy", + "id": "control-0457", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1195-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." 
+ "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] }, { - "id": "control-0687", - "title": "Mobile device management policy", + "id": "control-0460", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-0687-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-1400", - "title": "Privately-owned mobile devices", + "id": "control-0459", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-1400-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-0694", - "title": "Privately-owned mobile devices", + "id": "control-0461", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0694-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems or information." 
+ "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-1297", - "title": "Seeking legal advice for privately-owned mobile devices", + "id": "control-1080", + "title": "Encrypting particularly important information at rest", "parts": [ { - "id": "control-1297-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." } ] }, { - "id": "control-1482", - "title": "Organisation-owned mobile devices", + "id": "control-0455", + "title": "Data recovery", "parts": [ { - "id": "control-1482-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." } ] }, { - "id": "control-0869", - "title": "Mobile device storage encryption", + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", "parts": [ { - "id": "control-0869-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
+ "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] }, { - "id": "control-1085", - "title": "Mobile device communications encryption", + "id": "control-1162", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1085-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1202", - "title": "Mobile device Bluetooth functionality", + "id": "control-0465", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1202-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0682", - "title": "Mobile device Bluetooth functionality", + "id": "control-0467", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-0682-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
+ "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1196", - "title": "Mobile device Bluetooth pairing", + "id": "control-0469", + "title": "Encrypting particularly important information in transit", "parts": [ { - "id": "control-1196-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ { - "id": "control-1200", - "title": "Mobile device Bluetooth pairing", + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-1200-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "Only AACPs are used by cryptographic equipment and software." + } + ] + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ + { + "id": "control-0494", + "title": "Mode of operation", + "parts": [ + { + "id": "control-0494-stmt", + "name": "statement", + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." 
} ] }, { - "id": "control-1198", - "title": "Mobile device Bluetooth pairing", + "id": "control-0496", + "title": "Protocol selection", "parts": [ { - "id": "control-1198-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "The ESP protocol is used for IPsec connections." } ] }, { - "id": "control-1199", - "title": "Mobile device Bluetooth pairing", + "id": "control-1233", + "title": "Key exchange", "parts": [ { - "id": "control-1199-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-0863", - "title": "Configuration control", + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", "parts": [ { - "id": "control-0863-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." } ] }, { - "id": "control-0864", - "title": "Configuration control", + "id": "control-0498", + "title": "Security association lifetimes", "parts": [ { - "id": "control-0864-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." 
} ] }, { - "id": "control-1365", - "title": "Maintaining mobile device security", + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", "parts": [ { - "id": "control-1365-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-1366", - "title": "Maintaining mobile device security", + "id": "control-0999", + "title": "Diffie-Hellman groups", "parts": [ { - "id": "control-1366-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." } ] }, { - "id": "control-0874", - "title": "Connecting mobile devices to the internet", + "id": "control-1000", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-0874-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "PFS is used for IPsec connections." } ] }, { - "id": "control-0705", - "title": "Connecting mobile devices to the internet", + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", "parts": [ { - "id": "control-0705-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." } ] } 
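Review bot: the statement prose for control-0488 in this hunk ends with "and parameter checked is enabled", which reads like a transcription slip for "parameter checking is enabled"; please verify it against the ISM source text before it is committed across every catalog version, because the forced-command requirement is a hardening control and an ungrammatical statement is easy to misread as an optional step. In the same hunk, control-0484 now states "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)", so the catalog carries a requirement whose actual content is not in the JSON; an OSCAL link or property on that control pointing at the ISM section would keep it assessable from the catalog alone. More broadly, at this position the hunk removes the "Guidelines for Cyber Security Incidents" and "Guidelines for Enterprise Mobility" groups and adds "Guidelines for Cryptography" in their place, and the next hunk header shows a span of roughly 2500 lines, so most of the churn appears to be a reordering of groups under the new serialization rather than changes to control text. The commit message ("demos work with trestle 1.0.x") does not say whether any statement prose changed; a content-level comparison of control ids and prose before and after, ignoring order, would let a reviewer confirm that no control was dropped or reworded unintentionally, and a sentence in the commit message stating that result would save the next reader from redoing it.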
@@ -6543,2502 +6532,2513 @@ ] }, { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", "groups": [ { - "id": "cable_labelling_and_registration", - "title": "Cable labelling and registration", + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", "controls": [ { - "id": "control-0201", - "title": "Conduit label specifications", + "id": "control-0252", + "title": "Providing cyber security awareness training", + "parts": [ + { + "id": "control-0252-stmt", + "name": "statement", + "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." + } + ] + }, + { + "id": "control-1565", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-0201-stmt", + "id": "control-1565-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." + "prose": "Tailored privileged user training is undertaken annually by all privileged users." } ] }, { - "id": "control-0202", - "title": "Conduit label specifications", + "id": "control-0817", + "title": "Reporting suspicious contact via online services", "parts": [ { - "id": "control-0202-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." 
} ] }, { - "id": "control-0203", - "title": "Conduit label specifications", + "id": "control-0820", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0203-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." } ] }, { - "id": "control-0204", - "title": "Installing conduit labelling", + "id": "control-1146", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0204-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." } ] }, { - "id": "control-1095", - "title": "Labelling wall outlet boxes", + "id": "control-0821", + "title": "Posting personal information to online services", "parts": [ { - "id": "control-1095-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." + "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." 
} ] }, { - "id": "control-1096", - "title": "Labelling cables", + "id": "control-0824", + "title": "Sending and receiving files via online services", "parts": [ { - "id": "control-1096-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." } ] - }, + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ { - "id": "control-0206", - "title": "Cable labelling process and procedures", + "id": "control-0432", + "title": "System access requirements", "parts": [ { - "id": "control-0206-stmt", + "id": "control-0432-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." + "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." } ] }, { - "id": "control-0208", - "title": "Cable register", + "id": "control-0434", + "title": "System access requirements", "parts": [ { - "id": "control-0208-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." 
} ] }, { - "id": "control-0211", - "title": "Cable inspections", + "id": "control-0435", + "title": "System access requirements", "parts": [ { - "id": "control-0211-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "Cables are inspected for inconsistencies with the cable register at least annually." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] - } - ] - }, - { - "id": "cable_patching", - "title": "Cable patching", - "controls": [ + }, { - "id": "control-0213", - "title": "Terminations to patch panels", + "id": "control-0414", + "title": "User identification", "parts": [ { - "id": "control-0213-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "Only approved cable groups terminate on a patch panel." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." } ] }, { - "id": "control-1093", - "title": "Patch cable and fly lead connectors", + "id": "control-0415", + "title": "User identification", "parts": [ { - "id": "control-1093-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-0214", - "title": "Patch cable and fly lead connectors", + "id": "control-1583", + "title": "User identification", "parts": [ { - "id": "control-0214-stmt", + "id": "control-1583-stmt", "name": "statement", - "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." 
+ "prose": "Personnel who are contractors are identified as such." } ] }, { - "id": "control-1094", - "title": "Patch cable and fly lead connectors", + "id": "control-0975", + "title": "User identification", "parts": [ { - "id": "control-1094-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." + "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0216", - "title": "Physical separation of patch panels", + "id": "control-0420", + "title": "User identification", "parts": [ { - "id": "control-0216-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0217", - "title": "Physical separation of patch panels", + "id": "control-0405", + "title": "Standard access to systems", "parts": [ { - "id": "control-0217-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." 
} ] }, { - "id": "control-0218", - "title": "Fly lead installation", + "id": "control-1503", + "title": "Standard access to systems", "parts": [ { - "id": "control-0218-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ + }, { - "id": "control-0247", - "title": "Emanation security threat assessments in Australia", + "id": "control-1566", + "title": "Standard access to systems", "parts": [ { - "id": "control-0247-stmt", + "id": "control-1566-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-0248", - "title": "Emanation security threat assessments in Australia", + "id": "control-0409", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0248-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
+ "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-1137", - "title": "Emanation security threat assessments in Australia", + "id": "control-0411", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-1137-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-0932", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1507", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0932-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." 
} ] }, { - "id": "control-0249", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1508", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0249-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-0246", - "title": "Early identification of emanation security issues", + "id": "control-0445", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0246-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." } ] }, { - "id": "control-0250", - "title": "Industry and government standards", + "id": "control-1509", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0250-stmt", + "id": "control-1509-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." 
} ] - } - ] - }, - { - "id": "cable_management", - "title": "Cable management", - "controls": [ + }, { - "id": "control-0181", - "title": "Cable standards", + "id": "control-1175", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0181-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." } ] }, { - "id": "control-0926", - "title": "Cable colours", + "id": "control-0448", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0926-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." } ] }, { - "id": "control-0825", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0825-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." 
} ] }, { - "id": "control-0826", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0826-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." } ] }, { - "id": "control-1215", - "title": "Cable colour non-conformance", + "id": "control-0430", + "title": "Suspension of access to systems", + "parts": [ + { + "id": "control-0430-stmt", + "name": "statement", + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + } + ] + }, + { + "id": "control-1591", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1215-stmt", + "id": "control-1591-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." + "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." } ] }, { - "id": "control-1216", - "title": "Cable colour non-conformance", + "id": "control-1404", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1216-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." 
} ] }, { - "id": "control-1112", - "title": "Inspecting cables", + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", "parts": [ { - "id": "control-1112-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." } ] }, { - "id": "control-1118", - "title": "Inspecting cables", + "id": "control-0441", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1118-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." } ] }, { - "id": "control-1119", - "title": "Inspecting cables", + "id": "control-0443", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1119-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." 
} ] }, { - "id": "control-1126", - "title": "Inspecting cables", + "id": "control-1610", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1126-stmt", + "id": "control-1610-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-0184", - "title": "Inspecting cables", + "id": "control-1611", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0184-stmt", + "id": "control-1611-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Break glass accounts are only used when normal authentication processes cannot be used." } ] }, { - "id": "control-0187", - "title": "Cable groupings", + "id": "control-1612", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0187-stmt", + "id": "control-1612-stmt", "name": "statement", - "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." + "prose": "Break glass accounts are only used for specific authorised activities." } ] }, { - "id": "control-1111", - "title": "Use of fibre-optic cables", + "id": "control-1613", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1111-stmt", + "id": "control-1613-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." + "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." 
} ] }, { - "id": "control-0189", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-1614", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0189-stmt", + "id": "control-1614-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." + "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." } ] }, { - "id": "control-0190", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-1615", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0190-stmt", + "id": "control-1615-stmt", "name": "statement", - "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." + "prose": "Break glass accounts are tested after credentials are changed." } ] }, { - "id": "control-1114", - "title": "Cables sharing a common reticulation system", + "id": "control-0078", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1114-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." } ] }, { - "id": "control-1130", - "title": "Enclosed cable reticulation systems", + "id": "control-0854", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1130-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." 
+ "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems", + "title": "Guidelines for Database Systems", + "groups": [ + { + "id": "database_servers", + "title": "Database servers", + "controls": [ { - "id": "control-1164", - "title": "Covers for enclosed cable reticulation systems", + "id": "control-1425", + "title": "Protecting database server contents", "parts": [ { - "id": "control-1164-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Hard disks of database servers are encrypted using full disk encryption." } ] }, { - "id": "control-0195", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1269", + "title": "Functional separation between database servers and web servers", "parts": [ { - "id": "control-0195-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-0194", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1277", + "title": "Communications between database servers and web servers", "parts": [ { - "id": "control-0194-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "Information communicated between database servers and web applications is encrypted." 
} ] }, { - "id": "control-1102", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1270", + "title": "Network environment", "parts": [ { - "id": "control-1102-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-1101", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1271", + "title": "Network environment", "parts": [ { - "id": "control-1101-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." + "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." } ] }, { - "id": "control-1103", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1272", + "title": "Network environment", "parts": [ { - "id": "control-1103-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." 
} ] }, { - "id": "control-1098", - "title": "Terminating cables in cabinets", + "id": "control-1273", + "title": "Separation of production, test and development database servers", "parts": [ { - "id": "control-1098-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." + "prose": "Test and development environments do not use the same database servers as production environments." } ] - }, + } + ] + }, + { + "id": "databases", + "title": "Databases", + "controls": [ { - "id": "control-1100", - "title": "Terminating cables in cabinets", + "id": "control-1243", + "title": "Database register", "parts": [ { - "id": "control-1100-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." + "prose": "A database register is maintained and regularly audited." } ] }, { - "id": "control-1116", - "title": "Cabinet separation", + "id": "control-1256", + "title": "Protecting database contents", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-1115", - "title": "Cables in walls", + "id": "control-1252", + "title": "Protecting authentication credentials in databases", "parts": [ { - "id": "control-1115-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, { - "id": "control-1133", - "title": "Cables in party walls", + "id": "control-0393", + "title": "Protecting database contents", "parts": [ { - "id": "control-1133-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in a party wall." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." } ] }, { - "id": "control-1122", - "title": "Wall penetrations", + "id": "control-1255", + "title": "Protecting database contents", "parts": [ { - "id": "control-1122-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." } ] }, { - "id": "control-1134", - "title": "Wall penetrations", + "id": "control-1268", + "title": "Protecting database contents", "parts": [ { - "id": "control-1134-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." 
} ] }, { - "id": "control-1104", - "title": "Wall outlet boxes", + "id": "control-1258", + "title": "Aggregation of database contents", "parts": [ { - "id": "control-1104-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." } ] }, { - "id": "control-1105", - "title": "Wall outlet boxes", + "id": "control-1274", + "title": "Separation of production, test and development databases", "parts": [ { - "id": "control-1105-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." + "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." } ] }, { - "id": "control-1106", - "title": "Wall outlet boxes", + "id": "control-1275", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1106-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." 
} ] }, { - "id": "control-1107", - "title": "Wall outlet box colours", + "id": "control-1276", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1107-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." } ] }, { - "id": "control-1109", - "title": "Wall outlet box covers", + "id": "control-1278", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1109-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." } ] - }, + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ { - "id": "control-0198", - "title": "Audio secure spaces", + "id": "control-1245", + "title": "Temporary installation files and logs", "parts": [ { - "id": "control-0198-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-1123", - "title": "Power reticulation", + "id": "control-1246", + "title": "Hardening and configuration", "parts": [ { - "id": "control-1123-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "DBMS software is configured according to vendor guidance." 
} ] }, { - "id": "control-1135", - "title": "Power reticulation", + "id": "control-1247", + "title": "Hardening and configuration", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment", - "title": "Guidelines for ICT Equipment", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1249", + "title": "Restricting privileges", "parts": [ { - "id": "control-0313-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1250", + "title": "Restricting privileges", "parts": [ { - "id": "control-1550-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." 
} ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1251", + "title": "Restricting privileges", "parts": [ { - "id": "control-0311-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." + "prose": "The ability of DBMS software to read local files from a server is disabled." } ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1260", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1217-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1262", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Database administrators have unique and identifiable accounts." 
} ] }, { - "id": "control-0315", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1261", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0315-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "When disposing of high assurance ICT equipment, it is destroyed prior to its disposal." + "prose": "Database administrator accounts are not shared across different databases." } ] }, { - "id": "control-0321", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1263", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0321-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "When disposing of ICT equipment that has been designed or modified to meet TEMPEST standards, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-1218", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1264", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1218-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateways", + "title": "Guidelines for Gateways", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-0312", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1528", + "title": "Using firewalls", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0317", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0639", + "title": "Using firewalls", "parts": [ { - "id": "control-0317-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] }, { - "id": "control-1219", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1194", + "title": "Using firewalls", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." 
} ] }, { - "id": "control-1220", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0641", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1220-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." } ] }, { - "id": "control-1221", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0642", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1221-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." } ] - }, + } + ] + }, + { + "id": "diodes", + "title": "Diodes", + "controls": [ { - "id": "control-0318", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0643", + "title": "Using diodes", "parts": [ { - "id": "control-0318-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." 
} ] }, { - "id": "control-1534", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0645", + "title": "Using diodes", "parts": [ { - "id": "control-1534-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." } ] }, { - "id": "control-1076", - "title": "Sanitising televisions and computer monitors", + "id": "control-1157", + "title": "Using diodes", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." } ] }, { - "id": "control-1222", - "title": "Sanitising televisions and computer monitors", + "id": "control-1158", + "title": "Using diodes", "parts": [ { - "id": "control-1222-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." 
} ] }, { - "id": "control-1223", - "title": "Sanitising network devices", + "id": "control-0646", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-1223-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-1225", - "title": "Sanitising fax machines", + "id": "control-0647", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-1225-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-1226", - "title": "Sanitising fax machines", + "id": "control-0648", + "title": "Volume checking", "parts": [ { - "id": "control-1226-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." 
} ] } ] }, { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", + "id": "content_filtering", + "title": "Content filtering", "controls": [ { - "id": "control-1079", - "title": "Maintenance and repairs of high assurance ICT equipment", - "parts": [ - { - "id": "control-1079-stmt", - "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." - } - ] - }, - { - "id": "control-0305", - "title": "On-site maintenance and repairs", + "id": "control-0659", + "title": "Content filtering", "parts": [ { - "id": "control-0305-stmt", + "id": "control-0659-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." } ] }, { - "id": "control-0307", - "title": "On-site maintenance and repairs", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-0307-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." 
} ] }, { - "id": "control-0306", - "title": "On-site maintenance and repairs", + "id": "control-0651", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0306-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." } ] }, { - "id": "control-0310", - "title": "Off-site maintenance and repairs", + "id": "control-0652", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0310-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." } ] }, { - "id": "control-0944", - "title": "Maintenance and repair of ICT equipment from secured spaces", + "id": "control-1389", + "title": "Automated dynamic analysis", "parts": [ { - "id": "control-0944-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." 
+ "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] }, { - "id": "control-1598", - "title": "Inspection of ICT equipment following maintenance and repairs", + "id": "control-1284", + "title": "Content validation", "parts": [ { - "id": "control-1598-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." } ] - } - ] - }, - { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", - "controls": [ + }, { - "id": "control-1551", - "title": "ICT equipment management policy", + "id": "control-1286", + "title": "Content conversion and transformation", "parts": [ { - "id": "control-1551-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." } ] }, { - "id": "control-0293", - "title": "Classifying ICT equipment", + "id": "control-1287", + "title": "Content sanitisation", "parts": [ { - "id": "control-0293-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." 
} ] }, { - "id": "control-0294", - "title": "Labelling ICT equipment", + "id": "control-1288", + "title": "Antivirus scanning", "parts": [ { - "id": "control-0294-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] }, { - "id": "control-0296", - "title": "Labelling high assurance ICT equipment", + "id": "control-1289", + "title": "Archive and container files", "parts": [ { - "id": "control-0296-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-1599", - "title": "Handling ICT equipment", + "id": "control-1290", + "title": "Archive and container files", "parts": [ { - "id": "control-1599-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." + "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0336", - "title": "ICT equipment and media register", + "id": "control-1291", + "title": "Archive and container files", "parts": [ { - "id": "control-0336-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." } ] }, { - "id": "control-0159", - "title": "ICT equipment and media register", + "id": "control-0649", + "title": "Allowing access to specific content types", "parts": [ { - "id": "control-0159-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-0161", - "title": "Securing ICT equipment and media", + "id": "control-1292", + "title": "Data integrity", "parts": [ { - "id": "control-0161-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." } ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Radio Frequency devices", + "id": "control-0677", + "title": "Data integrity", "parts": [ { - "id": "control-1543-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." 
+ "prose": "If data is signed, the signature is validated before the data is exported." } ] }, { - "id": "control-0225", - "title": "Radio Frequency devices", + "id": "control-1293", + "title": "Encrypted data", "parts": [ { - "id": "control-0225-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] - }, + } + ] + }, + { + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", + "controls": [ { - "id": "control-0829", - "title": "Radio Frequency devices", + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", "parts": [ { - "id": "control-0829-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-1058", - "title": "Bluetooth and wireless keyboards", + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-1058-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." 
} ] }, { - "id": "control-0222", - "title": "Infrared keyboards", + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0222-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0223", - "title": "Infrared keyboards", + "id": "control-0635", + "title": "Separation of data flows", "parts": [ { - "id": "control-0223-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." 
} ] }, { - "id": "control-0224", - "title": "Infrared keyboards", + "id": "control-1521", + "title": "Separation of data flows", "parts": [ { - "id": "control-0224-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." } ] }, { - "id": "control-0221", - "title": "Wireless RF pointing devices", + "id": "control-1522", + "title": "Separation of data flows", "parts": [ { - "id": "control-0221-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." } ] - } - ] - }, - { - "id": "facilities_and_systems", - "title": "Facilities and systems", - "controls": [ + }, { - "id": "control-0810", - "title": "Facilities containing systems", + "id": "control-0670", + "title": "Event logging", "parts": [ { - "id": "control-0810-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." 
} ] }, { - "id": "control-1053", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1523", + "title": "Event logging", "parts": [ { - "id": "control-1053-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." } ] }, { - "id": "control-1530", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0610", + "title": "User training", "parts": [ { - "id": "control-1530-stmt", + "id": "control-0610-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." } ] - }, + } + ] + }, + { + "id": "web_proxies", + "title": "Web proxies", + "controls": [ { - "id": "control-0813", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0258", + "title": "Web usage policy", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "A web usage policy is developed and implemented." 
} ] }, { - "id": "control-1074", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0260", + "title": "Using web proxies", "parts": [ { - "id": "control-1074-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-0157", - "title": "Network infrastructure", + "id": "control-0261", + "title": "Web proxy authentication and logging", "parts": [ { - "id": "control-0157-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." } ] - }, + } + ] + }, + { + "id": "web_content_filters", + "title": "Web content filters", + "controls": [ { - "id": "control-1296", - "title": "Controlling physical access to network devices", + "id": "control-0963", + "title": "Using web content filters", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "A web content filter is used to filter potentially harmful web-based content." 
} ] }, { - "id": "control-0164", - "title": "Preventing observation by unauthorised people", + "id": "control-0961", + "title": "Using web content filters", "parts": [ { - "id": "control-0164-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_data_transfers", - "title": "Guidelines for Data Transfers", - "groups": [ - { - "id": "data_transfers", - "title": "Data transfers", - "controls": [ + }, { - "id": "control-0663", - "title": "Data transfer process and procedures", + "id": "control-1237", + "title": "Using web content filters", "parts": [ { - "id": "control-0663-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] }, { - "id": "control-0661", - "title": "User responsibilities", + "id": "control-0263", + "title": "Transport Layer Security filtering", "parts": [ { - "id": "control-0661-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." 
} ] }, { - "id": "control-0665", - "title": "Trusted sources", + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", "parts": [ { - "id": "control-0665-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] }, { - "id": "control-0664", - "title": "Data transfer approval", + "id": "control-0958", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-0675", - "title": "Data transfer approval", + "id": "control-1170", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0675-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "A trusted source signs all data authorised for export from a system." + "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." } ] }, { - "id": "control-0657", - "title": "Import of data", + "id": "control-0959", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0657-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." 
} ] }, { - "id": "control-0658", - "title": "Import of data", + "id": "control-0960", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0658-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." } ] }, { - "id": "control-1187", - "title": "Export of data", + "id": "control-1171", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1187-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0669", - "title": "Export of data", + "id": "control-1236", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0669-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." + "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." 
} ] - }, + } + ] + }, + { + "id": "peripheral_switches", + "title": "Peripheral switches", + "controls": [ { - "id": "control-1535", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0591", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1535-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-0678", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-1480", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0678-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-1586", - "title": "Monitoring data import and export", + "id": "control-1457", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1586-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "Data transfer logs are used to record all data imports and exports from systems." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." 
} ] }, { - "id": "control-1294", - "title": "Monitoring data import and export", + "id": "control-0593", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1294-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "Data transfer logs are partially audited at least monthly." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-0660", - "title": "Monitoring data import and export", + "id": "control-0594", + "title": "Peripheral switches for particularly important systems", "parts": [ { - "id": "control-0660-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "Data transfer logs are fully audited at least monthly." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." } ] } ] - } - ] - }, - { - "id": "guidelines_for_media", - "title": "Guidelines for Media", - "groups": [ + }, { - "id": "media_destruction", - "title": "Media destruction", + "id": "gateways", + "title": "Gateways", "controls": [ { - "id": "control-0363", - "title": "Media destruction process and procedures", - "parts": [ - { - "id": "control-0363-stmt", - "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." 
- } - ] - }, - { - "id": "control-0350", - "title": "Media that cannot be sanitised", + "id": "control-0628", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0350-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." + "prose": "All systems are protected from systems in other security domains by one or more gateways." } ] }, { - "id": "control-1361", - "title": "Media destruction equipment", + "id": "control-1192", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-1361-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." + "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] }, { - "id": "control-1160", - "title": "Media destruction equipment", + "id": "control-0631", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-1160-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." 
+ "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." } ] }, { - "id": "control-1517", - "title": "Media destruction methods", + "id": "control-1427", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-1517-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." } ] }, { - "id": "control-0366", - "title": "Media destruction methods", + "id": "control-0634", + "title": "Gateway operation", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." 
} ] }, { - "id": "control-0368", - "title": "Treatment of media waste particles", + "id": "control-0637", + "title": "Demilitarised zones", "parts": [ { - "id": "control-0368-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-0361", - "title": "Degaussing magnetic media", + "id": "control-1037", + "title": "Gateway testing", "parts": [ { - "id": "control-0361-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-0838", - "title": "Degaussing magnetic media", + "id": "control-0611", + "title": "Gateway administration", "parts": [ { - "id": "control-0838-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." 
} ] }, { - "id": "control-0362", - "title": "Degaussing magnetic media", + "id": "control-0612", + "title": "Gateway administration", "parts": [ { - "id": "control-0362-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "System administrators are formally trained to manage gateways." } ] }, { - "id": "control-0370", - "title": "Supervision of destruction", + "id": "control-1520", + "title": "Gateway administration", "parts": [ { - "id": "control-0370-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." } ] }, { - "id": "control-0371", - "title": "Supervision of destruction", + "id": "control-0613", + "title": "Gateway administration", "parts": [ { - "id": "control-0371-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." } ] }, { - "id": "control-0372", - "title": "Supervision of accountable material destruction", + "id": "control-0616", + "title": "Gateway administration", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." 
+ "prose": "Roles for the administration of gateways are separated." } ] }, { - "id": "control-0373", - "title": "Supervision of accountable material destruction", + "id": "control-0629", + "title": "Gateway administration", "parts": [ { - "id": "control-0373-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-0840", - "title": "Outsourcing media destruction", + "id": "control-0607", + "title": "Shared ownership of gateways", "parts": [ { - "id": "control-0840-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." } ] }, { - "id": "control-0839", - "title": "Outsourcing media destruction", + "id": "control-0619", + "title": "Gateway authentication", "parts": [ { - "id": "control-0839-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "Users and services accessing networks through gateways are authenticated." 
} ] - } - ] - }, - { - "id": "media_usage", - "title": "Media usage", - "controls": [ + }, { - "id": "control-1549", - "title": "Media management policy", + "id": "control-0620", + "title": "Gateway authentication", "parts": [ { - "id": "control-1549-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-1359", - "title": "Removable media usage policy", + "id": "control-1039", + "title": "Gateway authentication", "parts": [ { - "id": "control-1359-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "Multi-factor authentication is used for access to gateways." } ] }, { - "id": "control-0323", - "title": "Classifying media storing information", + "id": "control-0622", + "title": "ICT equipment authentication", "parts": [ { - "id": "control-0323-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." + "prose": "ICT equipment accessing networks through gateways is authenticated." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", + "groups": [ + { + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", + "controls": [ { - "id": "control-0325", - "title": "Classifying media connected to systems", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", "parts": [ { - "id": "control-0325-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-0331", - "title": "Reclassifying media", + "id": "control-0546", + "title": "Video and voice-aware firewalls", "parts": [ { - "id": "control-0331-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." 
} ] }, { - "id": "control-0330", - "title": "Reclassifying media", + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", "parts": [ { - "id": "control-0330-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." + "prose": "Video conferencing and IP telephony signalling and data is encrypted." } ] }, { - "id": "control-0332", - "title": "Labelling media", + "id": "control-0548", + "title": "Establishment of secure signalling and data protocols", "parts": [ { - "id": "control-0332-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-1600", - "title": "Connecting media to systems", + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1600-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "Media is sanitised before it is used with systems for the first time." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." 
} ] }, { - "id": "control-0337", - "title": "Connecting media to systems", + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0337-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." } ] }, { - "id": "control-0341", - "title": "Connecting media to systems", + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-0342", - "title": "Connecting media to systems", + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0342-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." + "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." 
} ] }, { - "id": "control-0343", - "title": "Connecting media to systems", + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0343-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "Individual logins are used for IP phones." } ] }, { - "id": "control-0831", - "title": "Handling media", + "id": "control-0549", + "title": "Traffic separation", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." } ] }, { - "id": "control-1059", - "title": "Handling media", + "id": "control-0556", + "title": "Traffic separation", "parts": [ { - "id": "control-1059-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-0347", - "title": "Using media for data transfers", + "id": "control-1015", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0347-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "Traditional analog phones are used in public areas." 
} ] }, { - "id": "control-0947", - "title": "Using media for data transfers", + "id": "control-0558", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0947-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] - } - ] - }, - { - "id": "media_disposal", - "title": "Media disposal", - "controls": [ + }, { - "id": "control-0374", - "title": "Media disposal process and procedures", + "id": "control-0559", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0374-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." } ] }, { - "id": "control-0375", - "title": "Media disposal process and procedures", + "id": "control-1450", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0375-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." 
} ] }, { - "id": "control-0378", - "title": "Media disposal process and procedures", + "id": "control-1019", + "title": "Developing a denial of service response plan", "parts": [ { - "id": "control-0378-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." } ] } ] }, { - "id": "media_sanitisation", - "title": "Media sanitisation", + "id": "telephone_systems", + "title": "Telephone systems", "controls": [ { - "id": "control-0348", - "title": "Media sanitisation process and procedures", + "id": "control-1078", + "title": "Telephone systems usage policy", "parts": [ { - "id": "control-0348-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-0351", - "title": "Volatile media sanitisation", + "id": "control-0229", + "title": "Personnel awareness", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." 
} ] }, { - "id": "control-0352", - "title": "Volatile media sanitisation", + "id": "control-0230", + "title": "Personnel awareness", "parts": [ { - "id": "control-0352-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." } ] }, { - "id": "control-0835", - "title": "Treatment of volatile media following sanitisation", + "id": "control-0231", + "title": "Visual indication", "parts": [ { - "id": "control-0835-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-1065", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0232", + "title": "Protecting conversations", "parts": [ { - "id": "control-1065-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." 
} ] }, { - "id": "control-0354", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0233", + "title": "Cordless telephone systems", "parts": [ { - "id": "control-0354-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." } ] }, { - "id": "control-1067", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0235", + "title": "Speakerphones", "parts": [ { - "id": "control-1067-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-0356", - "title": "Treatment of non-volatile magnetic media following sanitisation", + "id": "control-0236", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0356-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." 
} ] }, { - "id": "control-0357", - "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "id": "control-0931", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0357-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "In SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of SECRET information." } ] }, { - "id": "control-0836", - "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "id": "control-0237", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0836-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." 
} ] - }, + } + ] + }, + { + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", + "controls": [ { - "id": "control-0358", - "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", "parts": [ { - "id": "control-0358-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." + "prose": "A fax machine and MFD usage policy is developed and implemented." } ] }, { - "id": "control-0359", - "title": "Non-volatile flash memory media sanitisation", + "id": "control-1092", + "title": "Sending fax messages", "parts": [ { - "id": "control-0359-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." } ] }, { - "id": "control-0360", - "title": "Treatment of non-volatile flash memory media following sanitisation", + "id": "control-0241", + "title": "Sending fax messages", "parts": [ { - "id": "control-0360-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." 
} ] }, { - "id": "control-1464", - "title": "Encrypted media sanitisation", + "id": "control-1075", + "title": "Receiving fax messages", "parts": [ { - "id": "control-1464-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ - { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", - "controls": [ + }, { - "id": "control-0714", - "title": "Providing cyber security leadership and guidance", + "id": "control-0590", + "title": "Connecting multifunction devices to networks", "parts": [ { - "id": "control-0714-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." } ] }, { - "id": "control-1478", - "title": "Overseeing the cyber security program", + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", "parts": [ { - "id": "control-1478-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." 
+ "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] }, { - "id": "control-1617", - "title": "Overseeing the cyber security program", + "id": "control-0589", + "title": "Copying documents on multifunction devices", "parts": [ { - "id": "control-1617-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." } ] }, { - "id": "control-0724", - "title": "Overseeing the cyber security program", + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", "parts": [ { - "id": "control-0724-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ { - "id": "control-0725", - "title": "Coordinating cyber security", + "id": "control-1510", + "title": "Digital preservation policy", "parts": [ { - "id": "control-0725-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-0726", - "title": "Coordinating cyber security", + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0726-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "The CISO coordinates security risk management activities between cyber security and business teams." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." } ] }, { - "id": "control-0718", - "title": "Reporting on cyber security", + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0718-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
} ] }, { - "id": "control-0733", - "title": "Overseeing incident response activities", + "id": "control-1511", + "title": "Performing backups", "parts": [ { - "id": "control-0733-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "The CISO is fully aware of all cyber security incidents within their organisation." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] }, { - "id": "control-1618", - "title": "Overseeing incident response activities", + "id": "control-1512", + "title": "Backup storage", "parts": [ { - "id": "control-1618-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s response to cyber security incidents." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." } ] }, { - "id": "control-0734", - "title": "Contributing to business continuity and disaster recovery planning", + "id": "control-1513", + "title": "Backup storage", "parts": [ { - "id": "control-0734-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." + "prose": "Backups are stored at a multiple geographically-dispersed locations." } ] }, { - "id": "control-0720", - "title": "Developing a cyber security communications strategy", + "id": "control-1514", + "title": "Retention periods for backups", "parts": [ { - "id": "control-0720-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." + "prose": "Backups are stored for three months or greater." 
} ] }, { - "id": "control-0731", - "title": "Working with suppliers and service providers", + "id": "control-1515", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-0731-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-0732", - "title": "Receiving and managing a dedicated cyber security budget", + "id": "control-1516", + "title": "Testing restoration of backups", + "parts": [ + { + "id": "control-1516-stmt", + "name": "statement", + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + } + ] + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ + { + "id": "control-1211", + "title": "Change management process and procedures", "parts": [ { - "id": "control-0732-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." + "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." 
} ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-0717", - "title": "Overseeing cyber security personnel", + "id": "control-0042", + "title": "System administration process and procedures", "parts": [ { - "id": "control-0717-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "The CISO oversees the management of cyber security personnel within their organisation." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." } ] }, { - "id": "control-0735", - "title": "Overseeing cyber security awareness raising", + "id": "control-1380", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0735-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." + "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ + }, { - "id": "control-1071", - "title": "System ownership", + "id": "control-1382", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." } ] }, { - "id": "control-1525", - "title": "Gaining authorisation to operate systems", + "id": "control-1381", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "System owners register each system with the system’s authorising officer." 
+ "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." } ] }, { - "id": "control-0027", - "title": "Gaining authorisation to operate systems", + "id": "control-1383", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." } ] }, { - "id": "control-1526", - "title": "Monitoring cyber threats, security risks and security controls", + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", "parts": [ { - "id": "control-1526-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "System owners monitor security risks and the effectiveness of security controls for each system." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." } ] }, { - "id": "control-1587", - "title": "Annual reporting of system security status", + "id": "control-1386", + "title": "Restriction of management traffic flows", "parts": [ { - "id": "control-1587-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "System owners report the security status of each system to its authorising officer at least annually." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ - { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", - "controls": [ + }, { - "id": "control-1631", - "title": "Cyber supply chain risk management", + "id": "control-1387", + "title": "Jump servers", "parts": [ { - "id": "control-1631-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are identified and understood." + "prose": "All administrative actions are conducted through a jump server." } ] }, { - "id": "control-1452", - "title": "Cyber supply chain risk management", + "id": "control-1388", + "title": "Jump servers", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." } ] - }, + } + ] + }, + { + "id": "system_patching", + "title": "System patching", + "controls": [ { - "id": "control-1567", - "title": "Cyber supply chain risk management", + "id": "control-1143", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1567-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "Suppliers and service providers identified as high risk are not used." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." 
} ] }, { - "id": "control-1568", - "title": "Cyber supply chain risk management", + "id": "control-1493", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1568-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." } ] }, { - "id": "control-1632", - "title": "Cyber supply chain risk management", + "id": "control-1144", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1632-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains." + "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1569", - "title": "Cyber supply chain risk management", + "id": "control-0940", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1569-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party." 
+ "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0100", - "title": "Outsourced gateway services", + "id": "control-1472", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0100-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." + "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1570", - "title": "Outsourced cloud services", + "id": "control-1494", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1570-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1529", - "title": "Outsourced cloud services", + "id": "control-1495", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "Only community or private clouds are used for outsourced cloud services." 
+ "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1395", - "title": "Contractual security requirements", + "id": "control-1496", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1395-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." + "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0072", - "title": "Contractual security requirements", + "id": "control-0300", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0072-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] }, { - "id": "control-1571", - "title": "Contractual security requirements", + "id": "control-0298", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1571-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." 
+ "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-1451", - "title": "Contractual security requirements", + "id": "control-0303", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "Types of information and its ownership is documented in contractual arrangements." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." } ] }, { - "id": "control-1572", - "title": "Contractual security requirements", + "id": "control-1497", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1572-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1573", - "title": "Contractual security requirements", + "id": "control-1498", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1573-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." 
} ] }, { - "id": "control-1574", - "title": "Contractual security requirements", + "id": "control-1499", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1574-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." } ] }, { - "id": "control-1575", - "title": "Contractual security requirements", + "id": "control-1500", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1575-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1073", - "title": "Access to systems and information by service providers", + "id": "control-0304", + "title": "Cessation of support", "parts": [ { - "id": "control-1073-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." 
} ] }, { - "id": "control-1576", - "title": "Access to systems and information by service providers", + "id": "control-1501", + "title": "Cessation of support", "parts": [ { - "id": "control-1576-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } diff --git a/ISM_catalog_profile/catalogs/ISM_December_2021/catalog.json b/ISM_catalog_profile/catalogs/ISM_December_2021/catalog.json new file mode 100644 index 0000000..b426e9c --- /dev/null +++ b/ISM_catalog_profile/catalogs/ISM_December_2021/catalog.json 
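Review bot: this hunk rewrites control ids and prose in place (e.g. control-0354 "Non-volatile magnetic media sanitisation" becomes control-0233 "Cordless telephone systems", and the guidelines_for_cyber_security_roles and guidelines_for_outsourcing groups disappear at this position while guidelines_for_system_management appears), which reads as a change in group ordering of the generated catalog rather than a content change, but the diff alone does not show that the removed controls (control-0354, 1067, 0356, 0357, 0836, 0358, 0359, 0360, 1464, the CISO controls control-0714 to control-0735, the system owner controls control-1071/1525/0027/1526/1587 and the outsourcing controls control-1631 to control-1576) still exist elsewhere in the file. Suggest regenerating with a deterministic group order so the diff becomes a move instead of a full rewrite, stating in the commit message that these catalogs are regenerated rather than edited, and verifying the set of control ids and statements is unchanged before merging, for example by diffing `jq -r '.. | .id? // empty' catalog.json | sort` for both revisions. One wording point: control-1513 reads "Backups are stored at a multiple geographically-dispersed locations."; if that mirrors the upstream ISM text verbatim, keep it, otherwise fix it in the generator rather than by hand-editing the JSON.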
@@ -0,0 +1,9407 @@ +{ + "catalog": { + "uuid": "d2c69629-fdba-4db6-982e-87da16784610", + "metadata": { + "title": "Australian Government Information Security manual", + "last-modified": "2022-03-07T13:44:16.866452+11:00", + "version": "December_2021", + "oscal-version": "1.0.0", + "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" + }, + "groups": [ + { + "id": "guidelines_for_ict_equipment", + "title": "Guidelines for ICT Equipment", + "groups": [ + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ + { + "id": "control-1551", + "title": "ICT equipment management policy", + "parts": [ + { + "id": "control-1551-stmt", + "name": "statement", + "prose": "An ICT equipment management policy is developed and implemented." + } + ] + }, + { + "id": "control-0336", + "title": "ICT equipment register", + "parts": [ + { + "id": "control-0336-stmt", + "name": "statement", + "prose": "An ICT equipment register is maintained and regularly audited." + } + ] + }, + { + "id": "control-0294", + "title": "Labelling ICT equipment", + "parts": [ + { + "id": "control-0294-stmt", + "name": "statement", + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + } + ] + }, + { + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", + "parts": [ + { + "id": "control-0296-stmt", + "name": "statement", + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." 
+ } + ] + }, + { + "id": "control-0293", + "title": "Classifying ICT equipment", + "parts": [ + { + "id": "control-0293-stmt", + "name": "statement", + "prose": "ICT equipment is classified based on the highest sensitivity or classification of data that it is approved for processing, storing or communicating." + } + ] + }, + { + "id": "control-1599", + "title": "Handling ICT equipment", + "parts": [ + { + "id": "control-1599-stmt", + "name": "statement", + "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." + } + ] + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ + { + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", + "parts": [ + { + "id": "control-1079-stmt", + "name": "statement", + "prose": "The ACSC’s approval is sought before undertaking any maintenance or repairs to high assurance ICT equipment." + } + ] + }, + { + "id": "control-0305", + "title": "On-site maintenance and repairs", + "parts": [ + { + "id": "control-0305-stmt", + "name": "statement", + "prose": "Maintenance and repairs of ICT equipment is carried out on site by an appropriately cleared technician." + } + ] + }, + { + "id": "control-0307", + "title": "On-site maintenance and repairs", + "parts": [ + { + "id": "control-0307-stmt", + "name": "statement", + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." 
+ } + ] + }, + { + "id": "control-0306", + "title": "On-site maintenance and repairs", + "parts": [ + { + "id": "control-0306-stmt", + "name": "statement", + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that data is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." + } + ] + }, + { + "id": "control-0310", + "title": "Off-site maintenance and repairs", + "parts": [ + { + "id": "control-0310-stmt", + "name": "statement", + "prose": "ICT equipment maintained or repaired off site is done so in accordance with the handling requirements for the sensitivity or classification of the ICT equipment." + } + ] + }, + { + "id": "control-1598", + "title": "Inspection of ICT equipment following maintenance and repairs", + "parts": [ + { + "id": "control-1598-stmt", + "name": "statement", + "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." + } + ] + } + ] + }, + { + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", + "controls": [ + { + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", + "parts": [ + { + "id": "control-0313-stmt", + "name": "statement", + "prose": "ICT equipment sanitisation processes, and supporting ICT equipment sanitisation procedures, are developed and implemented." 
+ } + ] + }, + { + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", + "parts": [ + { + "id": "control-1550-stmt", + "name": "statement", + "prose": "ICT equipment disposal processes, and supporting ICT equipment disposal procedures, are developed and implemented." + } + ] + }, + { + "id": "control-1217", + "title": "Sanitisation and disposal of ICT equipment", + "parts": [ + { + "id": "control-1217-stmt", + "name": "statement", + "prose": "Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate ICT equipment with its prior use are removed prior to its disposal." + } + ] + }, + { + "id": "control-0311", + "title": "Sanitisation and disposal of ICT equipment", + "parts": [ + { + "id": "control-0311-stmt", + "name": "statement", + "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." + } + ] + }, + { + "id": "control-0315", + "title": "Sanitisation and disposal of ICT equipment", + "parts": [ + { + "id": "control-0315-stmt", + "name": "statement", + "prose": "When disposing of high assurance ICT equipment, it is destroyed prior to its disposal." + } + ] + }, + { + "id": "control-0321", + "title": "Sanitisation and disposal of ICT equipment", + "parts": [ + { + "id": "control-0321-stmt", + "name": "statement", + "prose": "When disposing of ICT equipment that has been designed or modified to meet emanation security standards, the ACSC is contacted for requirements relating to its disposal." 
+ } + ] + }, + { + "id": "control-0316", + "title": "Sanitisation and disposal of ICT equipment", + "parts": [ + { + "id": "control-0316-stmt", + "name": "statement", + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to release ICT equipment, or its waste, into the public domain." + } + ] + }, + { + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "parts": [ + { + "id": "control-1218-stmt", + "name": "statement", + "prose": "ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data, is sanitised in situ." + } + ] + }, + { + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "parts": [ + { + "id": "control-0312-stmt", + "name": "statement", + "prose": "ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data that cannot be sanitised in situ, is returned to Australia for destruction." + } + ] + }, + { + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", + "parts": [ + { + "id": "control-0317-stmt", + "name": "statement", + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + } + ] + }, + { + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", + "parts": [ + { + "id": "control-1219-stmt", + "name": "statement", + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or a print is visible on the image transfer roller." 
+ } + ] + }, + { + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", + "parts": [ + { + "id": "control-1220-stmt", + "name": "statement", + "prose": "Printer and MFD platens are inspected and destroyed if any text or images are retained on the platen." + } + ] + }, + { + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", + "parts": [ + { + "id": "control-1221-stmt", + "name": "statement", + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + } + ] + }, + { + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", + "parts": [ + { + "id": "control-0318-stmt", + "name": "statement", + "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + } + ] + }, + { + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", + "parts": [ + { + "id": "control-1534-stmt", + "name": "statement", + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + } + ] + }, + { + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", + "parts": [ + { + "id": "control-1076-stmt", + "name": "statement", + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + } + ] + }, + { + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", + "parts": [ + { + "id": "control-1222-stmt", + "name": "statement", + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." 
+ } + ] + }, + { + "id": "control-1223", + "title": "Sanitising network devices", + "parts": [ + { + "id": "control-1223-stmt", + "name": "statement", + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided in evaluation documentation\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + } + ] + }, + { + "id": "control-1225", + "title": "Sanitising fax machines", + "parts": [ + { + "id": "control-1225-stmt", + "name": "statement", + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + } + ] + }, + { + "id": "control-1226", + "title": "Sanitising fax machines", + "parts": [ + { + "id": "control-1226-stmt", + "name": "statement", + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_media", + "title": "Guidelines for Media", + "groups": [ + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ + { + "id": "control-0374", + "title": "Media disposal processes and procedures", + "parts": [ + { + "id": "control-0374-stmt", + "name": "statement", + "prose": "Media disposal processes, and supporting media disposal procedures, are developed and implemented." + } + ] + }, + { + "id": "control-0378", + "title": "Disposal of media", + "parts": [ + { + "id": "control-0378-stmt", + "name": "statement", + "prose": "Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate media with its prior use are removed prior to its disposal." 
+ } + ] + }, + { + "id": "control-0375", + "title": "Disposal of media", + "parts": [ + { + "id": "control-0375-stmt", + "name": "statement", + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to release media, or its waste, into the public domain." + } + ] + } + ] + }, + { + "id": "media_usage", + "title": "Media usage", + "controls": [ + { + "id": "control-1549", + "title": "Media management policy", + "parts": [ + { + "id": "control-1549-stmt", + "name": "statement", + "prose": "A media management policy is developed and implemented." + } + ] + }, + { + "id": "control-1359", + "title": "Removable media usage policy", + "parts": [ + { + "id": "control-1359-stmt", + "name": "statement", + "prose": "A removable media usage policy is developed and implemented." + } + ] + }, + { + "id": "control-1713", + "title": "Removable media register", + "parts": [ + { + "id": "control-1713-stmt", + "name": "statement", + "prose": "A removable media register is maintained and regularly audited." + } + ] + }, + { + "id": "control-0332", + "title": "Labelling media", + "parts": [ + { + "id": "control-0332-stmt", + "name": "statement", + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + } + ] + }, + { + "id": "control-0323", + "title": "Classifying media", + "parts": [ + { + "id": "control-0323-stmt", + "name": "statement", + "prose": "Media is classified to the highest sensitivity or classification of data it stores, unless the media has been classified to a higher sensitivity or classification." + } + ] + }, + { + "id": "control-0337", + "title": "Classifying media", + "parts": [ + { + "id": "control-0337-stmt", + "name": "statement", + "prose": "Media is only used with systems that are authorised to process, store or communicate its sensitivity or classification." 
+ } + ] + }, + { + "id": "control-0325", + "title": "Reclassifying media", + "parts": [ + { + "id": "control-0325-stmt", + "name": "statement", + "prose": "Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured." + } + ] + }, + { + "id": "control-0330", + "title": "Reclassifying media", + "parts": [ + { + "id": "control-0330-stmt", + "name": "statement", + "prose": "Before reclassifying media to a lower sensitivity or classification, it is either sanitised or the data it stores is reclassified in consultation with data owners, and a formal administrative decision is made to reclassify the media." + } + ] + }, + { + "id": "control-0831", + "title": "Handling media", + "parts": [ + { + "id": "control-0831-stmt", + "name": "statement", + "prose": "Media is handled in a manner suitable for its sensitivity or classification." + } + ] + }, + { + "id": "control-1059", + "title": "Handling media", + "parts": [ + { + "id": "control-1059-stmt", + "name": "statement", + "prose": "All data stored on media is encrypted." + } + ] + }, + { + "id": "control-1600", + "title": "Sanitising media before first use", + "parts": [ + { + "id": "control-1600-stmt", + "name": "statement", + "prose": "Media is sanitised before it is used for the first time." + } + ] + }, + { + "id": "control-1642", + "title": "Sanitising media before first use", + "parts": [ + { + "id": "control-1642-stmt", + "name": "statement", + "prose": "Media is sanitised before it is reused in a different security domain." 
+ } + ] + }, + { + "id": "control-0347", + "title": "Using media for data transfers", + "parts": [ + { + "id": "control-0347-stmt", + "name": "statement", + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured." + } + ] + }, + { + "id": "control-0947", + "title": "Using media for data transfers", + "parts": [ + { + "id": "control-0947-stmt", + "name": "statement", + "prose": "When transferring data manually between two systems belonging to different security domains, rewritable media is sanitised after each data transfer." + } + ] + } + ] + }, + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ + { + "id": "control-0363", + "title": "Media destruction processes and procedures", + "parts": [ + { + "id": "control-0363-stmt", + "name": "statement", + "prose": "Media destruction processes, and supporting media destruction procedures, are developed and implemented." + } + ] + }, + { + "id": "control-0350", + "title": "Media that cannot be sanitised", + "parts": [ + { + "id": "control-0350-stmt", + "name": "statement", + "prose": "The following media types are destroyed prior to their disposal:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised." + } + ] + }, + { + "id": "control-1361", + "title": "Media destruction equipment", + "parts": [ + { + "id": "control-1361-stmt", + "name": "statement", + "prose": "SCEC or ASIO approved equipment is used when destroying media." + } + ] + }, + { + "id": "control-1160", + "title": "Media destruction equipment", + "parts": [ + { + "id": "control-1160-stmt", + "name": "statement", + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." 
+ } + ] + }, + { + "id": "control-1517", + "title": "Media destruction methods", + "parts": [ + { + "id": "control-1517-stmt", + "name": "statement", + "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + } + ] + }, + { + "id": "control-1722", + "title": "Media destruction methods", + "parts": [ + { + "id": "control-1722-stmt", + "name": "statement", + "prose": "Electrostatic memory devices are destroyed using either furnace/incinerator, hammer mill, disintegrator or grinder/sander destruction methods." + } + ] + }, + { + "id": "control-1723", + "title": "Media destruction methods", + "parts": [ + { + "id": "control-1723-stmt", + "name": "statement", + "prose": "Magnetic floppy disks are destroyed using either furnace/incinerator, hammer mill, disintegrator, cutting or degausser destruction methods." + } + ] + }, + { + "id": "control-1724", + "title": "Media destruction methods", + "parts": [ + { + "id": "control-1724-stmt", + "name": "statement", + "prose": "Magnetic hard disks are destroyed using either furnace/incinerator, hammer mill, disintegrator, grinder/sander or degausser destruction methods." + } + ] + }, + { + "id": "control-1725", + "title": "Media destruction methods", + "parts": [ + { + "id": "control-1725-stmt", + "name": "statement", + "prose": "Magnetic tapes are destroyed using either furnace/incinerator, hammer mill, disintegrator, cutting or degausser destruction methods." + } + ] + }, + { + "id": "control-1726", + "title": "Media destruction methods", + "parts": [ + { + "id": "control-1726-stmt", + "name": "statement", + "prose": "Optical disks are destroyed using either furnace/incinerator, hammer mill, disintegrator, grinder/sander or cutting destruction methods." 
+ } + ] + }, + { + "id": "control-1727", + "title": "Media destruction methods", + "parts": [ + { + "id": "control-1727-stmt", + "name": "statement", + "prose": "Semiconductor memory is destroyed using either furnace/incinerator, hammer mill or disintegrator destruction methods." + } + ] + }, + { + "id": "control-0368", + "title": "Media destruction methods", + "parts": [ + { + "id": "control-0368-stmt", + "name": "statement", + "prose": "Media destroyed using either a hammer mill, disintegrator, grinder/sander or cutting destruction method result in media waste particles no larger than 9 mm." + } + ] + }, + { + "id": "control-1728", + "title": "Treatment of media waste particles", + "parts": [ + { + "id": "control-1728-stmt", + "name": "statement", + "prose": "The resulting media waste particles from the destruction of SECRET media is stored and handled as OFFICIAL if less than or equal to 3 mm, PROTECTED if greater than 3 mm and less than or equal to 6 mm, or SECRET if greater than 6 mm and less than or equal to 9 mm." + } + ] + }, + { + "id": "control-1729", + "title": "Treatment of media waste particles", + "parts": [ + { + "id": "control-1729-stmt", + "name": "statement", + "prose": "The resulting media waste particles from the destruction of TOP SECRET media is stored and handled as OFFICIAL if less than or equal to 3 mm, or SECRET if greater than 3 mm and less than or equal to 9 mm." + } + ] + }, + { + "id": "control-0361", + "title": "Degaussing magnetic media", + "parts": [ + { + "id": "control-0361-stmt", + "name": "statement", + "prose": "Magnetic media is destroyed using a degausser with a suitable magnetic field strength and magnetic orientation." + } + ] + }, + { + "id": "control-0362", + "title": "Degaussing magnetic media", + "parts": [ + { + "id": "control-0362-stmt", + "name": "statement", + "prose": "Any product-specific directions provided by degausser manufacturers are followed." 
+ } + ] + }, + { + "id": "control-1641", + "title": "Degaussing magnetic media", + "parts": [ + { + "id": "control-1641-stmt", + "name": "statement", + "prose": "Following destruction of magnetic media using a degausser, it is physically damaged (such as by deforming the internal platters of hard drives) prior to its disposal." + } + ] + }, + { + "id": "control-0370", + "title": "Supervision of destruction", + "parts": [ + { + "id": "control-0370-stmt", + "name": "statement", + "prose": "The destruction of media is performed under the supervision of at least one person cleared to its sensitivity or classification." + } + ] + }, + { + "id": "control-0371", + "title": "Supervision of destruction", + "parts": [ + { + "id": "control-0371-stmt", + "name": "statement", + "prose": "Personnel supervising the destruction of media supervise its handling to the point of destruction and ensure that the destruction is completed successfully." + } + ] + }, + { + "id": "control-0372", + "title": "Supervision of accountable material destruction", + "parts": [ + { + "id": "control-0372-stmt", + "name": "statement", + "prose": "The destruction of media storing accountable material is performed under the supervision of at least two personnel cleared to its sensitivity or classification." + } + ] + }, + { + "id": "control-0373", + "title": "Supervision of accountable material destruction", + "parts": [ + { + "id": "control-0373-stmt", + "name": "statement", + "prose": "Personnel supervising the destruction of media storing accountable material supervise its handling to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." 
+ } + ] + }, + { + "id": "control-0840", + "title": "Outsourcing media destruction", + "parts": [ + { + "id": "control-0840-stmt", + "name": "statement", + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + } + ] + }, + { + "id": "control-0839", + "title": "Outsourcing media destruction", + "parts": [ + { + "id": "control-0839-stmt", + "name": "statement", + "prose": "The destruction of media storing accountable material is not outsourced." + } + ] + } + ] + }, + { + "id": "media_sanitisation", + "title": "Media sanitisation", + "controls": [ + { + "id": "control-0348", + "title": "Media sanitisation processes and procedures", + "parts": [ + { + "id": "control-0348-stmt", + "name": "statement", + "prose": "Media sanitisation processes, and supporting media sanitisation procedures, are developed and implemented." + } + ] + }, + { + "id": "control-0351", + "title": "Volatile media sanitisation", + "parts": [ + { + "id": "control-0351-stmt", + "name": "statement", + "prose": "Volatile media is sanitised by removing its power for at least 10 minutes." + } + ] + }, + { + "id": "control-0352", + "title": "Volatile media sanitisation", + "parts": [ + { + "id": "control-0352-stmt", + "name": "statement", + "prose": "SECRET and TOP SECRET volatile media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification." 
+ } + ] + }, + { + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", + "parts": [ + { + "id": "control-0835-stmt", + "name": "statement", + "prose": "Following sanitisation, TOP SECRET volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + } + ] + }, + { + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", + "parts": [ + { + "id": "control-0354-stmt", + "name": "statement", + "prose": "Non-volatile magnetic media is sanitised by overwriting it at least once (or three times if pre-2001 or under 15 GB) in its entirety with a random pattern followed by a read back for verification." + } + ] + }, + { + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", + "parts": [ + { + "id": "control-1065-stmt", + "name": "statement", + "prose": "The host-protected area and device configuration overlay table are reset prior to the sanitisation of non-volatile magnetic hard drives." + } + ] + }, + { + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", + "parts": [ + { + "id": "control-1067-stmt", + "name": "statement", + "prose": "The ATA secure erase command is used, in addition to block overwriting software, to ensure the growth defects table of non-volatile magnetic hard drives is overwritten." + } + ] + }, + { + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", + "parts": [ + { + "id": "control-0356-stmt", + "name": "statement", + "prose": "Following sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification." 
+ } + ] + }, + { + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "parts": [ + { + "id": "control-0357-stmt", + "name": "statement", + "prose": "Non-volatile EPROM media is sanitised by applying three times the manufacturer’s specified ultraviolet erasure time and then overwriting it at least once in its entirety with a random pattern followed by a read back for verification." + } + ] + }, + { + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "parts": [ + { + "id": "control-0836-stmt", + "name": "statement", + "prose": "Non-volatile EEPROM media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification." + } + ] + }, + { + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "parts": [ + { + "id": "control-0358-stmt", + "name": "statement", + "prose": "Following sanitisation, SECRET and TOP SECRET non-volatile EPROM and EEPROM media retains its classification." + } + ] + }, + { + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", + "parts": [ + { + "id": "control-0359-stmt", + "name": "statement", + "prose": "Non-volatile flash memory media is sanitised by overwriting it at least twice in its entirety with a random pattern followed by a read back for verification." + } + ] + }, + { + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", + "parts": [ + { + "id": "control-0360-stmt", + "name": "statement", + "prose": "Following sanitisation, SECRET and TOP SECRET non-volatile flash memory media retains its classification." 
+ } + ] + }, + { + "id": "control-1735", + "title": "Media that cannot be successfully sanitised", + "parts": [ + { + "id": "control-1735-stmt", + "name": "statement", + "prose": "Faulty or damaged media that cannot be successfully sanitised is destroyed prior to its disposal." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ + { + "id": "mobile_device_management", + "title": "Mobile device management", + "controls": [ + { + "id": "control-1533", + "title": "Mobile device management policy", + "parts": [ + { + "id": "control-1533-stmt", + "name": "statement", + "prose": "A mobile device management policy is developed and implemented." + } + ] + }, + { + "id": "control-1195", + "title": "Mobile device management policy", + "parts": [ + { + "id": "control-1195-stmt", + "name": "statement", + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." + } + ] + }, + { + "id": "control-0687", + "title": "Approval for use", + "parts": [ + { + "id": "control-0687-stmt", + "name": "statement", + "prose": "Mobile devices do not process, store or communicate SECRET or TOP SECRET data until approved for use by the ACSC." + } + ] + }, + { + "id": "control-1297", + "title": "Privately-owned mobile devices", + "parts": [ + { + "id": "control-1297-stmt", + "name": "statement", + "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access systems or data." + } + ] + }, + { + "id": "control-1400", + "title": "Privately-owned mobile devices", + "parts": [ + { + "id": "control-1400-stmt", + "name": "statement", + "prose": "Personnel accessing OFFICIAL and PROTECTED systems or data using a privately-owned mobile device use an ACSC-approved platform, a security configuration in accordance with ACSC guidance and have enforced separation of work data from any personal data." 
+ } + ] + }, + { + "id": "control-0694", + "title": "Privately-owned mobile devices", + "parts": [ + { + "id": "control-0694-stmt", + "name": "statement", + "prose": "Privately-owned mobile devices do not access SECRET and TOP SECRET systems or data." + } + ] + }, + { + "id": "control-1482", + "title": "Organisation-owned mobile devices", + "parts": [ + { + "id": "control-1482-stmt", + "name": "statement", + "prose": "Personnel accessing systems or data using an organisation-owned mobile device use an ACSC-approved platform with a security configuration in accordance with ACSC guidance." + } + ] + }, + { + "id": "control-0869", + "title": "Storage encryption", + "parts": [ + { + "id": "control-0869-stmt", + "name": "statement", + "prose": "Mobile devices encrypt their internal storage and any removable media." + } + ] + }, + { + "id": "control-1085", + "title": "Communications encryption", + "parts": [ + { + "id": "control-1085-stmt", + "name": "statement", + "prose": "Mobile devices encrypt all sensitive or classified data communicated over public network infrastructure." + } + ] + }, + { + "id": "control-1196", + "title": "Bluetooth functionality", + "parts": [ + { + "id": "control-1196-stmt", + "name": "statement", + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + } + ] + }, + { + "id": "control-1200", + "title": "Bluetooth functionality", + "parts": [ + { + "id": "control-1200-stmt", + "name": "statement", + "prose": "Bluetooth pairing is performed using Secure Connections, preferably with Numeric Comparison if supported." + } + ] + }, + { + "id": "control-1198", + "title": "Bluetooth functionality", + "parts": [ + { + "id": "control-1198-stmt", + "name": "statement", + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." 
+ } + ] + }, + { + "id": "control-1199", + "title": "Bluetooth functionality", + "parts": [ + { + "id": "control-1199-stmt", + "name": "statement", + "prose": "Bluetooth pairings are removed when there is no longer a requirement for their use." + } + ] + }, + { + "id": "control-0682", + "title": "Bluetooth functionality", + "parts": [ + { + "id": "control-0682-stmt", + "name": "statement", + "prose": "Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices." + } + ] + }, + { + "id": "control-0863", + "title": "Maintaining mobile device security", + "parts": [ + { + "id": "control-0863-stmt", + "name": "statement", + "prose": "Mobile devices prevent personnel from installing or uninstalling non-approved applications once provisioned." + } + ] + }, + { + "id": "control-0864", + "title": "Maintaining mobile device security", + "parts": [ + { + "id": "control-0864-stmt", + "name": "statement", + "prose": "Mobile devices prevent personnel from disabling or modifying security functionality once provisioned." + } + ] + }, + { + "id": "control-1366", + "title": "Maintaining mobile device security", + "parts": [ + { + "id": "control-1366-stmt", + "name": "statement", + "prose": "Security updates are applied to mobile devices as soon as they become available." + } + ] + }, + { + "id": "control-0874", + "title": "Connecting mobile devices to the internet", + "parts": [ + { + "id": "control-0874-stmt", + "name": "statement", + "prose": "Mobile devices access the internet via a VPN connection to an organisation’s internet gateway rather than via a direct connection to the internet." + } + ] + }, + { + "id": "control-0705", + "title": "Connecting mobile devices to the internet", + "parts": [ + { + "id": "control-0705-stmt", + "name": "statement", + "prose": "When accessing an organisation’s network via a VPN connection, split tunnelling is disabled." 
+ } + ] + } + ] + }, + { + "id": "mobile_device_usage", + "title": "Mobile device usage", + "controls": [ + { + "id": "control-1082", + "title": "Mobile device usage policy", + "parts": [ + { + "id": "control-1082-stmt", + "name": "statement", + "prose": "A mobile device usage policy is developed and implemented." + } + ] + }, + { + "id": "control-1083", + "title": "Personnel awareness", + "parts": [ + { + "id": "control-1083-stmt", + "name": "statement", + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + } + ] + }, + { + "id": "control-0240", + "title": "Paging, message services and messaging apps", + "parts": [ + { + "id": "control-0240-stmt", + "name": "statement", + "prose": "Paging, Multimedia Message Service, Short Message Service and messaging apps are not used to communicate sensitive or classified data." + } + ] + }, + { + "id": "control-0866", + "title": "Using mobile devices in public spaces", + "parts": [ + { + "id": "control-0866-stmt", + "name": "statement", + "prose": "Sensitive or classified data is not viewed or communicated in public locations unless care is taken to reduce the chance of the screen of a mobile device being observed." + } + ] + }, + { + "id": "control-1145", + "title": "Using mobile devices in public spaces", + "parts": [ + { + "id": "control-1145-stmt", + "name": "statement", + "prose": "Privacy filters are applied to the screens of SECRET and TOP SECRET mobile devices." + } + ] + }, + { + "id": "control-1644", + "title": "Using mobile devices in public spaces", + "parts": [ + { + "id": "control-1644-stmt", + "name": "statement", + "prose": "Sensitive or classified phone calls are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard." 
+ } + ] + }, + { + "id": "control-0871", + "title": "Maintaining control of mobile devices", + "parts": [ + { + "id": "control-0871-stmt", + "name": "statement", + "prose": "Mobile devices are kept under continual direct supervision when being actively used." + } + ] + }, + { + "id": "control-0870", + "title": "Maintaining control of mobile devices", + "parts": [ + { + "id": "control-0870-stmt", + "name": "statement", + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + } + ] + }, + { + "id": "control-1084", + "title": "Maintaining control of mobile devices", + "parts": [ + { + "id": "control-1084-stmt", + "name": "statement", + "prose": "If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + } + ] + }, + { + "id": "control-0701", + "title": "Mobile device emergency sanitisation processes and procedures", + "parts": [ + { + "id": "control-0701-stmt", + "name": "statement", + "prose": "Mobile device emergency sanitisation processes, and supporting mobile device emergency sanitisation procedures, are developed and implemented." + } + ] + }, + { + "id": "control-0702", + "title": "Mobile device emergency sanitisation processes and procedures", + "parts": [ + { + "id": "control-0702-stmt", + "name": "statement", + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on a SECRET or TOP SECRET mobile device, the function is used as part of mobile device emergency sanitisation processes and procedures." + } + ] + }, + { + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", + "parts": [ + { + "id": "control-1298-stmt", + "name": "statement", + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." 
+ } + ] + }, + { + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", + "parts": [ + { + "id": "control-1554-stmt", + "name": "statement", + "prose": "If travelling overseas with mobile devices to high or extreme risk countries, personnel are:\n• issued with newly provisioned accounts, mobile devices and removable media from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of mobile devices\n• advised to avoid taking any personal mobile devices, especially if rooted or jailbroken." + } + ] + }, + { + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", + "parts": [ + { + "id": "control-1555-stmt", + "name": "statement", + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the mobile devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all operating systems and applications\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any removable media\n• backup all important data and configuration settings." 
+ } + ] + }, + { + "id": "control-1299", + "title": "While travelling overseas with mobile devices", + "parts": [ + { + "id": "control-1299-stmt", + "name": "statement", + "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving mobile devices or removable media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with mobile devices that they grant access to, such as in laptop bags\n• never lending mobile devices or removable media to untrusted people, even if briefly\n• never allowing untrusted people to connect their mobile devices or removable media, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting mobile devices to open or untrusted Wi-Fi networks\n• using a VPN connection to encrypt all mobile device communications\n• using encrypted messaging apps for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of mobile devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of removable media once used with other parties’ systems or mobile devices\n• ensuring any removable media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted mobile devices, especially removable media, when travelling or upon returning from travelling." 
+ } + ] + }, + { + "id": "control-1088", + "title": "While travelling overseas with mobile devices", + "parts": [ + { + "id": "control-1088-stmt", + "name": "statement", + "prose": "Personnel report the potential compromise of mobile devices, removable media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials to foreign government officials\n• decrypt mobile devices for foreign government officials\n• have mobile devices taken out of sight by foreign government officials\n• have mobile devices or removable media stolen that are later returned\n• lose mobile devices or removable media that are later found\n• observe unusual behaviour of mobile devices." + } + ] + }, + { + "id": "control-1300", + "title": "After travelling overseas with mobile devices", + "parts": [ + { + "id": "control-1300-stmt", + "name": "statement", + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset mobile devices, including all removable media\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any mobile devices or removable media." + } + ] + }, + { + "id": "control-1556", + "title": "After travelling overseas with mobile devices", + "parts": [ + { + "id": "control-1556-stmt", + "name": "statement", + "prose": "If returning from travelling overseas with mobile devices to high or extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with mobile devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed logon attempts." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ + { + "id": "control-1510", + "title": "Digital preservation policy", + "parts": [ + { + "id": "control-1510-stmt", + "name": "statement", + "prose": "A digital preservation policy is developed and implemented." + } + ] + }, + { + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", + "parts": [ + { + "id": "control-1547-stmt", + "name": "statement", + "prose": "Data backup processes, and supporting data backup procedures, are developed and implemented." + } + ] + }, + { + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", + "parts": [ + { + "id": "control-1548-stmt", + "name": "statement", + "prose": "Data restoration processes, and supporting data restoration procedures, are developed and implemented." + } + ] + }, + { + "id": "control-1511", + "title": "Performing and retaining backups", + "parts": [ + { + "id": "control-1511-stmt", + "name": "statement", + "prose": "Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements." + } + ] + }, + { + "id": "control-1705", + "title": "Backup access and modification", + "parts": [ + { + "id": "control-1705-stmt", + "name": "statement", + "prose": "Unprivileged accounts, and privileged accounts (excluding backup administrators) cannot access other account’s backups." + } + ] + }, + { + "id": "control-1706", + "title": "Backup access and modification", + "parts": [ + { + "id": "control-1706-stmt", + "name": "statement", + "prose": "Unprivileged accounts, and privileged accounts (excluding backup administrators) can’t access their own account’s backups." 
+ } + ] + }, + { + "id": "control-1707", + "title": "Backup access and modification", + "parts": [ + { + "id": "control-1707-stmt", + "name": "statement", + "prose": "Unprivileged accounts, and privileged accounts (excluding backup administrators), are prevented from modifying or deleting backups." + } + ] + }, + { + "id": "control-1708", + "title": "Backup access and modification", + "parts": [ + { + "id": "control-1708-stmt", + "name": "statement", + "prose": "Backup administrators (excluding backup break glass accounts), are prevented from modifying or deleting backups." + } + ] + }, + { + "id": "control-1515", + "title": "Testing restoration of backups", + "parts": [ + { + "id": "control-1515-stmt", + "name": "statement", + "prose": "Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises." + } + ] + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ + { + "id": "control-0042", + "title": "System administration processes and procedures", + "parts": [ + { + "id": "control-0042-stmt", + "name": "statement", + "prose": "System administration processes, and supporting system administration procedures, are developed and implemented." + } + ] + }, + { + "id": "control-1380", + "title": "Separate privileged operating environments", + "parts": [ + { + "id": "control-1380-stmt", + "name": "statement", + "prose": "Privileged users use separate privileged and unprivileged operating environments." + } + ] + }, + { + "id": "control-1687", + "title": "Separate privileged operating environments", + "parts": [ + { + "id": "control-1687-stmt", + "name": "statement", + "prose": "Privileged operating environments are not virtualised within unprivileged operating environments." 
+ } + ] + }, + { + "id": "control-1688", + "title": "Separate privileged operating environments", + "parts": [ + { + "id": "control-1688-stmt", + "name": "statement", + "prose": "Unprivileged accounts cannot logon to privileged operating environments." + } + ] + }, + { + "id": "control-1689", + "title": "Separate privileged operating environments", + "parts": [ + { + "id": "control-1689-stmt", + "name": "statement", + "prose": "Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments." + } + ] + }, + { + "id": "control-1381", + "title": "Separate privileged operating environments", + "parts": [ + { + "id": "control-1381-stmt", + "name": "statement", + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + } + ] + }, + { + "id": "control-1383", + "title": "Separate privileged operating environments", + "parts": [ + { + "id": "control-1383-stmt", + "name": "statement", + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + } + ] + }, + { + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", + "parts": [ + { + "id": "control-1385-stmt", + "name": "statement", + "prose": "Administrator workstations are placed into a separate network zone to user workstations." + } + ] + }, + { + "id": "control-1386", + "title": "Restriction of management traffic flows", + "parts": [ + { + "id": "control-1386-stmt", + "name": "statement", + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + } + ] + }, + { + "id": "control-1387", + "title": "Jump servers", + "parts": [ + { + "id": "control-1387-stmt", + "name": "statement", + "prose": "Administrative activities are conducted through jump servers." 
+ } + ] + }, + { + "id": "control-1388", + "title": "Jump servers", + "parts": [ + { + "id": "control-1388-stmt", + "name": "statement", + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + } + ] + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ + { + "id": "control-1211", + "title": "Change management processes and procedures", + "parts": [ + { + "id": "control-1211-stmt", + "name": "statement", + "prose": "Change management processes, and supporting change management procedures, are developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + } + ] + } + ] + }, + { + "id": "system_patching", + "title": "System patching", + "controls": [ + { + "id": "control-1143", + "title": "Patch management processes and procedures", + "parts": [ + { + "id": "control-1143-stmt", + "name": "statement", + "prose": "Patch management processes, and supporting patch management procedures, are developed and implemented." + } + ] + }, + { + "id": "control-1493", + "title": "Patch management processes and procedures", + "parts": [ + { + "id": "control-1493-stmt", + "name": "statement", + "prose": "Software registers are maintained and regularly audited for workstations, servers, mobile devices, network devices and all other ICT equipment." + } + ] + }, + { + "id": "control-1643", + "title": "Patch management processes and procedures", + "parts": [ + { + "id": "control-1643-stmt", + "name": "statement", + "prose": "Software registers contain versions and patch histories of applications, drivers, operating systems and firmware." 
+ } + ] + }, + { + "id": "control-1690", + "title": "When to patch security vulnerabilities", + "parts": [ + { + "id": "control-1690-stmt", + "name": "statement", + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists." + } + ] + }, + { + "id": "control-1691", + "title": "When to patch security vulnerabilities", + "parts": [ + { + "id": "control-1691-stmt", + "name": "statement", + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release." + } + ] + }, + { + "id": "control-1692", + "title": "When to patch security vulnerabilities", + "parts": [ + { + "id": "control-1692-stmt", + "name": "statement", + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours if an exploit exists." + } + ] + }, + { + "id": "control-1693", + "title": "When to patch security vulnerabilities", + "parts": [ + { + "id": "control-1693-stmt", + "name": "statement", + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month." + } + ] + }, + { + "id": "control-1694", + "title": "When to patch security vulnerabilities", + "parts": [ + { + "id": "control-1694-stmt", + "name": "statement", + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists." 
+ } + ] + }, + { + "id": "control-1695", + "title": "When to patch security vulnerabilities", + "parts": [ + { + "id": "control-1695-stmt", + "name": "statement", + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release." + } + ] + }, + { + "id": "control-1696", + "title": "When to patch security vulnerabilities", + "parts": [ + { + "id": "control-1696-stmt", + "name": "statement", + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within 48 hours if an exploit exists." + } + ] + }, + { + "id": "control-1697", + "title": "When to patch security vulnerabilities", + "parts": [ + { + "id": "control-1697-stmt", + "name": "statement", + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists." + } + ] + }, + { + "id": "control-0300", + "title": "When to patch security vulnerabilities", + "parts": [ + { + "id": "control-0300-stmt", + "name": "statement", + "prose": "High assurance ICT equipment is only patched or updated when approved by the ACSC using methods and timeframes prescribed by the ACSC." + } + ] + }, + { + "id": "control-0298", + "title": "How to patch security vulnerabilities", + "parts": [ + { + "id": "control-0298-stmt", + "name": "statement", + "prose": "A centralised and managed approach is used to patch or update applications and drivers." + } + ] + }, + { + "id": "control-0303", + "title": "How to patch security vulnerabilities", + "parts": [ + { + "id": "control-0303-stmt", + "name": "statement", + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
+ } + ] + }, + { + "id": "control-1497", + "title": "How to patch security vulnerabilities", + "parts": [ + { + "id": "control-1497-stmt", + "name": "statement", + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + } + ] + }, + { + "id": "control-1498", + "title": "How to patch security vulnerabilities", + "parts": [ + { + "id": "control-1498-stmt", + "name": "statement", + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + } + ] + }, + { + "id": "control-1499", + "title": "How to patch security vulnerabilities", + "parts": [ + { + "id": "control-1499-stmt", + "name": "statement", + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + } + ] + }, + { + "id": "control-1500", + "title": "How to patch security vulnerabilities", + "parts": [ + { + "id": "control-1500-stmt", + "name": "statement", + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + } + ] + }, + { + "id": "control-1698", + "title": "Scanning for missing patches", + "parts": [ + { + "id": "control-1698-stmt", + "name": "statement", + "prose": "A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services." 
+ } + ] + }, + { + "id": "control-1699", + "title": "Scanning for missing patches", + "parts": [ + { + "id": "control-1699-stmt", + "name": "statement", + "prose": "A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products." + } + ] + }, + { + "id": "control-1700", + "title": "Scanning for missing patches", + "parts": [ + { + "id": "control-1700-stmt", + "name": "statement", + "prose": "A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications." + } + ] + }, + { + "id": "control-1701", + "title": "Scanning for missing patches", + "parts": [ + { + "id": "control-1701-stmt", + "name": "statement", + "prose": "A vulnerability scanner is used at least daily to identify missing patches for security vulnerabilities in operating systems of internet-facing services." + } + ] + }, + { + "id": "control-1702", + "title": "Scanning for missing patches", + "parts": [ + { + "id": "control-1702-stmt", + "name": "statement", + "prose": "A vulnerability scanner is used at least weekly to identify missing patches for security vulnerabilities in operating systems of workstations, servers and network devices." + } + ] + }, + { + "id": "control-1703", + "title": "Scanning for missing patches", + "parts": [ + { + "id": "control-1703-stmt", + "name": "statement", + "prose": "A vulnerability scanner is used at least weekly to identify missing patches for security vulnerabilities in drivers and firmware." 
+ } + ] + }, + { + "id": "control-1704", + "title": "Cessation of support", + "parts": [ + { + "id": "control-1704-stmt", + "name": "statement", + "prose": "Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed." + } + ] + }, + { + "id": "control-0304", + "title": "Cessation of support", + "parts": [ + { + "id": "control-0304-stmt", + "name": "statement", + "prose": "Applications that are no longer supported by vendors are removed." + } + ] + }, + { + "id": "control-1501", + "title": "Cessation of support", + "parts": [ + { + "id": "control-1501-stmt", + "name": "statement", + "prose": "Operating systems that are no longer supported by vendors are replaced." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_data_transfers", + "title": "Guidelines for Data Transfers", + "groups": [ + { + "id": "data_transfers", + "title": "Data transfers", + "controls": [ + { + "id": "control-0663", + "title": "Data transfer processes and procedures", + "parts": [ + { + "id": "control-0663-stmt", + "name": "statement", + "prose": "Data transfer processes, and supporting data transfer procedures, are developed and implemented." + } + ] + }, + { + "id": "control-0661", + "title": "User responsibilities", + "parts": [ + { + "id": "control-0661-stmt", + "name": "statement", + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + } + ] + }, + { + "id": "control-0664", + "title": "Data transfer approval", + "parts": [ + { + "id": "control-0664-stmt", + "name": "statement", + "prose": "All data transferred from a SECRET or TOP SECRET system to any other system is reviewed and approved by a trusted source." 
+ } + ] + }, + { + "id": "control-0675", + "title": "Data transfer approval", + "parts": [ + { + "id": "control-0675-stmt", + "name": "statement", + "prose": "A trusted source signs all data authorised for export from a SECRET or TOP SECRET system." + } + ] + }, + { + "id": "control-0665", + "title": "Data transfer approval", + "parts": [ + { + "id": "control-0665-stmt", + "name": "statement", + "prose": "Trusted sources for SECRET and TOP SECRET systems are limited to people and services that have been authorised as such by an organisation’s Chief Information Security Officer." + } + ] + }, + { + "id": "control-0657", + "title": "Import of data", + "parts": [ + { + "id": "control-0657-stmt", + "name": "statement", + "prose": "Data imported to a system is scanned for malicious and active content." + } + ] + }, + { + "id": "control-0658", + "title": "Import of data", + "parts": [ + { + "id": "control-0658-stmt", + "name": "statement", + "prose": "Data imported to a SECRET or TOP SECRET system undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." + } + ] + }, + { + "id": "control-1187", + "title": "Export of data", + "parts": [ + { + "id": "control-1187-stmt", + "name": "statement", + "prose": "When exporting data from a system, protective marking checks are undertaken." + } + ] + }, + { + "id": "control-0669", + "title": "Export of data", + "parts": [ + { + "id": "control-0669-stmt", + "name": "statement", + "prose": "When exporting data from a SECRET or TOP SECRET system, the following activities are undertaken:\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." 
+ } + ] + }, + { + "id": "control-1535", + "title": "Preventing export of highly sensitive data to foreign systems", + "parts": [ + { + "id": "control-1535-stmt", + "name": "statement", + "prose": "Processes, and supporting procedures, are developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." + } + ] + }, + { + "id": "control-0678", + "title": "Preventing export of highly sensitive data to foreign systems", + "parts": [ + { + "id": "control-0678-stmt", + "name": "statement", + "prose": "When exporting AUSTEO or AGAO data from a system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + } + ] + }, + { + "id": "control-1586", + "title": "Monitoring data import and export", + "parts": [ + { + "id": "control-1586-stmt", + "name": "statement", + "prose": "Data transfer logs are used to record all data imports and exports from systems." + } + ] + }, + { + "id": "control-1294", + "title": "Monitoring data import and export", + "parts": [ + { + "id": "control-1294-stmt", + "name": "statement", + "prose": "Data transfer logs for systems are partially audited at least monthly." + } + ] + }, + { + "id": "control-0660", + "title": "Monitoring data import and export", + "parts": [ + { + "id": "control-0660-stmt", + "name": "statement", + "prose": "Data transfer logs for SECRET and TOP SECRET systems are fully audited at least monthly." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_email", + "title": "Guidelines for Email", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ + { + "id": "control-0569", + "title": "Centralised email gateways", + "parts": [ + { + "id": "control-0569-stmt", + "name": "statement", + "prose": "Email is routed through a centralised email gateway." 
+ } + ] + }, + { + "id": "control-0571", + "title": "Centralised email gateways", + "parts": [ + { + "id": "control-0571-stmt", + "name": "statement", + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + } + ] + }, + { + "id": "control-0570", + "title": "Email gateway maintenance activities", + "parts": [ + { + "id": "control-0570-stmt", + "name": "statement", + "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + } + ] + }, + { + "id": "control-0567", + "title": "Open relay email servers", + "parts": [ + { + "id": "control-0567-stmt", + "name": "statement", + "prose": "Email servers only relay emails destined for or originating from their domains." + } + ] + }, + { + "id": "control-0572", + "title": "Email server transport encryption", + "parts": [ + { + "id": "control-0572-stmt", + "name": "statement", + "prose": "Opportunistic TLS encryption is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." + } + ] + }, + { + "id": "control-1589", + "title": "Email server transport encryption", + "parts": [ + { + "id": "control-1589-stmt", + "name": "statement", + "prose": "MTA-STS is enabled to prevent the transfer of unencrypted emails between complying servers." + } + ] + }, + { + "id": "control-0574", + "title": "Sender Policy Framework", + "parts": [ + { + "id": "control-0574-stmt", + "name": "statement", + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." + } + ] + }, + { + "id": "control-1183", + "title": "Sender Policy Framework", + "parts": [ + { + "id": "control-1183-stmt", + "name": "statement", + "prose": "A hard fail SPF record is used when specifying email servers." 
+ } + ] + }, + { + "id": "control-1151", + "title": "Sender Policy Framework", + "parts": [ + { + "id": "control-1151-stmt", + "name": "statement", + "prose": "SPF is used to verify the authenticity of incoming emails." + } + ] + }, + { + "id": "control-1152", + "title": "Sender Policy Framework", + "parts": [ + { + "id": "control-1152-stmt", + "name": "statement", + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." + } + ] + }, + { + "id": "control-0861", + "title": "DomainKeys Identified Mail", + "parts": [ + { + "id": "control-0861-stmt", + "name": "statement", + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." + } + ] + }, + { + "id": "control-1026", + "title": "DomainKeys Identified Mail", + "parts": [ + { + "id": "control-1026-stmt", + "name": "statement", + "prose": "DKIM signatures on received emails are verified." + } + ] + }, + { + "id": "control-1027", + "title": "DomainKeys Identified Mail", + "parts": [ + { + "id": "control-1027-stmt", + "name": "statement", + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + } + ] + }, + { + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", + "parts": [ + { + "id": "control-1540-stmt", + "name": "statement", + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." + } + ] + }, + { + "id": "control-1234", + "title": "Email content filtering", + "parts": [ + { + "id": "control-1234-stmt", + "name": "statement", + "prose": "Email content filtering controls are implemented for email bodies and attachments." 
+ } + ] + }, + { + "id": "control-1502", + "title": "Blocking suspicious emails", + "parts": [ + { + "id": "control-1502-stmt", + "name": "statement", + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + } + ] + }, + { + "id": "control-1024", + "title": "Undeliverable messages", + "parts": [ + { + "id": "control-1024-stmt", + "name": "statement", + "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." + } + ] + } + ] + }, + { + "id": "email_usage", + "title": "Email usage", + "controls": [ + { + "id": "control-0264", + "title": "Email usage policy", + "parts": [ + { + "id": "control-0264-stmt", + "name": "statement", + "prose": "An email usage policy is developed and implemented." + } + ] + }, + { + "id": "control-0267", + "title": "Webmail services", + "parts": [ + { + "id": "control-0267-stmt", + "name": "statement", + "prose": "Access to non-approved webmail services is blocked." + } + ] + }, + { + "id": "control-0270", + "title": "Protective markings for emails", + "parts": [ + { + "id": "control-0270-stmt", + "name": "statement", + "prose": "Protective markings are applied to emails and reflect the highest sensitivity or classification of the subject, body and attachments." + } + ] + }, + { + "id": "control-0271", + "title": "Protective marking tools", + "parts": [ + { + "id": "control-0271-stmt", + "name": "statement", + "prose": "Protective marking tools do not automatically insert protective markings into emails." + } + ] + }, + { + "id": "control-0272", + "title": "Protective marking tools", + "parts": [ + { + "id": "control-0272-stmt", + "name": "statement", + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." 
+ } + ] + }, + { + "id": "control-1089", + "title": "Protective marking tools", + "parts": [ + { + "id": "control-1089-stmt", + "name": "statement", + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + } + ] + }, + { + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", + "parts": [ + { + "id": "control-0565-stmt", + "name": "statement", + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." + } + ] + }, + { + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", + "parts": [ + { + "id": "control-1023-stmt", + "name": "statement", + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + } + ] + }, + { + "id": "control-0269", + "title": "Email distribution lists", + "parts": [ + { + "id": "control-0269-stmt", + "name": "statement", + "prose": "Emails containing Australian Eyes Only, Australian Government Access Only or Releasable To data are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ + { + "id": "system_owners", + "title": "System owners", + "controls": [ + { + "id": "control-1071", + "title": "System ownership and oversight", + "parts": [ + { + "id": "control-1071-stmt", + "name": "statement", + "prose": "Each system has a designated system owner." 
+ } + ] + }, + { + "id": "control-1525", + "title": "System ownership and oversight", + "parts": [ + { + "id": "control-1525-stmt", + "name": "statement", + "prose": "System owners register each system with its authorising officer." + } + ] + }, + { + "id": "control-1633", + "title": "Protecting systems and their resources", + "parts": [ + { + "id": "control-1633-stmt", + "name": "statement", + "prose": "System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised." + } + ] + }, + { + "id": "control-1634", + "title": "Protecting systems and their resources", + "parts": [ + { + "id": "control-1634-stmt", + "name": "statement", + "prose": "System owners select security controls for each system and tailor them to achieve desired security objectives." + } + ] + }, + { + "id": "control-1635", + "title": "Protecting systems and their resources", + "parts": [ + { + "id": "control-1635-stmt", + "name": "statement", + "prose": "System owners implement security controls for each system and its operating environment." + } + ] + }, + { + "id": "control-1636", + "title": "Protecting systems and their resources", + "parts": [ + { + "id": "control-1636-stmt", + "name": "statement", + "prose": "System owners ensure security controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended." + } + ] + }, + { + "id": "control-0027", + "title": "Protecting systems and their resources", + "parts": [ + { + "id": "control-0027-stmt", + "name": "statement", + "prose": "System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation." 
+ } + ] + }, + { + "id": "control-1526", + "title": "Protecting systems and their resources", + "parts": [ + { + "id": "control-1526-stmt", + "name": "statement", + "prose": "System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis." + } + ] + }, + { + "id": "control-1587", + "title": "Annual reporting of system security status", + "parts": [ + { + "id": "control-1587-stmt", + "name": "statement", + "prose": "System owners report the security status of each system to its authorising officer at least annually." + } + ] + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ + { + "id": "control-0714", + "title": "Providing cyber security leadership and guidance", + "parts": [ + { + "id": "control-0714-stmt", + "name": "statement", + "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." + } + ] + }, + { + "id": "control-1478", + "title": "Overseeing the cyber security program", + "parts": [ + { + "id": "control-1478-stmt", + "name": "statement", + "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + } + ] + }, + { + "id": "control-1617", + "title": "Overseeing the cyber security program", + "parts": [ + { + "id": "control-1617-stmt", + "name": "statement", + "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." + } + ] + }, + { + "id": "control-0724", + "title": "Overseeing the cyber security program", + "parts": [ + { + "id": "control-0724-stmt", + "name": "statement", + "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." 
+ } + ] + }, + { + "id": "control-0725", + "title": "Coordinating cyber security", + "parts": [ + { + "id": "control-0725-stmt", + "name": "statement", + "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key cyber security and business executives, which meets formally and on a regular basis." + } + ] + }, + { + "id": "control-0726", + "title": "Coordinating cyber security", + "parts": [ + { + "id": "control-0726-stmt", + "name": "statement", + "prose": "The CISO coordinates security risk management activities between cyber security and business teams." + } + ] + }, + { + "id": "control-0718", + "title": "Reporting on cyber security", + "parts": [ + { + "id": "control-0718-stmt", + "name": "statement", + "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." + } + ] + }, + { + "id": "control-0733", + "title": "Overseeing incident response activities", + "parts": [ + { + "id": "control-0733-stmt", + "name": "statement", + "prose": "The CISO is fully aware of all cyber security incidents within their organisation." + } + ] + }, + { + "id": "control-1618", + "title": "Overseeing incident response activities", + "parts": [ + { + "id": "control-1618-stmt", + "name": "statement", + "prose": "The CISO oversees their organisation’s response to cyber security incidents." + } + ] + }, + { + "id": "control-0734", + "title": "Contributing to business continuity and disaster recovery planning", + "parts": [ + { + "id": "control-0734-stmt", + "name": "statement", + "prose": "The CISO contributes to the development and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." 
+ } + ] + }, + { + "id": "control-0720", + "title": "Developing a cyber security communications strategy", + "parts": [ + { + "id": "control-0720-stmt", + "name": "statement", + "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." + } + ] + }, + { + "id": "control-0731", + "title": "Working with suppliers and service providers", + "parts": [ + { + "id": "control-0731-stmt", + "name": "statement", + "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." + } + ] + }, + { + "id": "control-0732", + "title": "Receiving and managing a dedicated cyber security budget", + "parts": [ + { + "id": "control-0732-stmt", + "name": "statement", + "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." + } + ] + }, + { + "id": "control-0717", + "title": "Overseeing cyber security personnel", + "parts": [ + { + "id": "control-0717-stmt", + "name": "statement", + "prose": "The CISO oversees the management of cyber security personnel within their organisation." + } + ] + }, + { + "id": "control-0735", + "title": "Overseeing cyber security awareness raising", + "parts": [ + { + "id": "control-0735-stmt", + "name": "statement", + "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_cryptography", + "title": "Guidelines for Cryptography", + "groups": [ + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ + { + "id": "control-1139", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1139-stmt", + "name": "statement", + "prose": "Only the latest version of TLS is used." 
+ } + ] + }, + { + "id": "control-1369", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1369-stmt", + "name": "statement", + "prose": "AES in Galois Counter Mode is used for symmetric encryption." + } + ] + }, + { + "id": "control-1370", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1370-stmt", + "name": "statement", + "prose": "Only server-initiated secure renegotiation is used." + } + ] + }, + { + "id": "control-1372", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1372-stmt", + "name": "statement", + "prose": "DH or ECDH is used for key establishment." + } + ] + }, + { + "id": "control-1448", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1448-stmt", + "name": "statement", + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + } + ] + }, + { + "id": "control-1373", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1373-stmt", + "name": "statement", + "prose": "Anonymous DH is not used." + } + ] + }, + { + "id": "control-1374", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1374-stmt", + "name": "statement", + "prose": "SHA-2-based certificates are used." + } + ] + }, + { + "id": "control-1375", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1375-stmt", + "name": "statement", + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + } + ] + }, + { + "id": "control-1553", + "title": "Using Transport Layer Security", + "parts": [ + { + "id": "control-1553-stmt", + "name": "statement", + "prose": "TLS compression is disabled." + } + ] + }, + { + "id": "control-1453", + "title": "Perfect Forward Secrecy", + "parts": [ + { + "id": "control-1453-stmt", + "name": "statement", + "prose": "PFS is used for TLS connections." 
+ } + ] + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ + { + "id": "control-0494", + "title": "Mode of operation", + "parts": [ + { + "id": "control-0494-stmt", + "name": "statement", + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + } + ] + }, + { + "id": "control-0496", + "title": "Protocol selection", + "parts": [ + { + "id": "control-0496-stmt", + "name": "statement", + "prose": "The ESP protocol is used for IPsec connections." + } + ] + }, + { + "id": "control-1233", + "title": "Key exchange", + "parts": [ + { + "id": "control-1233-stmt", + "name": "statement", + "prose": "IKE is used for key exchange when establishing an IPsec connection." + } + ] + }, + { + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", + "parts": [ + { + "id": "control-0497-stmt", + "name": "statement", + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + } + ] + }, + { + "id": "control-0498", + "title": "Security association lifetimes", + "parts": [ + { + "id": "control-0498-stmt", + "name": "statement", + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + } + ] + }, + { + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", + "parts": [ + { + "id": "control-0998-stmt", + "name": "statement", + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + } + ] + }, + { + "id": "control-0999", + "title": "Diffie-Hellman groups", + "parts": [ + { + "id": "control-0999-stmt", + "name": "statement", + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." 
+ } + ] + }, + { + "id": "control-1000", + "title": "Perfect Forward Secrecy", + "parts": [ + { + "id": "control-1000-stmt", + "name": "statement", + "prose": "PFS is used for IPsec connections." + } + ] + }, + { + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", + "parts": [ + { + "id": "control-1001-stmt", + "name": "statement", + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + } + ] + } + ] + }, + { + "id": "cryptographic_system_management", + "title": "Cryptographic system management", + "controls": [ + { + "id": "control-0501", + "title": "Cryptographic equipment", + "parts": [ + { + "id": "control-0501-stmt", + "name": "statement", + "prose": "Keyed cryptographic equipment is transported based on the sensitivity or classification of the keying material in it." + } + ] + }, + { + "id": "control-0142", + "title": "Cryptographic equipment", + "parts": [ + { + "id": "control-0142-stmt", + "name": "statement", + "prose": "The compromise or suspected compromise of cryptographic equipment or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + } + ] + }, + { + "id": "control-1091", + "title": "Cryptographic equipment", + "parts": [ + { + "id": "control-1091-stmt", + "name": "statement", + "prose": "Keying material is changed when compromised or suspected of being compromised." + } + ] + }, + { + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", + "parts": [ + { + "id": "control-0499-stmt", + "name": "statement", + "prose": "All communications security and equipment-specific doctrine produced by the ACSC for the management and use of HACE is complied with." 
+ } + ] + }, + { + "id": "control-0506", + "title": "High Assurance Cryptographic Equipment", + "parts": [ + { + "id": "control-0506-stmt", + "name": "statement", + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + } + ] + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ + { + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", + "parts": [ + { + "id": "control-0481-stmt", + "name": "statement", + "prose": "Only AACPs or high assurance cryptographic protocols are used by cryptographic equipment and software." + } + ] + } + ] + }, + { + "id": "secure_shell", + "title": "Secure Shell", + "controls": [ + { + "id": "control-1506", + "title": "Configuring Secure Shell", + "parts": [ + { + "id": "control-1506-stmt", + "name": "statement", + "prose": "The use of SSH version 1 is disabled." + } + ] + }, + { + "id": "control-0484", + "title": "Configuring Secure Shell", + "parts": [ + { + "id": "control-0484-stmt", + "name": "statement", + "prose": "The SSH daemon is configured to:\n• only listen on the required interfaces (ListenAddress xxx.xxx.xxx.xxx)\n• have a suitable login banner (Banner x)\n• have a login authentication timeout of no more than 60 seconds (LoginGraceTime 60)\n• disable host-based authentication (HostbasedAuthentication no)\n• disable rhosts-based authentication (IgnoreRhosts yes)\n• disable the ability to login directly as root (PermitRootLogin no)\n• disable empty passwords (PermitEmptyPasswords no)\n• disable connection forwarding (AllowTCPForwarding no)\n• disable gateway ports (GatewayPorts no)\n• disable X11 forwarding (X11Forwarding no)." + } + ] + }, + { + "id": "control-0485", + "title": "Authentication mechanisms", + "parts": [ + { + "id": "control-0485-stmt", + "name": "statement", + "prose": "Public key-based authentication is used for SSH connections." 
+ } + ] + }, + { + "id": "control-1449", + "title": "Authentication mechanisms", + "parts": [ + { + "id": "control-1449-stmt", + "name": "statement", + "prose": "SSH private keys are protected with a passphrase or a key encryption key." + } + ] + }, + { + "id": "control-0487", + "title": "Automated remote access", + "parts": [ + { + "id": "control-0487-stmt", + "name": "statement", + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + } + ] + }, + { + "id": "control-0488", + "title": "Automated remote access", + "parts": [ + { + "id": "control-0488-stmt", + "name": "statement", + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + } + ] + }, + { + "id": "control-0489", + "title": "SSH-agent", + "parts": [ + { + "id": "control-0489-stmt", + "name": "statement", + "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + } + ] + } + ] + }, + { + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", + "controls": [ + { + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", + "parts": [ + { + "id": "control-0490-stmt", + "name": "statement", + "prose": "Versions of S/MIME earlier than 3.0 are not used." 
+ } + ] + } + ] + }, + { + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", + "controls": [ + { + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", + "parts": [ + { + "id": "control-0471-stmt", + "name": "statement", + "prose": "Only AACAs or high assurance cryptographic algorithms are used by cryptographic equipment and software." + } + ] + }, + { + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", + "parts": [ + { + "id": "control-0994-stmt", + "name": "statement", + "prose": "ECDH and ECDSA are used in preference to DH and DSA." + } + ] + }, + { + "id": "control-0472", + "title": "Using Diffie-Hellman", + "parts": [ + { + "id": "control-0472-stmt", + "name": "statement", + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used." + } + ] + }, + { + "id": "control-1629", + "title": "Using Diffie-Hellman", + "parts": [ + { + "id": "control-1629-stmt", + "name": "statement", + "prose": "When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3." + } + ] + }, + { + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", + "parts": [ + { + "id": "control-0473-stmt", + "name": "statement", + "prose": "When using DSA for digital signatures, a modulus of at least 2048 bits is used." + } + ] + }, + { + "id": "control-1630", + "title": "Using the Digital Signature Algorithm", + "parts": [ + { + "id": "control-1630-stmt", + "name": "statement", + "prose": "When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4." + } + ] + }, + { + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", + "parts": [ + { + "id": "control-1446-stmt", + "name": "statement", + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." 
+ } + ] + }, + { + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", + "parts": [ + { + "id": "control-0474-stmt", + "name": "statement", + "prose": "When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used." + } + ] + }, + { + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", + "parts": [ + { + "id": "control-0475-stmt", + "name": "statement", + "prose": "When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used." + } + ] + }, + { + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", + "parts": [ + { + "id": "control-0476-stmt", + "name": "statement", + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used." + } + ] + }, + { + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", + "parts": [ + { + "id": "control-0477-stmt", + "name": "statement", + "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + } + ] + }, + { + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", + "parts": [ + { + "id": "control-0479-stmt", + "name": "statement", + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + } + ] + }, + { + "id": "control-1232", + "title": "Cryptographic algorithms for use with High Assurance Cryptographic Equipment", + "parts": [ + { + "id": "control-1232-stmt", + "name": "statement", + "prose": "AACAs used by HACE are implemented in an ASD approved configuration, with preference given to CNSA Suite algorithms and key sizes." 
+ } + ] + } + ] + }, + { + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", + "controls": [ + { + "id": "control-0457", + "title": "Encrypting data at rest", + "parts": [ + { + "id": "control-0457-stmt", + "name": "statement", + "prose": "Encryption software that has completed a Common Criteria evaluation against a Protection Profile is used when encrypting media that contains OFFICIAL: Sensitive or PROTECTED data." + } + ] + }, + { + "id": "control-0460", + "title": "Encrypting data at rest", + "parts": [ + { + "id": "control-0460-stmt", + "name": "statement", + "prose": "HACE is used when encrypting media that contains SECRET or TOP SECRET data." + } + ] + }, + { + "id": "control-0459", + "title": "Encrypting data at rest", + "parts": [ + { + "id": "control-0459-stmt", + "name": "statement", + "prose": "Full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition, is implemented when encrypting data at rest." + } + ] + }, + { + "id": "control-1080", + "title": "Encrypting highly sensitive data at rest", + "parts": [ + { + "id": "control-1080-stmt", + "name": "statement", + "prose": "In addition to any encryption already in place, an ASD Approved Cryptographic Algorithm (AACA) is used to encrypt AUSTEO and AGAO data when at rest on a system." + } + ] + }, + { + "id": "control-0455", + "title": "Data recovery", + "parts": [ + { + "id": "control-0455-stmt", + "name": "statement", + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." 
+ } + ] + }, + { + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", + "parts": [ + { + "id": "control-0462-stmt", + "name": "statement", + "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted data, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + } + ] + }, + { + "id": "control-0465", + "title": "Encrypting data in transit", + "parts": [ + { + "id": "control-0465-stmt", + "name": "statement", + "prose": "Cryptographic equipment or encryption software that has completed a Common Criteria evaluation against a Protection Profile is used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure." + } + ] + }, + { + "id": "control-0467", + "title": "Encrypting data in transit", + "parts": [ + { + "id": "control-0467-stmt", + "name": "statement", + "prose": "HACE is used to protect SECRET and TOP SECRET data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure." + } + ] + }, + { + "id": "control-0469", + "title": "Encrypting highly sensitive data in transit", + "parts": [ + { + "id": "control-0469-stmt", + "name": "statement", + "prose": "In addition to any encryption already in place, an ASD Approved Cryptographic Protocol (AACP) is used to protect AUSTEO and AGAO data when communicated across network infrastructure." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", + "groups": [ + { + "id": "web_application_development", + "title": "Web application development", + "controls": [ + { + "id": "control-1239", + "title": "Web application frameworks", + "parts": [ + { + "id": "control-1239-stmt", + "name": "statement", + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + } + ] + }, + { + "id": "control-1552", + "title": "Web application interactions", + "parts": [ + { + "id": "control-1552-stmt", + "name": "statement", + "prose": "All web application content is offered exclusively using HTTPS." + } + ] + }, + { + "id": "control-1240", + "title": "Web application input handling", + "parts": [ + { + "id": "control-1240-stmt", + "name": "statement", + "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + } + ] + }, + { + "id": "control-1241", + "title": "Web application output encoding", + "parts": [ + { + "id": "control-1241-stmt", + "name": "statement", + "prose": "Output encoding is performed on all output produced by a web application." + } + ] + }, + { + "id": "control-1424", + "title": "Web browser-based security controls", + "parts": [ + { + "id": "control-1424-stmt", + "name": "statement", + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + } + ] + }, + { + "id": "control-0971", + "title": "Open Web Application Security Project", + "parts": [ + { + "id": "control-0971-stmt", + "name": "statement", + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." 
+ } + ] + } + ] + }, + { + "id": "application_development", + "title": "Application development", + "controls": [ + { + "id": "control-0400", + "title": "Development environments", + "parts": [ + { + "id": "control-0400-stmt", + "name": "statement", + "prose": "Development, testing and production environments are segregated." + } + ] + }, + { + "id": "control-1419", + "title": "Development environments", + "parts": [ + { + "id": "control-1419-stmt", + "name": "statement", + "prose": "Development and modification of software only takes place in development environments." + } + ] + }, + { + "id": "control-1420", + "title": "Development environments", + "parts": [ + { + "id": "control-1420-stmt", + "name": "statement", + "prose": "Data in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + } + ] + }, + { + "id": "control-1422", + "title": "Development environments", + "parts": [ + { + "id": "control-1422-stmt", + "name": "statement", + "prose": "Unauthorised access to the authoritative source for software is prevented." + } + ] + }, + { + "id": "control-1238", + "title": "Secure software design", + "parts": [ + { + "id": "control-1238-stmt", + "name": "statement", + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + } + ] + }, + { + "id": "control-1730", + "title": "Software bill of materials", + "parts": [ + { + "id": "control-1730-stmt", + "name": "statement", + "prose": "A software bill of materials is produced and made available to consumers of software." 
+ } + ] + }, + { + "id": "control-0401", + "title": "Secure programming practices", + "parts": [ + { + "id": "control-0401-stmt", + "name": "statement", + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + } + ] + }, + { + "id": "control-0402", + "title": "Software testing", + "parts": [ + { + "id": "control-0402-stmt", + "name": "statement", + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." + } + ] + }, + { + "id": "control-1616", + "title": "Vulnerability disclosure program", + "parts": [ + { + "id": "control-1616-stmt", + "name": "statement", + "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." + } + ] + }, + { + "id": "control-1717", + "title": "Vulnerability disclosure program", + "parts": [ + { + "id": "control-1717-stmt", + "name": "statement", + "prose": "A ‘security.txt’ file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of security vulnerabilities in organisations’ products and services." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ + { + "id": "cabling_infrastructure", + "title": "Cabling infrastructure", + "controls": [ + { + "id": "control-0181", + "title": "Cabling infrastructure standards", + "parts": [ + { + "id": "control-0181-stmt", + "name": "statement", + "prose": "Cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority." 
+ } + ] + }, + { + "id": "control-1111", + "title": "Use of fibre-optic cables", + "parts": [ + { + "id": "control-1111-stmt", + "name": "statement", + "prose": "Fibre-optic cables are used for cabling infrastructure instead of copper cables." + } + ] + }, + { + "id": "control-0211", + "title": "Cable register", + "parts": [ + { + "id": "control-0211-stmt", + "name": "statement", + "prose": "A cable register is maintained and regularly audited." + } + ] + }, + { + "id": "control-0208", + "title": "Cable register", + "parts": [ + { + "id": "control-0208-stmt", + "name": "statement", + "prose": "A cable register contains the following for each cable:\n• cable identifier\n• cable colour\n• sensitivity/classification\n• source\n• destination\n• location\n• seal numbers (if applicable)." + } + ] + }, + { + "id": "control-1645", + "title": "Floor plan diagrams", + "parts": [ + { + "id": "control-1645-stmt", + "name": "statement", + "prose": "Floor plan diagrams are maintained and regularly audited." + } + ] + }, + { + "id": "control-1646", + "title": "Floor plan diagrams", + "parts": [ + { + "id": "control-1646-stmt", + "name": "statement", + "prose": "Floor plan diagrams contain the following:\n• cable paths (including ingress and egress points between floors)\n• cable reticulation system and conduit paths\n• floor concentration boxes\n• wall outlet boxes\n• network cabinets." + } + ] + }, + { + "id": "control-0206", + "title": "Cable labelling processes and procedures", + "parts": [ + { + "id": "control-0206-stmt", + "name": "statement", + "prose": "Cable labelling processes, and supporting cable labelling procedures, are developed and implemented." + } + ] + }, + { + "id": "control-1096", + "title": "Labelling cables", + "parts": [ + { + "id": "control-1096-stmt", + "name": "statement", + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." 
+ } + ] + }, + { + "id": "control-1639", + "title": "Labelling building management cables", + "parts": [ + { + "id": "control-1639-stmt", + "name": "statement", + "prose": "Building management cables are labelled with their purpose in black writing on a yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre intervals." + } + ] + }, + { + "id": "control-1640", + "title": "Labelling cables for foreign systems in Australian facilities", + "parts": [ + { + "id": "control-1640-stmt", + "name": "statement", + "prose": "Cables for foreign systems installed in Australian facilities are labelled at inspection points." + } + ] + }, + { + "id": "control-0926", + "title": "Cable colours", + "parts": [ + { + "id": "control-0926-stmt", + "name": "statement", + "prose": "OFFICIAL and PROTECTED cables are coloured neither salmon pink nor red." + } + ] + }, + { + "id": "control-1718", + "title": "Cable colours", + "parts": [ + { + "id": "control-1718-stmt", + "name": "statement", + "prose": "SECRET cables colours are coloured salmon pink." + } + ] + }, + { + "id": "control-1719", + "title": "Cable colours", + "parts": [ + { + "id": "control-1719-stmt", + "name": "statement", + "prose": "TOP SECRET cables colours are coloured red." + } + ] + }, + { + "id": "control-1216", + "title": "Cable colour non-conformance", + "parts": [ + { + "id": "control-1216-stmt", + "name": "statement", + "prose": "SECRET and TOP SECRET cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + } + ] + }, + { + "id": "control-1112", + "title": "Cable inspectability", + "parts": [ + { + "id": "control-1112-stmt", + "name": "statement", + "prose": "Cables are inspectable at a minimum of five-metre intervals." 
+ } + ] + }, + { + "id": "control-1119", + "title": "Cable inspectability", + "parts": [ + { + "id": "control-1119-stmt", + "name": "statement", + "prose": "Cables in TOP SECRET areas are fully inspectable for their entire length." + } + ] + }, + { + "id": "control-0187", + "title": "Common cable reticulation systems and conduits", + "parts": [ + { + "id": "control-0187-stmt", + "name": "statement", + "prose": "SECRET and TOP SECRET systems belong exclusively to their own cable groups." + } + ] + }, + { + "id": "control-0189", + "title": "Common cable reticulation systems and conduits", + "parts": [ + { + "id": "control-0189-stmt", + "name": "statement", + "prose": "Cables only carry a single cable group, unless each cable group belongs to a different subunit." + } + ] + }, + { + "id": "control-1114", + "title": "Common cable reticulation systems and conduits", + "parts": [ + { + "id": "control-1114-stmt", + "name": "statement", + "prose": "Cable groups sharing a common cable reticulation system have a dividing partition or a visible gap between the cable groups." + } + ] + }, + { + "id": "control-1130", + "title": "Enclosed cable reticulation systems", + "parts": [ + { + "id": "control-1130-stmt", + "name": "statement", + "prose": "In shared facilities, cables are run in an enclosed cable reticulation system." + } + ] + }, + { + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", + "parts": [ + { + "id": "control-1164-stmt", + "name": "statement", + "prose": "In shared facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." 
+ } + ] + }, + { + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", + "parts": [ + { + "id": "control-0195-stmt", + "name": "statement", + "prose": "In shared facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on TOP SECRET cable reticulation systems." + } + ] + }, + { + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", + "parts": [ + { + "id": "control-0194-stmt", + "name": "statement", + "prose": "In shared facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and TOP SECRET conduits connected by threaded lock nuts." + } + ] + }, + { + "id": "control-0201", + "title": "Labelling conduits", + "parts": [ + { + "id": "control-0201-stmt", + "name": "statement", + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as ‘TS RUN’." + } + ] + }, + { + "id": "control-1115", + "title": "Cables in walls", + "parts": [ + { + "id": "control-1115-stmt", + "name": "statement", + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + } + ] + }, + { + "id": "control-1133", + "title": "Cables in party walls", + "parts": [ + { + "id": "control-1133-stmt", + "name": "statement", + "prose": "In shared facilities, TOP SECRET cables are not run in party walls." + } + ] + }, + { + "id": "control-1122", + "title": "Wall penetrations", + "parts": [ + { + "id": "control-1122-stmt", + "name": "statement", + "prose": "Where wall penetrations exit a TOP SECRET area into a lower classified area, TOP SECRET cables are encased in conduit with all gaps between the TOP SECRET conduit and the wall filled with an appropriate sealing compound." 
+ } + ] + }, + { + "id": "control-1104", + "title": "Wall outlet boxes", + "parts": [ + { + "id": "control-1104-stmt", + "name": "statement", + "prose": "Wall outlet boxes have connectors on opposite sides of the wall outlet box if the cable group contains cables belonging to different systems." + } + ] + }, + { + "id": "control-1105", + "title": "Wall outlet boxes", + "parts": [ + { + "id": "control-1105-stmt", + "name": "statement", + "prose": "Different cables groups do not share a wall outlet box." + } + ] + }, + { + "id": "control-1095", + "title": "Labelling wall outlet boxes", + "parts": [ + { + "id": "control-1095-stmt", + "name": "statement", + "prose": "Wall outlet boxes denote the systems, cable identifiers and wall outlet box identifier." + } + ] + }, + { + "id": "control-1107", + "title": "Wall outlet box colours", + "parts": [ + { + "id": "control-1107-stmt", + "name": "statement", + "prose": "OFFICIAL and PROTECTED wall outlet boxes are coloured neither salmon pink nor red." + } + ] + }, + { + "id": "control-1720", + "title": "Wall outlet box colours", + "parts": [ + { + "id": "control-1720-stmt", + "name": "statement", + "prose": "SECRET wall outlet boxes are coloured salmon pink." + } + ] + }, + { + "id": "control-1721", + "title": "Wall outlet box colours", + "parts": [ + { + "id": "control-1721-stmt", + "name": "statement", + "prose": "TOP SECRET wall outlet boxes are coloured red." + } + ] + }, + { + "id": "control-1109", + "title": "Wall outlet box covers", + "parts": [ + { + "id": "control-1109-stmt", + "name": "statement", + "prose": "Wall outlet box covers are clear plastic." 
+ } + ] + }, + { + "id": "control-0218", + "title": "Fly lead installation", + "parts": [ + { + "id": "control-0218-stmt", + "name": "statement", + "prose": "If TOP SECRET fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + } + ] + }, + { + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", + "parts": [ + { + "id": "control-1102-stmt", + "name": "statement", + "prose": "Cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + } + ] + }, + { + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", + "parts": [ + { + "id": "control-1101-stmt", + "name": "statement", + "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets in server rooms or communications rooms are terminated as close as possible to the cabinet." + } + ] + }, + { + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", + "parts": [ + { + "id": "control-1103-stmt", + "name": "statement", + "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets not in server rooms or communications rooms are terminated at the boundary of the cabinet." + } + ] + }, + { + "id": "control-1098", + "title": "Terminating cables in cabinets", + "parts": [ + { + "id": "control-1098-stmt", + "name": "statement", + "prose": "Cables are terminated in individual cabinets; or for small systems, one cabinet with a division plate to delineate cable groups." + } + ] + }, + { + "id": "control-1100", + "title": "Terminating cables in cabinets", + "parts": [ + { + "id": "control-1100-stmt", + "name": "statement", + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." 
+ } + ] + }, + { + "id": "control-0213", + "title": "Terminating cable groups on patch panels", + "parts": [ + { + "id": "control-0213-stmt", + "name": "statement", + "prose": "Different cable groups do not terminate on the same patch panel." + } + ] + }, + { + "id": "control-1116", + "title": "Physical separation of cabinets and patch panels", + "parts": [ + { + "id": "control-1116-stmt", + "name": "statement", + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + } + ] + }, + { + "id": "control-0216", + "title": "Physical separation of cabinets and patch panels", + "parts": [ + { + "id": "control-0216-stmt", + "name": "statement", + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + } + ] + }, + { + "id": "control-0217", + "title": "Physical separation of cabinets and patch panels", + "parts": [ + { + "id": "control-0217-stmt", + "name": "statement", + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + } + ] + }, + { + "id": "control-0198", + "title": "Audio secure rooms", + "parts": [ + { + "id": "control-0198-stmt", + "name": "statement", + "prose": "When penetrating a TOP SECRET audio secure room, the Australian Security Intelligence Organisation is consulted and all directions provided are complied with." 
+ } + ] + }, + { + "id": "control-1123", + "title": "Power reticulation", + "parts": [ + { + "id": "control-1123-stmt", + "name": "statement", + "prose": "A power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + } + ] + } + ] + }, + { + "id": "emanation_security", + "title": "Emanation security", + "controls": [ + { + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", + "parts": [ + { + "id": "control-0248-stmt", + "name": "statement", + "prose": "System owners deploying OFFICIAL or PROTECTED systems with Radio Frequency transmitters that will be co-located with SECRET or TOP SECRET systems contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment." + } + ] + }, + { + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", + "parts": [ + { + "id": "control-0247-stmt", + "name": "statement", + "prose": "System owners deploying SECRET or TOP SECRET systems with Radio Frequency transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment." + } + ] + }, + { + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", + "parts": [ + { + "id": "control-1137-stmt", + "name": "statement", + "prose": "System owners deploying SECRET or TOP SECRET systems in shared facilities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment." 
+ } + ] + }, + { + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", + "parts": [ + { + "id": "control-0249-stmt", + "name": "statement", + "prose": "System owners deploying systems or military platforms overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment." + } + ] + }, + { + "id": "control-0246", + "title": "Early identification of emanation security controls", + "parts": [ + { + "id": "control-0246-stmt", + "name": "statement", + "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + } + ] + }, + { + "id": "control-0250", + "title": "Electromagnetic interference/electromagnetic compatibility standards", + "parts": [ + { + "id": "control-0250-stmt", + "name": "statement", + "prose": "ICT equipment meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ + { + "id": "control-0039", + "title": "Cyber security strategy", + "parts": [ + { + "id": "control-0039-stmt", + "name": "statement", + "prose": "A cyber security strategy is developed and implemented for the organisation." + } + ] + }, + { + "id": "control-0047", + "title": "Approval of security documentation", + "parts": [ + { + "id": "control-0047-stmt", + "name": "statement", + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." 
+ } + ] + }, + { + "id": "control-0888", + "title": "Maintenance of security documentation", + "parts": [ + { + "id": "control-0888-stmt", + "name": "statement", + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + } + ] + }, + { + "id": "control-1602", + "title": "Communication of security documentation", + "parts": [ + { + "id": "control-1602-stmt", + "name": "statement", + "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." + } + ] + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ + { + "id": "control-0041", + "title": "System security plan", + "parts": [ + { + "id": "control-0041-stmt", + "name": "statement", + "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both applicable security controls from this document and any additional security controls that have been identified." 
+ } + ] + }, + { + "id": "control-0043", + "title": "Incident response plan", + "parts": [ + { + "id": "control-0043-stmt", + "name": "statement", + "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of cyber security incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to an organisation and externally to relevant authorities\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the Australian Cyber Security Centre or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." + } + ] + }, + { + "id": "control-1163", + "title": "Continuous monitoring plan", + "parts": [ + { + "id": "control-1163-stmt", + "name": "statement", + "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact\n• using a risk-based approach to prioritise the implementation of mitigations based on effectiveness and cost." 
+ } + ] + }, + { + "id": "control-1563", + "title": "Security assessment report", + "parts": [ + { + "id": "control-1563-stmt", + "name": "statement", + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + } + ] + }, + { + "id": "control-1564", + "title": "Plan of action and milestones", + "parts": [ + { + "id": "control-1564-stmt", + "name": "statement", + "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_gateways", + "title": "Guidelines for Gateways", + "groups": [ + { + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", + "controls": [ + { + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", + "parts": [ + { + "id": "control-0626-stmt", + "name": "statement", + "prose": "When connecting a SECRET or TOP SECRET network to any other network from a different security domain, a CDS is implemented." + } + ] + }, + { + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", + "parts": [ + { + "id": "control-0597-stmt", + "name": "statement", + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." 
+ } + ] + }, + { + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", + "parts": [ + { + "id": "control-0627-stmt", + "name": "statement", + "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + } + ] + }, + { + "id": "control-0635", + "title": "Separation of data flows", + "parts": [ + { + "id": "control-0635-stmt", + "name": "statement", + "prose": "A CDS implements isolated upward and downward network paths." + } + ] + }, + { + "id": "control-1521", + "title": "Separation of data flows", + "parts": [ + { + "id": "control-1521-stmt", + "name": "statement", + "prose": "A CDS implements protocol breaks at each layer of the OSI model." + } + ] + }, + { + "id": "control-1522", + "title": "Separation of data flows", + "parts": [ + { + "id": "control-1522-stmt", + "name": "statement", + "prose": "A CDS implements content filtering and separate independent security-enforcing components for upward and downward data flows." + } + ] + }, + { + "id": "control-0670", + "title": "Event logging", + "parts": [ + { + "id": "control-0670-stmt", + "name": "statement", + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + } + ] + }, + { + "id": "control-1523", + "title": "Event logging", + "parts": [ + { + "id": "control-1523-stmt", + "name": "statement", + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." 
+ } + ] + }, + { + "id": "control-0610", + "title": "User training", + "parts": [ + { + "id": "control-0610-stmt", + "name": "statement", + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + } + ] + } + ] + }, + { + "id": "content_filtering", + "title": "Content filtering", + "controls": [ + { + "id": "control-0659", + "title": "Content filtering", + "parts": [ + { + "id": "control-0659-stmt", + "name": "statement", + "prose": "When importing data into a security domain, the data is filtered by a content filter designed for that purpose." + } + ] + }, + { + "id": "control-1524", + "title": "Content filtering", + "parts": [ + { + "id": "control-1524-stmt", + "name": "statement", + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + } + ] + }, + { + "id": "control-0651", + "title": "Active, malicious and suspicious content", + "parts": [ + { + "id": "control-0651-stmt", + "name": "statement", + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + } + ] + }, + { + "id": "control-0652", + "title": "Active, malicious and suspicious content", + "parts": [ + { + "id": "control-0652-stmt", + "name": "statement", + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + } + ] + }, + { + "id": "control-1389", + "title": "Automated dynamic analysis", + "parts": [ + { + "id": "control-1389-stmt", + "name": "statement", + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." 
+ } + ] + }, + { + "id": "control-1284", + "title": "Content validation", + "parts": [ + { + "id": "control-1284-stmt", + "name": "statement", + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + } + ] + }, + { + "id": "control-1286", + "title": "Content conversion and transformation", + "parts": [ + { + "id": "control-1286-stmt", + "name": "statement", + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + } + ] + }, + { + "id": "control-1287", + "title": "Content sanitisation", + "parts": [ + { + "id": "control-1287-stmt", + "name": "statement", + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + } + ] + }, + { + "id": "control-1288", + "title": "Antivirus scanning", + "parts": [ + { + "id": "control-1288-stmt", + "name": "statement", + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + } + ] + }, + { + "id": "control-1289", + "title": "Archive and container files", + "parts": [ + { + "id": "control-1289-stmt", + "name": "statement", + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + } + ] + }, + { + "id": "control-1290", + "title": "Archive and container files", + "parts": [ + { + "id": "control-1290-stmt", + "name": "statement", + "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + } + ] + }, + { + "id": "control-1291", + "title": "Archive and container files", + "parts": [ + { + "id": "control-1291-stmt", + "name": "statement", + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." 
+ } + ] + }, + { + "id": "control-0649", + "title": "Allowing access to specific content types", + "parts": [ + { + "id": "control-0649-stmt", + "name": "statement", + "prose": "A list of allowed content types is implemented." + } + ] + }, + { + "id": "control-1292", + "title": "Data integrity", + "parts": [ + { + "id": "control-1292-stmt", + "name": "statement", + "prose": "The integrity of content is verified where applicable and blocked if verification fails." + } + ] + }, + { + "id": "control-0677", + "title": "Data integrity", + "parts": [ + { + "id": "control-0677-stmt", + "name": "statement", + "prose": "If data is signed, the signature is validated before the data is exported." + } + ] + }, + { + "id": "control-1293", + "title": "Encrypted data", + "parts": [ + { + "id": "control-1293-stmt", + "name": "statement", + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + } + ] + } + ] + }, + { + "id": "web_proxies", + "title": "Web proxies", + "controls": [ + { + "id": "control-0258", + "title": "Web usage policy", + "parts": [ + { + "id": "control-0258-stmt", + "name": "statement", + "prose": "A web usage policy is developed and implemented." + } + ] + }, + { + "id": "control-0260", + "title": "Using web proxies", + "parts": [ + { + "id": "control-0260-stmt", + "name": "statement", + "prose": "All web access, including that by internal servers, is conducted through a web proxy." + } + ] + }, + { + "id": "control-0261", + "title": "Web proxy authentication and logging", + "parts": [ + { + "id": "control-0261-stmt", + "name": "statement", + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." 
+ } + ] + } + ] + }, + { + "id": "peripheral_switches", + "title": "Peripheral switches", + "controls": [ + { + "id": "control-0591", + "title": "Using peripheral switches", + "parts": [ + { + "id": "control-0591-stmt", + "name": "statement", + "prose": "An evaluated peripheral switch is used when sharing peripherals between systems." + } + ] + }, + { + "id": "control-1457", + "title": "Using peripheral switches", + "parts": [ + { + "id": "control-1457-stmt", + "name": "statement", + "prose": "An evaluated peripheral switch used for sharing peripherals between SECRET and TOP SECRET systems, or between SECRET or TOP SECRET systems belonging to different security domains, preferably completes a high assurance evaluation." + } + ] + }, + { + "id": "control-1480", + "title": "Using peripheral switches", + "parts": [ + { + "id": "control-1480-stmt", + "name": "statement", + "prose": "An evaluated peripheral switch used for sharing peripherals between SECRET or TOP SECRET systems and any non-SECRET or TOP SECRET systems completes a high assurance evaluation." + } + ] + } + ] + }, + { + "id": "gateways", + "title": "Gateways", + "controls": [ + { + "id": "control-0628", + "title": "Gateway architecture and configuration", + "parts": [ + { + "id": "control-0628-stmt", + "name": "statement", + "prose": "All systems are protected from systems in other security domains by one or more gateways." + } + ] + }, + { + "id": "control-1192", + "title": "Gateway architecture and configuration", + "parts": [ + { + "id": "control-1192-stmt", + "name": "statement", + "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." 
+ } + ] + }, + { + "id": "control-0631", + "title": "Gateway architecture and configuration", + "parts": [ + { + "id": "control-0631-stmt", + "name": "statement", + "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + } + ] + }, + { + "id": "control-1427", + "title": "Gateway architecture and configuration", + "parts": [ + { + "id": "control-1427-stmt", + "name": "statement", + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + } + ] + }, + { + "id": "control-0634", + "title": "Gateway operation", + "parts": [ + { + "id": "control-0634-stmt", + "name": "statement", + "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + } + ] + }, + { + "id": "control-0637", + "title": "Demilitarised zones", + "parts": [ + { + "id": "control-0637-stmt", + "name": "statement", + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." 
+ } + ] + }, + { + "id": "control-1037", + "title": "Gateway testing", + "parts": [ + { + "id": "control-1037-stmt", + "name": "statement", + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + } + ] + }, + { + "id": "control-0611", + "title": "Gateway administration", + "parts": [ + { + "id": "control-0611-stmt", + "name": "statement", + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + } + ] + }, + { + "id": "control-0612", + "title": "Gateway administration", + "parts": [ + { + "id": "control-0612-stmt", + "name": "statement", + "prose": "System administrators are formally trained to manage gateways." + } + ] + }, + { + "id": "control-1520", + "title": "Gateway administration", + "parts": [ + { + "id": "control-1520-stmt", + "name": "statement", + "prose": "All system administrators of gateways are cleared to access the highest level of data communicated or processed by the gateway." + } + ] + }, + { + "id": "control-0613", + "title": "Gateway administration", + "parts": [ + { + "id": "control-0613-stmt", + "name": "statement", + "prose": "All system administrators of gateways that process Australian Eyes Only or Australian Government Access Only data are Australian nationals." + } + ] + }, + { + "id": "control-0616", + "title": "Gateway administration", + "parts": [ + { + "id": "control-0616-stmt", + "name": "statement", + "prose": "Roles for the administration of gateways are separated." + } + ] + }, + { + "id": "control-0629", + "title": "Gateway administration", + "parts": [ + { + "id": "control-0629-stmt", + "name": "statement", + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." 
+ } + ] + }, + { + "id": "control-0607", + "title": "Shared ownership of gateways", + "parts": [ + { + "id": "control-0607-stmt", + "name": "statement", + "prose": "Once connectivity is established, system owners become stakeholders for all connected security domains." + } + ] + }, + { + "id": "control-0619", + "title": "Gateway authentication", + "parts": [ + { + "id": "control-0619-stmt", + "name": "statement", + "prose": "Users and services accessing networks through gateways are authenticated." + } + ] + }, + { + "id": "control-0620", + "title": "Gateway authentication", + "parts": [ + { + "id": "control-0620-stmt", + "name": "statement", + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + } + ] + }, + { + "id": "control-1039", + "title": "Gateway authentication", + "parts": [ + { + "id": "control-1039-stmt", + "name": "statement", + "prose": "Multi-factor authentication is used for access to gateways." + } + ] + }, + { + "id": "control-0622", + "title": "ICT equipment authentication", + "parts": [ + { + "id": "control-0622-stmt", + "name": "statement", + "prose": "ICT equipment accessing networks through gateways is authenticated." + } + ] + } + ] + }, + { + "id": "web_content_filters", + "title": "Web content filters", + "controls": [ + { + "id": "control-0963", + "title": "Using web content filters", + "parts": [ + { + "id": "control-0963-stmt", + "name": "statement", + "prose": "A web content filter is used to filter potentially harmful web-based content." + } + ] + }, + { + "id": "control-0961", + "title": "Using web content filters", + "parts": [ + { + "id": "control-0961-stmt", + "name": "statement", + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." 
+ } + ] + }, + { + "id": "control-1237", + "title": "Using web content filters", + "parts": [ + { + "id": "control-1237-stmt", + "name": "statement", + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + } + ] + }, + { + "id": "control-0263", + "title": "Transport Layer Security filtering", + "parts": [ + { + "id": "control-0263-stmt", + "name": "statement", + "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + } + ] + }, + { + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", + "parts": [ + { + "id": "control-0996-stmt", + "name": "statement", + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + } + ] + }, + { + "id": "control-0958", + "title": "Allowing access to specific websites", + "parts": [ + { + "id": "control-0958-stmt", + "name": "statement", + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure traffic communicated through internet gateways." + } + ] + }, + { + "id": "control-1170", + "title": "Allowing access to specific websites", + "parts": [ + { + "id": "control-1170-stmt", + "name": "statement", + "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + } + ] + }, + { + "id": "control-0959", + "title": "Blocking access to specific websites", + "parts": [ + { + "id": "control-0959-stmt", + "name": "statement", + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." 
+ } + ] + }, + { + "id": "control-0960", + "title": "Blocking access to specific websites", + "parts": [ + { + "id": "control-0960-stmt", + "name": "statement", + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." + } + ] + }, + { + "id": "control-1171", + "title": "Blocking access to specific websites", + "parts": [ + { + "id": "control-1171-stmt", + "name": "statement", + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + } + ] + }, + { + "id": "control-1236", + "title": "Blocking access to specific websites", + "parts": [ + { + "id": "control-1236-stmt", + "name": "statement", + "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + } + ] + } + ] + }, + { + "id": "diodes", + "title": "Diodes", + "controls": [ + { + "id": "control-0643", + "title": "Using diodes", + "parts": [ + { + "id": "control-0643-stmt", + "name": "statement", + "prose": "An evaluated diode is used for controlling the data flow of a unidirectional gateway between an organisation’s network and public network infrastructure." + } + ] + }, + { + "id": "control-0645", + "title": "Using diodes", + "parts": [ + { + "id": "control-0645-stmt", + "name": "statement", + "prose": "An evaluated diode used for controlling the data flow of a unidirectional gateway between a SECRET or TOP SECRET network and public network infrastructure completes a high assurance evaluation." + } + ] + }, + { + "id": "control-1157", + "title": "Using diodes", + "parts": [ + { + "id": "control-1157-stmt", + "name": "statement", + "prose": "An evaluated diode is used for controlling the data flow of a unidirectional gateway between networks." 
+ } + ] + }, + { + "id": "control-1158", + "title": "Using diodes", + "parts": [ + { + "id": "control-1158-stmt", + "name": "statement", + "prose": "An evaluated diode used for controlling the data flow of a unidirectional gateway between a SECRET or TOP SECRET network and any other network completes a high assurance evaluation." + } + ] + }, + { + "id": "control-0648", + "title": "Volume checking", + "parts": [ + { + "id": "control-0648-stmt", + "name": "statement", + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + } + ] + } + ] + }, + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ + { + "id": "control-1528", + "title": "Using firewalls", + "parts": [ + { + "id": "control-1528-stmt", + "name": "statement", + "prose": "An evaluated firewall is used between organisations’ networks and public network infrastructure." + } + ] + }, + { + "id": "control-0639", + "title": "Using firewalls", + "parts": [ + { + "id": "control-0639-stmt", + "name": "statement", + "prose": "An evaluated firewall is used between networks belonging to different security domains." + } + ] + }, + { + "id": "control-1194", + "title": "Using firewalls", + "parts": [ + { + "id": "control-1194-stmt", + "name": "statement", + "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ + { + "id": "evaluated_product_usage", + "title": "Evaluated product usage", + "controls": [ + { + "id": "control-0289", + "title": "Installation and configuration of evaluated products", + "parts": [ + { + "id": "control-0289-stmt", + "name": "statement", + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + } + ] + }, + { + "id": "control-0290", + "title": "Installation and configuration of evaluated products", + "parts": [ + { + "id": "control-0290-stmt", + "name": "statement", + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + } + ] + }, + { + "id": "control-0292", + "title": "Use of high assurance ICT equipment in unevaluated configurations", + "parts": [ + { + "id": "control-0292-stmt", + "name": "statement", + "prose": "High assurance ICT equipment is always operated in an evaluated configuration." + } + ] + } + ] + }, + { + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", + "controls": [ + { + "id": "control-0280", + "title": "Evaluated product selection", + "parts": [ + { + "id": "control-0280-stmt", + "name": "statement", + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + } + ] + }, + { + "id": "control-0285", + "title": "Delivery of evaluated products", + "parts": [ + { + "id": "control-0285-stmt", + "name": "statement", + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." 
+ } + ] + }, + { + "id": "control-0286", + "title": "Delivery of evaluated products", + "parts": [ + { + "id": "control-0286-stmt", + "name": "statement", + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ + { + "id": "facilities_and_systems", + "title": "Facilities and systems", + "controls": [ + { + "id": "control-0810", + "title": "Physical access to systems", + "parts": [ + { + "id": "control-0810-stmt", + "name": "statement", + "prose": "Systems are secured in facilities that meet the requirements for a security zone suitable for their sensitivity or classification." + } + ] + }, + { + "id": "control-1053", + "title": "Physical access to servers, network devices and cryptographic equipment", + "parts": [ + { + "id": "control-1053-stmt", + "name": "statement", + "prose": "Servers, network devices and cryptographic equipment are secured in server rooms or communications rooms that meet the requirements for a security zone suitable for their sensitivity or classification." + } + ] + }, + { + "id": "control-1530", + "title": "Physical access to servers, network devices and cryptographic equipment", + "parts": [ + { + "id": "control-1530-stmt", + "name": "statement", + "prose": "Servers, network devices and cryptographic equipment are secured in security containers or secure rooms suitable for their sensitivity or classification taking into account the combination of security zones they reside in." + } + ] + }, + { + "id": "control-0813", + "title": "Physical access to servers, network devices and cryptographic equipment", + "parts": [ + { + "id": "control-0813-stmt", + "name": "statement", + "prose": "Server rooms, communications rooms, security containers and secure rooms are not left in unsecured states." 
+ } + ] + }, + { + "id": "control-1074", + "title": "Physical access to servers, network devices and cryptographic equipment", + "parts": [ + { + "id": "control-1074-stmt", + "name": "statement", + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms, security containers and secure rooms are appropriately controlled." + } + ] + }, + { + "id": "control-1296", + "title": "Physical access to network devices in public areas", + "parts": [ + { + "id": "control-1296-stmt", + "name": "statement", + "prose": "Physical security controls are implemented to protect network devices in public areas from physical damage or unauthorised access." + } + ] + }, + { + "id": "control-1543", + "title": "Bringing Radio Frequency and infrared devices into facilities", + "parts": [ + { + "id": "control-1543-stmt", + "name": "statement", + "prose": "An authorised RF and IR device register is maintained and regularly audited for SECRET and TOP SECRET areas." + } + ] + }, + { + "id": "control-0225", + "title": "Bringing Radio Frequency and infrared devices into facilities", + "parts": [ + { + "id": "control-0225-stmt", + "name": "statement", + "prose": "Unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas." + } + ] + }, + { + "id": "control-0829", + "title": "Bringing Radio Frequency and infrared devices into facilities", + "parts": [ + { + "id": "control-0829-stmt", + "name": "statement", + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + } + ] + }, + { + "id": "control-0164", + "title": "Preventing observation by unauthorised people", + "parts": [ + { + "id": "control-0164-stmt", + "name": "statement", + "prose": "Unauthorised people are prevented from observing systems, in particular workstation displays and keyboards, within facilities." 
+ } + ] + } + ] + }, + { + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", + "controls": [ + { + "id": "control-0161", + "title": "Securing ICT equipment and media", + "parts": [ + { + "id": "control-0161-stmt", + "name": "statement", + "prose": "ICT equipment and media are secured when not in use." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", + "groups": [ + { + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", + "controls": [ + { + "id": "control-0252", + "title": "Providing cyber security awareness training", + "parts": [ + { + "id": "control-0252-stmt", + "name": "statement", + "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." + } + ] + }, + { + "id": "control-1565", + "title": "Providing cyber security awareness training", + "parts": [ + { + "id": "control-1565-stmt", + "name": "statement", + "prose": "Tailored privileged user training is undertaken annually by all privileged users." + } + ] + }, + { + "id": "control-0817", + "title": "Reporting suspicious contact via online services", + "parts": [ + { + "id": "control-0817-stmt", + "name": "statement", + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." 
+ } + ] + }, + { + "id": "control-0820", + "title": "Posting work information to online services", + "parts": [ + { + "id": "control-0820-stmt", + "name": "statement", + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + } + ] + }, + { + "id": "control-1146", + "title": "Posting work information to online services", + "parts": [ + { + "id": "control-1146-stmt", + "name": "statement", + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." + } + ] + }, + { + "id": "control-0821", + "title": "Posting personal information to online services", + "parts": [ + { + "id": "control-0821-stmt", + "name": "statement", + "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + } + ] + }, + { + "id": "control-0824", + "title": "Sending and receiving files via online services", + "parts": [ + { + "id": "control-0824-stmt", + "name": "statement", + "prose": "Personnel are advised not to send or receive files via unauthorised online services." + } + ] + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ + { + "id": "control-0432", + "title": "System access requirements", + "parts": [ + { + "id": "control-0432-stmt", + "name": "statement", + "prose": "Access requirements for a system and its resources are documented in its system security plan." + } + ] + }, + { + "id": "control-0434", + "title": "System access requirements", + "parts": [ + { + "id": "control-0434-stmt", + "name": "statement", + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." 
+ } + ] + }, + { + "id": "control-0435", + "title": "System access requirements", + "parts": [ + { + "id": "control-0435-stmt", + "name": "statement", + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + } + ] + }, + { + "id": "control-0414", + "title": "User identification", + "parts": [ + { + "id": "control-0414-stmt", + "name": "statement", + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + } + ] + }, + { + "id": "control-0415", + "title": "User identification", + "parts": [ + { + "id": "control-0415-stmt", + "name": "statement", + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + } + ] + }, + { + "id": "control-1583", + "title": "User identification", + "parts": [ + { + "id": "control-1583-stmt", + "name": "statement", + "prose": "Personnel who are contractors are identified as such." + } + ] + }, + { + "id": "control-0420", + "title": "User identification", + "parts": [ + { + "id": "control-0420-stmt", + "name": "statement", + "prose": "Where a system processes, stores or communicates AUSTEO, AGAO or REL data, personnel who are foreign nationals are identified as such, including by their specific nationality." + } + ] + }, + { + "id": "control-0405", + "title": "Unprivileged access to systems", + "parts": [ + { + "id": "control-0405-stmt", + "name": "statement", + "prose": "Requests for unprivileged access to systems, applications and data repositories are validated when first requested." + } + ] + }, + { + "id": "control-1566", + "title": "Unprivileged access to systems", + "parts": [ + { + "id": "control-1566-stmt", + "name": "statement", + "prose": "Use of unprivileged access is logged." 
+ } + ] + }, + { + "id": "control-1714", + "title": "Unprivileged access to systems", + "parts": [ + { + "id": "control-1714-stmt", + "name": "statement", + "prose": "Unprivileged access event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." + } + ] + }, + { + "id": "control-0409", + "title": "Unprivileged access to systems by foreign nationals", + "parts": [ + { + "id": "control-0409-stmt", + "name": "statement", + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL data unless effective security controls are in place to ensure such data is not accessible to them." + } + ] + }, + { + "id": "control-0411", + "title": "Unprivileged access to systems by foreign nationals", + "parts": [ + { + "id": "control-0411-stmt", + "name": "statement", + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO data unless effective security controls are in place to ensure such data is not accessible to them." + } + ] + }, + { + "id": "control-1507", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1507-stmt", + "name": "statement", + "prose": "Requests for privileged access to systems and applications are validated when first requested." + } + ] + }, + { + "id": "control-1733", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1733-stmt", + "name": "statement", + "prose": "Requests for privileged access to data repositories are validated when first requested." 
+ } + ] + }, + { + "id": "control-1508", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1508-stmt", + "name": "statement", + "prose": "Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties." + } + ] + }, + { + "id": "control-1175", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1175-stmt", + "name": "statement", + "prose": "Privileged user accounts are prevented from accessing the internet, email and web services." + } + ] + }, + { + "id": "control-1653", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1653-stmt", + "name": "statement", + "prose": "Privileged service accounts are prevented from accessing the internet, email and web services." + } + ] + }, + { + "id": "control-1649", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1649-stmt", + "name": "statement", + "prose": "Just-in-time administration is used for administering systems and applications." + } + ] + }, + { + "id": "control-0445", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-0445-stmt", + "name": "statement", + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + } + ] + }, + { + "id": "control-1509", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1509-stmt", + "name": "statement", + "prose": "Use of privileged access is logged." + } + ] + }, + { + "id": "control-1650", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1650-stmt", + "name": "statement", + "prose": "Changes to privileged accounts and groups are logged." 
+ } + ] + }, + { + "id": "control-1651", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1651-stmt", + "name": "statement", + "prose": "Privileged access event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." + } + ] + }, + { + "id": "control-1652", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1652-stmt", + "name": "statement", + "prose": "Privileged account and group change event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." + } + ] + }, + { + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", + "parts": [ + { + "id": "control-0446-stmt", + "name": "statement", + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL data." + } + ] + }, + { + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", + "parts": [ + { + "id": "control-0447-stmt", + "name": "statement", + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO data." + } + ] + }, + { + "id": "control-0430", + "title": "Suspension of access to systems", + "parts": [ + { + "id": "control-0430-stmt", + "name": "statement", + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." 
+ } + ] + }, + { + "id": "control-1591", + "title": "Suspension of access to systems", + "parts": [ + { + "id": "control-1591-stmt", + "name": "statement", + "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." + } + ] + }, + { + "id": "control-1404", + "title": "Suspension of access to systems", + "parts": [ + { + "id": "control-1404-stmt", + "name": "statement", + "prose": "Unprivileged access to systems and applications is automatically disabled after 45 days of inactivity." + } + ] + }, + { + "id": "control-1648", + "title": "Suspension of access to systems", + "parts": [ + { + "id": "control-1648-stmt", + "name": "statement", + "prose": "Privileged access to systems and applications is automatically disabled after 45 days of inactivity." + } + ] + }, + { + "id": "control-1716", + "title": "Suspension of access to systems", + "parts": [ + { + "id": "control-1716-stmt", + "name": "statement", + "prose": "Access to data repositories is automatically disabled after 45 days of inactivity." + } + ] + }, + { + "id": "control-1647", + "title": "Suspension of access to systems", + "parts": [ + { + "id": "control-1647-stmt", + "name": "statement", + "prose": "Privileged access to systems and applications is automatically disabled after 12 months unless revalidated." + } + ] + }, + { + "id": "control-1734", + "title": "Suspension of access to systems", + "parts": [ + { + "id": "control-1734-stmt", + "name": "statement", + "prose": "Privileged access to data repositories is automatically disabled after 12 months unless revalidated." 
+ } + ] + }, + { + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", + "parts": [ + { + "id": "control-0407-stmt", + "name": "statement", + "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." + } + ] + }, + { + "id": "control-0441", + "title": "Temporary access to systems", + "parts": [ + { + "id": "control-0441-stmt", + "name": "statement", + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only data required for them to undertake their duties." + } + ] + }, + { + "id": "control-0443", + "title": "Temporary access to systems", + "parts": [ + { + "id": "control-0443-stmt", + "name": "statement", + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + } + ] + }, + { + "id": "control-1610", + "title": "Emergency access to systems", + "parts": [ + { + "id": "control-1610-stmt", + "name": "statement", + "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + } + ] + }, + { + "id": "control-1611", + "title": "Emergency access to systems", + "parts": [ + { + "id": "control-1611-stmt", + "name": "statement", + "prose": "Break glass accounts are only used when normal authentication processes cannot be used." 
+ } + ] + }, + { + "id": "control-1612", + "title": "Emergency access to systems", + "parts": [ + { + "id": "control-1612-stmt", + "name": "statement", + "prose": "Break glass accounts are only used for specific authorised activities." + } + ] + }, + { + "id": "control-1613", + "title": "Emergency access to systems", + "parts": [ + { + "id": "control-1613-stmt", + "name": "statement", + "prose": "Use of break glass accounts is logged." + } + ] + }, + { + "id": "control-1715", + "title": "Emergency access to systems", + "parts": [ + { + "id": "control-1715-stmt", + "name": "statement", + "prose": "Break glass event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." + } + ] + }, + { + "id": "control-1614", + "title": "Emergency access to systems", + "parts": [ + { + "id": "control-1614-stmt", + "name": "statement", + "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." + } + ] + }, + { + "id": "control-1615", + "title": "Emergency access to systems", + "parts": [ + { + "id": "control-1615-stmt", + "name": "statement", + "prose": "Break glass accounts are tested after credentials are changed." + } + ] + }, + { + "id": "control-0078", + "title": "Control of Australian systems", + "parts": [ + { + "id": "control-0078-stmt", + "name": "statement", + "prose": "Systems processing, storing or communicating AUSTEO or AGAO data remain at all times under the control of an Australian national working for or on behalf of the Australian Government." 
+ } + ] + }, + { + "id": "control-0854", + "title": "Control of Australian systems", + "parts": [ + { + "id": "control-0854-stmt", + "name": "statement", + "prose": "AUSTEO and AGAO data can only be accessed from systems under the sole control of the Australian Government that are located within facilities authorised by the Australian Government." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ + { + "id": "control-1631", + "title": "Cyber supply chain risk management", + "parts": [ + { + "id": "control-1631-stmt", + "name": "statement", + "prose": "Components and services relevant to the security of systems are identified and understood." + } + ] + }, + { + "id": "control-1452", + "title": "Cyber supply chain risk management", + "parts": [ + { + "id": "control-1452-stmt", + "name": "statement", + "prose": "Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk." + } + ] + }, + { + "id": "control-1567", + "title": "Cyber supply chain risk management", + "parts": [ + { + "id": "control-1567-stmt", + "name": "statement", + "prose": "Suppliers and service providers identified as high risk are not used." + } + ] + }, + { + "id": "control-1568", + "title": "Cyber supply chain risk management", + "parts": [ + { + "id": "control-1568-stmt", + "name": "statement", + "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices." 
+ } + ] + }, + { + "id": "control-1632", + "title": "Cyber supply chain risk management", + "parts": [ + { + "id": "control-1632-stmt", + "name": "statement", + "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains." + } + ] + }, + { + "id": "control-1569", + "title": "Cyber supply chain risk management", + "parts": [ + { + "id": "control-1569-stmt", + "name": "statement", + "prose": "A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party." + } + ] + }, + { + "id": "control-1637", + "title": "Outsourced cloud services", + "parts": [ + { + "id": "control-1637-stmt", + "name": "statement", + "prose": "An outsourced cloud services register is maintained and regularly audited." + } + ] + }, + { + "id": "control-1638", + "title": "Outsourced cloud services", + "parts": [ + { + "id": "control-1638-stmt", + "name": "statement", + "prose": "An outsourced cloud services register contains the following for each outsourced cloud service:\n• cloud service provider’s name\n• cloud service’s name\n• purpose for using the cloud service\n• sensitivity or classification of data involved\n• due date for the next security assessment of the cloud service\n• point of contact for users of the cloud service\n• point of contact for the cloud service provider." + } + ] + }, + { + "id": "control-1570", + "title": "Outsourced cloud services", + "parts": [ + { + "id": "control-1570-stmt", + "name": "statement", + "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." 
+ } + ] + }, + { + "id": "control-1529", + "title": "Outsourced cloud services", + "parts": [ + { + "id": "control-1529-stmt", + "name": "statement", + "prose": "Only community or private clouds are used for outsourced SECRET and TOP SECRET cloud services." + } + ] + }, + { + "id": "control-1395", + "title": "Contractual security requirements", + "parts": [ + { + "id": "control-1395-stmt", + "name": "statement", + "prose": "Service providers provide an appropriate level of protection for any data entrusted to them or their services." + } + ] + }, + { + "id": "control-0072", + "title": "Contractual security requirements", + "parts": [ + { + "id": "control-0072-stmt", + "name": "statement", + "prose": "Security requirements associated with the confidentiality, integrity and availability of data entrusted to a service provider are documented in contractual arrangements." + } + ] + }, + { + "id": "control-1571", + "title": "Contractual security requirements", + "parts": [ + { + "id": "control-1571-stmt", + "name": "statement", + "prose": "The right to audit security controls associated with the protection of data and services is specified in contractual arrangements." + } + ] + }, + { + "id": "control-1451", + "title": "Contractual security requirements", + "parts": [ + { + "id": "control-1451-stmt", + "name": "statement", + "prose": "Types of data and its ownership is documented in contractual arrangements." + } + ] + }, + { + "id": "control-1572", + "title": "Contractual security requirements", + "parts": [ + { + "id": "control-1572-stmt", + "name": "statement", + "prose": "The regions or availability zones where data will be processed, stored and communicated is documented in contractual arrangements." 
+ } + ] + }, + { + "id": "control-1573", + "title": "Contractual security requirements", + "parts": [ + { + "id": "control-1573-stmt", + "name": "statement", + "prose": "Access to all logs relating to an organisation’s data and services are specified in contractual arrangements." + } + ] + }, + { + "id": "control-1574", + "title": "Contractual security requirements", + "parts": [ + { + "id": "control-1574-stmt", + "name": "statement", + "prose": "Data entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of data." + } + ] + }, + { + "id": "control-1575", + "title": "Contractual security requirements", + "parts": [ + { + "id": "control-1575-stmt", + "name": "statement", + "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." + } + ] + }, + { + "id": "control-1073", + "title": "Access to systems and data by service providers", + "parts": [ + { + "id": "control-1073-stmt", + "name": "statement", + "prose": "An organisation’s systems and data are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." + } + ] + }, + { + "id": "control-1576", + "title": "Access to systems and data by service providers", + "parts": [ + { + "id": "control-1576-stmt", + "name": "statement", + "prose": "If an organisation’s systems or data are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems", + "title": "Guidelines for Database Systems", + "groups": [ + { + "id": "databases", + "title": "Databases", + "controls": [ + { + "id": "control-1243", + "title": "Database register", + "parts": [ + { + "id": "control-1243-stmt", + "name": "statement", + "prose": "A database register is maintained and regularly audited." + } + ] + }, + { + "id": "control-1256", + "title": "Protecting databases", + "parts": [ + { + "id": "control-1256-stmt", + "name": "statement", + "prose": "File-based access controls are applied to database files." + } + ] + }, + { + "id": "control-1252", + "title": "Protecting authentication credentials in databases", + "parts": [ + { + "id": "control-1252-stmt", + "name": "statement", + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." + } + ] + }, + { + "id": "control-0393", + "title": "Protecting database contents", + "parts": [ + { + "id": "control-0393-stmt", + "name": "statement", + "prose": "Databases and their contents are classified based on the sensitivity or classification of data that they contain." + } + ] + }, + { + "id": "control-1255", + "title": "Protecting database contents", + "parts": [ + { + "id": "control-1255-stmt", + "name": "statement", + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + } + ] + }, + { + "id": "control-1268", + "title": "Protecting database contents", + "parts": [ + { + "id": "control-1268-stmt", + "name": "statement", + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." 
+ } + ] + }, + { + "id": "control-1258", + "title": "Aggregation of database contents", + "parts": [ + { + "id": "control-1258-stmt", + "name": "statement", + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of data from within databases could lead to a database user determining more sensitive or classified data, database views in combination with database user access roles are implemented." + } + ] + }, + { + "id": "control-1274", + "title": "Separation of production, test and development databases", + "parts": [ + { + "id": "control-1274-stmt", + "name": "statement", + "prose": "Data in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + } + ] + }, + { + "id": "control-1275", + "title": "Web application interaction with databases", + "parts": [ + { + "id": "control-1275-stmt", + "name": "statement", + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." + } + ] + }, + { + "id": "control-1276", + "title": "Web application interaction with databases", + "parts": [ + { + "id": "control-1276-stmt", + "name": "statement", + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." + } + ] + }, + { + "id": "control-1278", + "title": "Web application interaction with databases", + "parts": [ + { + "id": "control-1278-stmt", + "name": "statement", + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." 
+ } + ] + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ + { + "id": "control-1245", + "title": "Temporary installation files and logs", + "parts": [ + { + "id": "control-1245-stmt", + "name": "statement", + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + } + ] + }, + { + "id": "control-1246", + "title": "Hardening and configuration", + "parts": [ + { + "id": "control-1246-stmt", + "name": "statement", + "prose": "DBMS software is configured according to vendor guidance." + } + ] + }, + { + "id": "control-1247", + "title": "Hardening and configuration", + "parts": [ + { + "id": "control-1247-stmt", + "name": "statement", + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + } + ] + }, + { + "id": "control-1249", + "title": "Restricting privileges", + "parts": [ + { + "id": "control-1249-stmt", + "name": "statement", + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + } + ] + }, + { + "id": "control-1250", + "title": "Restricting privileges", + "parts": [ + { + "id": "control-1250-stmt", + "name": "statement", + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + } + ] + }, + { + "id": "control-1251", + "title": "Restricting privileges", + "parts": [ + { + "id": "control-1251-stmt", + "name": "statement", + "prose": "The ability of DBMS software to read local files from a server is disabled." + } + ] + }, + { + "id": "control-1260", + "title": "Database administrator accounts", + "parts": [ + { + "id": "control-1260-stmt", + "name": "statement", + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." 
+ } + ] + }, + { + "id": "control-1262", + "title": "Database administrator accounts", + "parts": [ + { + "id": "control-1262-stmt", + "name": "statement", + "prose": "Database administrators have unique and identifiable accounts." + } + ] + }, + { + "id": "control-1261", + "title": "Database administrator accounts", + "parts": [ + { + "id": "control-1261-stmt", + "name": "statement", + "prose": "Database administrator accounts are not shared across different databases." + } + ] + }, + { + "id": "control-1263", + "title": "Database administrator accounts", + "parts": [ + { + "id": "control-1263-stmt", + "name": "statement", + "prose": "Database administrator accounts are used exclusively for administrative activities, with standard database accounts used for general purpose interactions with databases." + } + ] + }, + { + "id": "control-1264", + "title": "Database administrator accounts", + "parts": [ + { + "id": "control-1264-stmt", + "name": "statement", + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + } + ] + } + ] + }, + { + "id": "database_servers", + "title": "Database servers", + "controls": [ + { + "id": "control-1425", + "title": "Protecting database server contents", + "parts": [ + { + "id": "control-1425-stmt", + "name": "statement", + "prose": "Hard disks of database servers are encrypted using full disk encryption." + } + ] + }, + { + "id": "control-1269", + "title": "Functional separation between database servers and web servers", + "parts": [ + { + "id": "control-1269-stmt", + "name": "statement", + "prose": "Database servers and web servers are functionally separated, physically or virtually." 
+ } + ] + }, + { + "id": "control-1277", + "title": "Communications between database servers and web servers", + "parts": [ + { + "id": "control-1277-stmt", + "name": "statement", + "prose": "Data communicated between database servers and web applications is encrypted." + } + ] + }, + { + "id": "control-1270", + "title": "Network environment", + "parts": [ + { + "id": "control-1270-stmt", + "name": "statement", + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + } + ] + }, + { + "id": "control-1271", + "title": "Network environment", + "parts": [ + { + "id": "control-1271-stmt", + "name": "statement", + "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + } + ] + }, + { + "id": "control-1272", + "title": "Network environment", + "parts": [ + { + "id": "control-1272-stmt", + "name": "statement", + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." + } + ] + }, + { + "id": "control-1273", + "title": "Separation of production, test and development database servers", + "parts": [ + { + "id": "control-1273-stmt", + "name": "statement", + "prose": "Test and development environments do not use the same database servers as production environments." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", + "controls": [ + { + "id": "control-0576", + "title": "Intrusion detection and prevention policy", + "parts": [ + { + "id": "control-0576-stmt", + "name": "statement", + "prose": "An intrusion detection and prevention policy is developed and implemented." + } + ] + }, + { + "id": "control-1625", + "title": "Trusted insider program", + "parts": [ + { + "id": "control-1625-stmt", + "name": "statement", + "prose": "A trusted insider program is developed and implemented." + } + ] + }, + { + "id": "control-1626", + "title": "Trusted insider program", + "parts": [ + { + "id": "control-1626-stmt", + "name": "statement", + "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." + } + ] + }, + { + "id": "control-0120", + "title": "Access to sufficient data sources and tools", + "parts": [ + { + "id": "control-0120-stmt", + "name": "statement", + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + } + ] + } + ] + }, + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ + { + "id": "control-0123", + "title": "Reporting cyber security incidents", + "parts": [ + { + "id": "control-0123-stmt", + "name": "statement", + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." 
+ } + ] + }, + { + "id": "control-0141", + "title": "Reporting cyber security incidents", + "parts": [ + { + "id": "control-0141-stmt", + "name": "statement", + "prose": "Service providers report cyber security incidents to their customer’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + } + ] + }, + { + "id": "control-1433", + "title": "Reporting cyber security incidents", + "parts": [ + { + "id": "control-1433-stmt", + "name": "statement", + "prose": "Service providers and their customers maintain 24/7 contact details for each other, including additional out-of-band contact details for when normal communication channels fail, in order to report cyber security incidents." + } + ] + }, + { + "id": "control-0140", + "title": "Reporting cyber security incidents to the ACSC", + "parts": [ + { + "id": "control-0140-stmt", + "name": "statement", + "prose": "Cyber security incidents are reported to the ACSC." + } + ] + } + ] + }, + { + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", + "controls": [ + { + "id": "control-0125", + "title": "Cyber security incident register", + "parts": [ + { + "id": "control-0125-stmt", + "name": "statement", + "prose": "A cyber security incident register is maintained that covers the following:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." + } + ] + }, + { + "id": "control-0133", + "title": "Handling and containing data spills", + "parts": [ + { + "id": "control-0133-stmt", + "name": "statement", + "prose": "When a data spill occurs, data owners are advised and access to the data is restricted." 
+ } + ] + }, + { + "id": "control-0917", + "title": "Handling and containing malicious code infections", + "parts": [ + { + "id": "control-0917-stmt", + "name": "statement", + "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + } + ] + }, + { + "id": "control-0137", + "title": "Handling and containing intrusions", + "parts": [ + { + "id": "control-0137-stmt", + "name": "statement", + "prose": "Legal advice is sought before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence." + } + ] + }, + { + "id": "control-1609", + "title": "Handling and containing intrusions", + "parts": [ + { + "id": "control-1609-stmt", + "name": "statement", + "prose": "System owners are consulted before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence." + } + ] + }, + { + "id": "control-1731", + "title": "Handling and containing intrusions", + "parts": [ + { + "id": "control-1731-stmt", + "name": "statement", + "prose": "Planning and coordination of intrusion remediation activities are conducted on a separate system to that which has been compromised." + } + ] + }, + { + "id": "control-1732", + "title": "Handling and containing intrusions", + "parts": [ + { + "id": "control-1732-stmt", + "name": "statement", + "prose": "To the extent possible, all intrusion remediation activities are conducted in a coordinated manner during the same planned outage." 
+ } + ] + }, + { + "id": "control-1213", + "title": "Handling and containing intrusions", + "parts": [ + { + "id": "control-1213-stmt", + "name": "statement", + "prose": "Following intrusion remediation activities, full network traffic is captured for at least seven days and analysed to determine whether the adversary has been successfully removed from the system." + } + ] + }, + { + "id": "control-0138", + "title": "Integrity of evidence", + "parts": [ + { + "id": "control-0138-stmt", + "name": "statement", + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_networking", + "title": "Guidelines for Networking", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ + { + "id": "control-1437", + "title": "Cloud-based hosting of online services", + "parts": [ + { + "id": "control-1437-stmt", + "name": "statement", + "prose": "A cloud service provider is used for hosting online services." + } + ] + }, + { + "id": "control-1578", + "title": "Location policies for online services", + "parts": [ + { + "id": "control-1578-stmt", + "name": "statement", + "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones for online services." + } + ] + }, + { + "id": "control-1579", + "title": "Availability planning and monitoring for online services", + "parts": [ + { + "id": "control-1579-stmt", + "name": "statement", + "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes for online services." 
+ } + ] + }, + { + "id": "control-1580", + "title": "Availability planning and monitoring for online services", + "parts": [ + { + "id": "control-1580-stmt", + "name": "statement", + "prose": "Where a high availability requirement exists for online services, the services are architected to automatically transition between availability zones." + } + ] + }, + { + "id": "control-1441", + "title": "Availability planning and monitoring for online services", + "parts": [ + { + "id": "control-1441-stmt", + "name": "statement", + "prose": "Where a requirement for high availability exists for online services, a denial of service mitigation service is used." + } + ] + }, + { + "id": "control-1581", + "title": "Availability planning and monitoring for online services", + "parts": [ + { + "id": "control-1581-stmt", + "name": "statement", + "prose": "Organisations perform continuous real-time monitoring of the availability of online services." + } + ] + }, + { + "id": "control-1438", + "title": "Using content delivery networks", + "parts": [ + { + "id": "control-1438-stmt", + "name": "statement", + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + } + ] + }, + { + "id": "control-1439", + "title": "Using content delivery networks", + "parts": [ + { + "id": "control-1439-stmt", + "name": "statement", + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." 
+ } + ] + }, + { + "id": "control-1431", + "title": "Denial of service strategies", + "parts": [ + { + "id": "control-1431-stmt", + "name": "statement", + "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." + } + ] + }, + { + "id": "control-1458", + "title": "Denial of service strategies", + "parts": [ + { + "id": "control-1458-stmt", + "name": "statement", + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + } + ] + }, + { + "id": "control-1432", + "title": "Domain name registrar locking", + "parts": [ + { + "id": "control-1432-stmt", + "name": "statement", + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + } + ] + }, + { + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", + "parts": [ + { + "id": "control-1435-stmt", + "name": "statement", + "prose": "Availability monitoring with real-time alerting is implemented for online services to detect denial-of-service attacks and measure their impact." 
+ } + ] + }, + { + "id": "control-1436", + "title": "Segregation of critical online services", + "parts": [ + { + "id": "control-1436-stmt", + "name": "statement", + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + } + ] + }, + { + "id": "control-1518", + "title": "Preparing for service continuity", + "parts": [ + { + "id": "control-1518-stmt", + "name": "statement", + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + } + ] + } + ] + }, + { + "id": "wireless_networks", + "title": "Wireless networks", + "controls": [ + { + "id": "control-1314", + "title": "Choosing wireless devices", + "parts": [ + { + "id": "control-1314-stmt", + "name": "statement", + "prose": "All wireless devices are Wi-Fi Alliance certified." + } + ] + }, + { + "id": "control-0536", + "title": "Wireless networks for public access", + "parts": [ + { + "id": "control-0536-stmt", + "name": "statement", + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + } + ] + }, + { + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", + "parts": [ + { + "id": "control-1315-stmt", + "name": "statement", + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." + } + ] + }, + { + "id": "control-1316", + "title": "Default settings", + "parts": [ + { + "id": "control-1316-stmt", + "name": "statement", + "prose": "The default SSID of wireless access points is changed." 
+ } + ] + }, + { + "id": "control-1317", + "title": "Default settings", + "parts": [ + { + "id": "control-1317-stmt", + "name": "statement", + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + } + ] + }, + { + "id": "control-1318", + "title": "Default settings", + "parts": [ + { + "id": "control-1318-stmt", + "name": "statement", + "prose": "SSID broadcasting is enabled on wireless networks." + } + ] + }, + { + "id": "control-1709", + "title": "Default settings", + "parts": [ + { + "id": "control-1709-stmt", + "name": "statement", + "prose": "Default accounts and passphrases of wireless devices are changed." + } + ] + }, + { + "id": "control-1710", + "title": "Default settings", + "parts": [ + { + "id": "control-1710-stmt", + "name": "statement", + "prose": "Configuration settings for wireless devices are hardened." + } + ] + }, + { + "id": "control-1319", + "title": "Static addressing", + "parts": [ + { + "id": "control-1319-stmt", + "name": "statement", + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + } + ] + }, + { + "id": "control-1320", + "title": "Media Access Control address filtering", + "parts": [ + { + "id": "control-1320-stmt", + "name": "statement", + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." + } + ] + }, + { + "id": "control-1332", + "title": "Confidentiality and integrity of wireless network traffic", + "parts": [ + { + "id": "control-1332-stmt", + "name": "statement", + "prose": "WPA3-Enterprise 192-bit mode is used to protect the confidentiality and integrity of all wireless network traffic." 
+ } + ] + }, + { + "id": "control-1321", + "title": "802.1X authentication", + "parts": [ + { + "id": "control-1321-stmt", + "name": "statement", + "prose": "802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication; with all other EAP methods disabled on supplications and authentication servers." + } + ] + }, + { + "id": "control-1711", + "title": "802.1X authentication", + "parts": [ + { + "id": "control-1711-stmt", + "name": "statement", + "prose": "User identity confidentiality is used if available with EAP-TLS implementations." + } + ] + }, + { + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", + "parts": [ + { + "id": "control-1322-stmt", + "name": "statement", + "prose": "Evaluated supplicants, authenticators, wireless access points and authentication servers are used in wireless networks." + } + ] + }, + { + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", + "parts": [ + { + "id": "control-1324-stmt", + "name": "statement", + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + } + ] + }, + { + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", + "parts": [ + { + "id": "control-1323-stmt", + "name": "statement", + "prose": "Certificates are required for both devices and users accessing wireless networks." + } + ] + }, + { + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", + "parts": [ + { + "id": "control-1327-stmt", + "name": "statement", + "prose": "Certificates are protected by encryption, user authentication, and both logical and physical access controls." 
+ } + ] + }, + { + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", + "parts": [ + { + "id": "control-1330-stmt", + "name": "statement", + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + } + ] + }, + { + "id": "control-1712", + "title": "Fast Basic Service Set Transition", + "parts": [ + { + "id": "control-1712-stmt", + "name": "statement", + "prose": "The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an ASD Approved Cryptographic Protocol." + } + ] + }, + { + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", + "parts": [ + { + "id": "control-1454-stmt", + "name": "statement", + "prose": "Communications between authenticators and a RADIUS server are encapsulated with an additional layer of encryption using RADIUS over Internet Protocol Security or RADIUS over Transport Layer Security." + } + ] + }, + { + "id": "control-1334", + "title": "Interference between wireless networks", + "parts": [ + { + "id": "control-1334-stmt", + "name": "statement", + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + } + ] + }, + { + "id": "control-1335", + "title": "Protecting management frames on wireless networks", + "parts": [ + { + "id": "control-1335-stmt", + "name": "statement", + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + } + ] + }, + { + "id": "control-1338", + "title": "Wireless network footprint", + "parts": [ + { + "id": "control-1338-stmt", + "name": "statement", + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." 
+ } + ] + }, + { + "id": "control-1013", + "title": "Wireless network footprint", + "parts": [ + { + "id": "control-1013-stmt", + "name": "statement", + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on facilities in which SECRET or TOP SECRET wireless networks are used." + } + ] + } + ] + }, + { + "id": "network_design_and_configuration", + "title": "Network design and configuration", + "controls": [ + { + "id": "control-0516", + "title": "Network documentation", + "parts": [ + { + "id": "control-0516-stmt", + "name": "statement", + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + } + ] + }, + { + "id": "control-0518", + "title": "Network documentation", + "parts": [ + { + "id": "control-0518-stmt", + "name": "statement", + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + } + ] + }, + { + "id": "control-1178", + "title": "Network documentation", + "parts": [ + { + "id": "control-1178-stmt", + "name": "statement", + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + } + ] + }, + { + "id": "control-1181", + "title": "Network segmentation and segregation", + "parts": [ + { + "id": "control-1181-stmt", + "name": "statement", + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of data or services." 
+ } + ] + }, + { + "id": "control-1577", + "title": "Network segmentation and segregation", + "parts": [ + { + "id": "control-1577-stmt", + "name": "statement", + "prose": "Organisation networks are segregated from service provider networks." + } + ] + }, + { + "id": "control-1532", + "title": "Using Virtual Local Area Networks", + "parts": [ + { + "id": "control-1532-stmt", + "name": "statement", + "prose": "VLANs are not used to separate network traffic between organisations’ networks and public network infrastructure." + } + ] + }, + { + "id": "control-0529", + "title": "Using Virtual Local Area Networks", + "parts": [ + { + "id": "control-0529-stmt", + "name": "statement", + "prose": "VLANs are not used to separate network traffic between networks belonging to different security domains." + } + ] + }, + { + "id": "control-1364", + "title": "Using Virtual Local Area Networks", + "parts": [ + { + "id": "control-1364-stmt", + "name": "statement", + "prose": "Network devices managing VLANs terminate VLANs belonging to different security domains on separate physical network interfaces." + } + ] + }, + { + "id": "control-0535", + "title": "Using Virtual Local Area Networks", + "parts": [ + { + "id": "control-0535-stmt", + "name": "statement", + "prose": "Network devices managing VLANs belonging to different security domains do not share VLAN trunks." + } + ] + }, + { + "id": "control-0530", + "title": "Using Virtual Local Area Networks", + "parts": [ + { + "id": "control-0530-stmt", + "name": "statement", + "prose": "Network devices managing VLANs are administered from the most trusted security domain." + } + ] + }, + { + "id": "control-0521", + "title": "Using Internet Protocol version 6", + "parts": [ + { + "id": "control-0521-stmt", + "name": "statement", + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." 
+ } + ] + }, + { + "id": "control-1186", + "title": "Using Internet Protocol version 6", + "parts": [ + { + "id": "control-1186-stmt", + "name": "statement", + "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + } + ] + }, + { + "id": "control-1428", + "title": "Using Internet Protocol version 6", + "parts": [ + { + "id": "control-1428-stmt", + "name": "statement", + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + } + ] + }, + { + "id": "control-1429", + "title": "Using Internet Protocol version 6", + "parts": [ + { + "id": "control-1429-stmt", + "name": "statement", + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + } + ] + }, + { + "id": "control-1430", + "title": "Using Internet Protocol version 6", + "parts": [ + { + "id": "control-1430-stmt", + "name": "statement", + "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease data stored in a centralised logging facility." + } + ] + }, + { + "id": "control-0520", + "title": "Network access controls", + "parts": [ + { + "id": "control-0520-stmt", + "name": "statement", + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + } + ] + }, + { + "id": "control-1182", + "title": "Network access controls", + "parts": [ + { + "id": "control-1182-stmt", + "name": "statement", + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + } + ] + }, + { + "id": "control-1301", + "title": "Network device register", + "parts": [ + { + "id": "control-1301-stmt", + "name": "statement", + "prose": "A network device register is maintained and regularly audited." 
+ } + ] + }, + { + "id": "control-1304", + "title": "Default accounts for network devices", + "parts": [ + { + "id": "control-1304-stmt", + "name": "statement", + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + } + ] + }, + { + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", + "parts": [ + { + "id": "control-0534-stmt", + "name": "statement", + "prose": "Unused physical ports on network devices are disabled." + } + ] + }, + { + "id": "control-0385", + "title": "Functional separation between servers", + "parts": [ + { + "id": "control-0385-stmt", + "name": "statement", + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + } + ] + }, + { + "id": "control-1479", + "title": "Functional separation between servers", + "parts": [ + { + "id": "control-1479-stmt", + "name": "statement", + "prose": "Servers minimise communications with other servers at both the network and file system level." + } + ] + }, + { + "id": "control-1006", + "title": "Management traffic", + "parts": [ + { + "id": "control-1006-stmt", + "name": "statement", + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + } + ] + }, + { + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", + "parts": [ + { + "id": "control-1311-stmt", + "name": "statement", + "prose": "SNMP version 1 and 2 are not used on networks." + } + ] + }, + { + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", + "parts": [ + { + "id": "control-1312-stmt", + "name": "statement", + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." 
+ } + ] + }, + { + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", + "parts": [ + { + "id": "control-1028-stmt", + "name": "statement", + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." + } + ] + }, + { + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", + "parts": [ + { + "id": "control-1030-stmt", + "name": "statement", + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any data flows that contravene any rule in firewall rule sets." + } + ] + }, + { + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", + "parts": [ + { + "id": "control-1185-stmt", + "name": "statement", + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + } + ] + }, + { + "id": "control-1627", + "title": "Blocking anonymity network traffic", + "parts": [ + { + "id": "control-1627-stmt", + "name": "statement", + "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." + } + ] + }, + { + "id": "control-1628", + "title": "Blocking anonymity network traffic", + "parts": [ + { + "id": "control-1628-stmt", + "name": "statement", + "prose": "Outbound network connections to anonymity networks are blocked." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", + "groups": [ + { + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", + "controls": [ + { + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", + "parts": [ + { + "id": "control-0588-stmt", + "name": "statement", + "prose": "A fax machine and MFD usage policy is developed and implemented." + } + ] + }, + { + "id": "control-1092", + "title": "Sending fax messages", + "parts": [ + { + "id": "control-1092-stmt", + "name": "statement", + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + } + ] + }, + { + "id": "control-0241", + "title": "Sending fax messages", + "parts": [ + { + "id": "control-0241-stmt", + "name": "statement", + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure." + } + ] + }, + { + "id": "control-1075", + "title": "Receiving fax messages", + "parts": [ + { + "id": "control-1075-stmt", + "name": "statement", + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is sent and for the receiver to notify the sender if the fax message does not arrive in an agreed amount of time." + } + ] + }, + { + "id": "control-0590", + "title": "Connecting multifunction devices to networks", + "parts": [ + { + "id": "control-0590-stmt", + "name": "statement", + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." 
+ } + ] + }, + { + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", + "parts": [ + { + "id": "control-0245-stmt", + "name": "statement", + "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." + } + ] + }, + { + "id": "control-0589", + "title": "Copying documents on multifunction devices", + "parts": [ + { + "id": "control-0589-stmt", + "name": "statement", + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + } + ] + }, + { + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", + "parts": [ + { + "id": "control-1036-stmt", + "name": "statement", + "prose": "Fax machines and MFDs are located in areas where their use can be observed." + } + ] + } + ] + }, + { + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", + "controls": [ + { + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "parts": [ + { + "id": "control-1562-stmt", + "name": "statement", + "prose": "Video conferencing and IP telephony infrastructure is hardened." + } + ] + }, + { + "id": "control-0546", + "title": "Video-aware and voice-aware firewalls", + "parts": [ + { + "id": "control-0546-stmt", + "name": "statement", + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video-aware and/or voice-aware firewall is used." 
+ } + ] + }, + { + "id": "control-0548", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "parts": [ + { + "id": "control-0548-stmt", + "name": "statement", + "prose": "Video conferencing and IP telephony calls are established using a secure session initiation protocol." + } + ] + }, + { + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "parts": [ + { + "id": "control-0547-stmt", + "name": "statement", + "prose": "Video conferencing and IP telephony calls are conducted using a secure real-time transport protocol." + } + ] + }, + { + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", + "parts": [ + { + "id": "control-0554-stmt", + "name": "statement", + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + } + ] + }, + { + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", + "parts": [ + { + "id": "control-0553-stmt", + "name": "statement", + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." + } + ] + }, + { + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", + "parts": [ + { + "id": "control-0555-stmt", + "name": "statement", + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." 
+ } + ] + }, + { + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", + "parts": [ + { + "id": "control-0551-stmt", + "name": "statement", + "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + } + ] + }, + { + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", + "parts": [ + { + "id": "control-1014-stmt", + "name": "statement", + "prose": "Individual logins are implemented for IP phones used for SECRET or TOP SECRET conversations." + } + ] + }, + { + "id": "control-0549", + "title": "Traffic separation", + "parts": [ + { + "id": "control-0549-stmt", + "name": "statement", + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + } + ] + }, + { + "id": "control-0556", + "title": "Traffic separation", + "parts": [ + { + "id": "control-0556-stmt", + "name": "statement", + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses Virtual Local Area Networks or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + } + ] + }, + { + "id": "control-0558", + "title": "Internet Protocol phones in public areas", + "parts": [ + { + "id": "control-0558-stmt", + "name": "statement", + "prose": "IP phones used in public areas do not have the ability to access data networks, voicemail and directory services." 
+ } + ] + }, + { + "id": "control-0559", + "title": "Microphones and webcams", + "parts": [ + { + "id": "control-0559-stmt", + "name": "statement", + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + } + ] + }, + { + "id": "control-1450", + "title": "Microphones and webcams", + "parts": [ + { + "id": "control-1450-stmt", + "name": "statement", + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + } + ] + }, + { + "id": "control-1019", + "title": "Developing a denial of service response plan", + "parts": [ + { + "id": "control-1019-stmt", + "name": "statement", + "prose": "A denial of service response plan is developed and implemented for video conferencing and IP telephony services that includes:\n• how to identify signs of a denial-of-service attack\n• how to identify the source of a denial-of-service attack\n• how capabilities can be maintained during a denial-of-service attack\n• what actions can be taken to respond to a denial-of-service attack." + } + ] + } + ] + }, + { + "id": "telephone_systems", + "title": "Telephone systems", + "controls": [ + { + "id": "control-1078", + "title": "Telephone system usage policy", + "parts": [ + { + "id": "control-1078-stmt", + "name": "statement", + "prose": "A telephone system usage policy is developed and implemented." + } + ] + }, + { + "id": "control-0229", + "title": "Personnel awareness", + "parts": [ + { + "id": "control-0229-stmt", + "name": "statement", + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." 
+ } + ] + }, + { + "id": "control-0230", + "title": "Personnel awareness", + "parts": [ + { + "id": "control-0230-stmt", + "name": "statement", + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + } + ] + }, + { + "id": "control-0231", + "title": "Personnel awareness", + "parts": [ + { + "id": "control-0231-stmt", + "name": "statement", + "prose": "When using cryptographic equipment to permit different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + } + ] + }, + { + "id": "control-0232", + "title": "Protecting conversations", + "parts": [ + { + "id": "control-0232-stmt", + "name": "statement", + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + } + ] + }, + { + "id": "control-0233", + "title": "Cordless telephone systems", + "parts": [ + { + "id": "control-0233-stmt", + "name": "statement", + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + } + ] + }, + { + "id": "control-0235", + "title": "Speakerphones", + "parts": [ + { + "id": "control-0235-stmt", + "name": "statement", + "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in an audio secure room, the room is audio secure during conversations and only personnel involved in conversations are present in the room." + } + ] + }, + { + "id": "control-0236", + "title": "Off-hook audio protection", + "parts": [ + { + "id": "control-0236-stmt", + "name": "statement", + "prose": "Off-hook audio protection features are used on telephone systems in areas where background conversations may exceed the sensitivity or classification that the telephone system is authorised for communicating." 
+ } + ] + }, + { + "id": "control-0931", + "title": "Off-hook audio protection", + "parts": [ + { + "id": "control-0931-stmt", + "name": "statement", + "prose": "In SECRET and TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used to meet any off-hook audio protection requirements." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", + "groups": [ + { + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", + "controls": [ + { + "id": "control-0580", + "title": "Event logging policy", + "parts": [ + { + "id": "control-0580-stmt", + "name": "statement", + "prose": "An event logging policy is developed and implemented." + } + ] + }, + { + "id": "control-1405", + "title": "Centralised logging facility", + "parts": [ + { + "id": "control-1405-stmt", + "name": "statement", + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + } + ] + }, + { + "id": "control-0988", + "title": "Centralised logging facility", + "parts": [ + { + "id": "control-0988-stmt", + "name": "statement", + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." + } + ] + }, + { + "id": "control-0584", + "title": "Events to be logged", + "parts": [ + { + "id": "control-0584-stmt", + "name": "statement", + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." 
+ } + ] + }, + { + "id": "control-0582", + "title": "Events to be logged", + "parts": [ + { + "id": "control-0582-stmt", + "name": "statement", + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." + } + ] + }, + { + "id": "control-1536", + "title": "Events to be logged", + "parts": [ + { + "id": "control-1536-stmt", + "name": "statement", + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." + } + ] + }, + { + "id": "control-1537", + "title": "Events to be logged", + "parts": [ + { + "id": "control-1537-stmt", + "name": "statement", + "prose": "The following events are logged for databases:\n• access to particularly important data\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." 
+ } + ] + }, + { + "id": "control-0585", + "title": "Event log details", + "parts": [ + { + "id": "control-0585-stmt", + "name": "statement", + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + } + ] + }, + { + "id": "control-0586", + "title": "Event log protection", + "parts": [ + { + "id": "control-0586-stmt", + "name": "statement", + "prose": "Event logs are protected from unauthorised access, modification and deletion." + } + ] + }, + { + "id": "control-0859", + "title": "Event log retention", + "parts": [ + { + "id": "control-0859-stmt", + "name": "statement", + "prose": "Event logs are retained for a minimum of 7 years in accordance with the NAA’s Administrative Functions Disposal Authority Express Version 2 publication." + } + ] + }, + { + "id": "control-0991", + "title": "Event log retention", + "parts": [ + { + "id": "control-0991-stmt", + "name": "statement", + "prose": "Domain Name System and proxy logs are retained for at least 18 months." + } + ] + }, + { + "id": "control-0109", + "title": "Event log auditing processes and procedures", + "parts": [ + { + "id": "control-0109-stmt", + "name": "statement", + "prose": "Event log auditing processes, and supporting event log auditing procedures, are developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + } + ] + }, + { + "id": "control-1228", + "title": "Event log auditing processes and procedures", + "parts": [ + { + "id": "control-1228-stmt", + "name": "statement", + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ + { + "id": "virtualisation_hardening", + "title": "Virtualisation hardening", + "controls": [ + { + "id": "control-1460", + "title": "Functional separation between computing environments", + "parts": [ + { + "id": "control-1460-stmt", + "name": "statement", + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." + } + ] + }, + { + "id": "control-1604", + "title": "Functional separation between computing environments", + "parts": [ + { + "id": "control-1604-stmt", + "name": "statement", + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." + } + ] + }, + { + "id": "control-1605", + "title": "Functional separation between computing environments", + "parts": [ + { + "id": "control-1605-stmt", + "name": "statement", + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." + } + ] + }, + { + "id": "control-1606", + "title": "Functional separation between computing environments", + "parts": [ + { + "id": "control-1606-stmt", + "name": "statement", + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." 
+ } + ] + }, + { + "id": "control-1607", + "title": "Functional separation between computing environments", + "parts": [ + { + "id": "control-1607-stmt", + "name": "statement", + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." + } + ] + }, + { + "id": "control-1461", + "title": "Functional separation between computing environments", + "parts": [ + { + "id": "control-1461-stmt", + "name": "statement", + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware for SECRET or TOP SECRET workloads, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain." + } + ] + } + ] + }, + { + "id": "application_hardening", + "title": "Application hardening", + "controls": [ + { + "id": "control-0938", + "title": "Application selection", + "parts": [ + { + "id": "control-0938-stmt", + "name": "statement", + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + } + ] + }, + { + "id": "control-1467", + "title": "Application versions", + "parts": [ + { + "id": "control-1467-stmt", + "name": "statement", + "prose": "The latest releases of office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are used when present within SOEs." + } + ] + }, + { + "id": "control-1483", + "title": "Application versions", + "parts": [ + { + "id": "control-1483-stmt", + "name": "statement", + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." 
+ } + ] + }, + { + "id": "control-1486", + "title": "Hardening application configurations", + "parts": [ + { + "id": "control-1486-stmt", + "name": "statement", + "prose": "Web browsers do not process Java from the internet." + } + ] + }, + { + "id": "control-1485", + "title": "Hardening application configurations", + "parts": [ + { + "id": "control-1485-stmt", + "name": "statement", + "prose": "Web browsers do not process web advertisements from the internet." + } + ] + }, + { + "id": "control-1666", + "title": "Hardening application configurations", + "parts": [ + { + "id": "control-1666-stmt", + "name": "statement", + "prose": "Internet Explorer 11 does not process content from the internet." + } + ] + }, + { + "id": "control-1667", + "title": "Hardening application configurations", + "parts": [ + { + "id": "control-1667-stmt", + "name": "statement", + "prose": "Microsoft Office is blocked from creating child processes." + } + ] + }, + { + "id": "control-1668", + "title": "Hardening application configurations", + "parts": [ + { + "id": "control-1668-stmt", + "name": "statement", + "prose": "Microsoft Office is blocked from creating executable content." + } + ] + }, + { + "id": "control-1669", + "title": "Hardening application configurations", + "parts": [ + { + "id": "control-1669-stmt", + "name": "statement", + "prose": "Microsoft Office is blocked from injecting code into other processes." + } + ] + }, + { + "id": "control-1542", + "title": "Hardening application configurations", + "parts": [ + { + "id": "control-1542-stmt", + "name": "statement", + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + } + ] + }, + { + "id": "control-1670", + "title": "Hardening application configurations", + "parts": [ + { + "id": "control-1670-stmt", + "name": "statement", + "prose": "PDF software is blocked from creating child processes." 
+ } + ] + }, + { + "id": "control-1412", + "title": "Hardening application configurations", + "parts": [ + { + "id": "control-1412-stmt", + "name": "statement", + "prose": "ACSC or vendor hardening guidance for web browsers, Microsoft Office and PDF software is implemented." + } + ] + }, + { + "id": "control-1470", + "title": "Hardening application configurations", + "parts": [ + { + "id": "control-1470-stmt", + "name": "statement", + "prose": "Any unrequired functionality in web browsers, Microsoft Office and PDF software is disabled." + } + ] + }, + { + "id": "control-1235", + "title": "Hardening application configurations", + "parts": [ + { + "id": "control-1235-stmt", + "name": "statement", + "prose": "The use of web browser, Microsoft Office and PDF software add-ons is restricted to organisation approved add-ons." + } + ] + }, + { + "id": "control-1601", + "title": "Hardening application configurations", + "parts": [ + { + "id": "control-1601-stmt", + "name": "statement", + "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." + } + ] + }, + { + "id": "control-1585", + "title": "Hardening application configurations", + "parts": [ + { + "id": "control-1585-stmt", + "name": "statement", + "prose": "Web browsers, Microsoft Office and PDF software security settings cannot be changed by users." + } + ] + }, + { + "id": "control-1671", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1671-stmt", + "name": "statement", + "prose": "Microsoft Office macros are disabled for users that do not have a demonstrated business requirement." + } + ] + }, + { + "id": "control-1488", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1488-stmt", + "name": "statement", + "prose": "Microsoft Office macros in files originating from the internet are blocked." 
+ } + ] + }, + { + "id": "control-1672", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1672-stmt", + "name": "statement", + "prose": "Microsoft Office macro antivirus scanning is enabled." + } + ] + }, + { + "id": "control-1673", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1673-stmt", + "name": "statement", + "prose": "Microsoft Office macros are blocked from making Win32 API calls." + } + ] + }, + { + "id": "control-1674", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1674-stmt", + "name": "statement", + "prose": "Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute." + } + ] + }, + { + "id": "control-1487", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1487-stmt", + "name": "statement", + "prose": "Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations." + } + ] + }, + { + "id": "control-1675", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1675-stmt", + "name": "statement", + "prose": "Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View." + } + ] + }, + { + "id": "control-1676", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1676-stmt", + "name": "statement", + "prose": "Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis." + } + ] + }, + { + "id": "control-1489", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1489-stmt", + "name": "statement", + "prose": "Microsoft Office macro security settings cannot be changed by users." 
+ } + ] + }, + { + "id": "control-1677", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1677-stmt", + "name": "statement", + "prose": "Allowed and blocked Microsoft Office macro executions are logged." + } + ] + }, + { + "id": "control-1678", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1678-stmt", + "name": "statement", + "prose": "Microsoft Office macro event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." + } + ] + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ + { + "id": "control-1406", + "title": "Standard Operating Environments", + "parts": [ + { + "id": "control-1406-stmt", + "name": "statement", + "prose": "SOEs are used for workstations and servers." + } + ] + }, + { + "id": "control-1608", + "title": "Standard Operating Environments", + "parts": [ + { + "id": "control-1608-stmt", + "name": "statement", + "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." + } + ] + }, + { + "id": "control-1588", + "title": "Standard Operating Environments", + "parts": [ + { + "id": "control-1588-stmt", + "name": "statement", + "prose": "SOEs are reviewed and updated at least annually." + } + ] + }, + { + "id": "control-1407", + "title": "Operating system releases and versions", + "parts": [ + { + "id": "control-1407-stmt", + "name": "statement", + "prose": "The latest release, or the previous release, of operating systems are used for workstations, servers and network devices." + } + ] + }, + { + "id": "control-1408", + "title": "Operating system releases and versions", + "parts": [ + { + "id": "control-1408-stmt", + "name": "statement", + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." 
+ } + ] + }, + { + "id": "control-1409", + "title": "Operating system configuration", + "parts": [ + { + "id": "control-1409-stmt", + "name": "statement", + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + } + ] + }, + { + "id": "control-0383", + "title": "Operating system configuration", + "parts": [ + { + "id": "control-0383-stmt", + "name": "statement", + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + } + ] + }, + { + "id": "control-0380", + "title": "Operating system configuration", + "parts": [ + { + "id": "control-0380-stmt", + "name": "statement", + "prose": "Unneeded operating system accounts, software, components, services and functionality are disabled or removed." + } + ] + }, + { + "id": "control-0341", + "title": "Operating system configuration", + "parts": [ + { + "id": "control-0341-stmt", + "name": "statement", + "prose": "Automatic execution features for removable media are disabled." + } + ] + }, + { + "id": "control-1654", + "title": "Operating system configuration", + "parts": [ + { + "id": "control-1654-stmt", + "name": "statement", + "prose": "Internet Explorer 11 is disabled or removed." + } + ] + }, + { + "id": "control-1655", + "title": "Operating system configuration", + "parts": [ + { + "id": "control-1655-stmt", + "name": "statement", + "prose": ".NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed." + } + ] + }, + { + "id": "control-1584", + "title": "Operating system configuration", + "parts": [ + { + "id": "control-1584-stmt", + "name": "statement", + "prose": "Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems." 
+ } + ] + }, + { + "id": "control-1491", + "title": "Operating system configuration", + "parts": [ + { + "id": "control-1491-stmt", + "name": "statement", + "prose": "Unprivileged users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe)\n• Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe)." + } + ] + }, + { + "id": "control-1410", + "title": "Local administrator accounts", + "parts": [ + { + "id": "control-1410-stmt", + "name": "statement", + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + } + ] + }, + { + "id": "control-1469", + "title": "Local administrator accounts", + "parts": [ + { + "id": "control-1469-stmt", + "name": "statement", + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + } + ] + }, + { + "id": "control-1592", + "title": "Application management", + "parts": [ + { + "id": "control-1592-stmt", + "name": "statement", + "prose": "Users do not have the ability to install unapproved software." + } + ] + }, + { + "id": "control-0382", + "title": "Application management", + "parts": [ + { + "id": "control-0382-stmt", + "name": "statement", + "prose": "Users do not have the ability to uninstall or disable approved software." + } + ] + }, + { + "id": "control-0843", + "title": "Application control", + "parts": [ + { + "id": "control-0843-stmt", + "name": "statement", + "prose": "Application control is implemented on workstations." 
+ } + ] + }, + { + "id": "control-1490", + "title": "Application control", + "parts": [ + { + "id": "control-1490-stmt", + "name": "statement", + "prose": "Application control is implemented on internet-facing servers." + } + ] + }, + { + "id": "control-1656", + "title": "Application control", + "parts": [ + { + "id": "control-1656-stmt", + "name": "statement", + "prose": "Application control is implemented on non-internet-facing servers." + } + ] + }, + { + "id": "control-1657", + "title": "Application control", + "parts": [ + { + "id": "control-1657-stmt", + "name": "statement", + "prose": "Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set." + } + ] + }, + { + "id": "control-1658", + "title": "Application control", + "parts": [ + { + "id": "control-1658-stmt", + "name": "statement", + "prose": "Application control restricts the execution of drivers to an organisation-approved set." + } + ] + }, + { + "id": "control-0955", + "title": "Application control", + "parts": [ + { + "id": "control-0955-stmt", + "name": "statement", + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + } + ] + }, + { + "id": "control-1582", + "title": "Application control", + "parts": [ + { + "id": "control-1582-stmt", + "name": "statement", + "prose": "Application control rulesets are validated on an annual or more frequent basis." + } + ] + }, + { + "id": "control-1471", + "title": "Application control", + "parts": [ + { + "id": "control-1471-stmt", + "name": "statement", + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." 
+ } + ] + }, + { + "id": "control-1392", + "title": "Application control", + "parts": [ + { + "id": "control-1392-stmt", + "name": "statement", + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + } + ] + }, + { + "id": "control-1544", + "title": "Application control", + "parts": [ + { + "id": "control-1544-stmt", + "name": "statement", + "prose": "Microsoft’s ‘recommended block rules’ are implemented." + } + ] + }, + { + "id": "control-1659", + "title": "Application control", + "parts": [ + { + "id": "control-1659-stmt", + "name": "statement", + "prose": "Microsoft’s ‘recommended driver block rules’ are implemented." + } + ] + }, + { + "id": "control-0846", + "title": "Application control", + "parts": [ + { + "id": "control-0846-stmt", + "name": "statement", + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." + } + ] + }, + { + "id": "control-1660", + "title": "Application control", + "parts": [ + { + "id": "control-1660-stmt", + "name": "statement", + "prose": "Allowed and blocked executions on workstations are logged." + } + ] + }, + { + "id": "control-1661", + "title": "Application control", + "parts": [ + { + "id": "control-1661-stmt", + "name": "statement", + "prose": "Allowed and blocked executions on internet-facing servers are logged." + } + ] + }, + { + "id": "control-1662", + "title": "Application control", + "parts": [ + { + "id": "control-1662-stmt", + "name": "statement", + "prose": "Allowed and blocked executions on non-internet facing servers are logged." 
+ } + ] + }, + { + "id": "control-0957", + "title": "Application control", + "parts": [ + { + "id": "control-0957-stmt", + "name": "statement", + "prose": "Application control event logs including the name of the file, the date/time stamp and the username of the user associated with the event." + } + ] + }, + { + "id": "control-1663", + "title": "Application control", + "parts": [ + { + "id": "control-1663-stmt", + "name": "statement", + "prose": "Application control event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." + } + ] + }, + { + "id": "control-1492", + "title": "Exploit protection", + "parts": [ + { + "id": "control-1492-stmt", + "name": "statement", + "prose": "Microsoft’s exploit protection functionality is implemented on workstations and servers." + } + ] + }, + { + "id": "control-1621", + "title": "PowerShell", + "parts": [ + { + "id": "control-1621-stmt", + "name": "statement", + "prose": "Windows PowerShell 2.0 is disabled or removed." + } + ] + }, + { + "id": "control-1622", + "title": "PowerShell", + "parts": [ + { + "id": "control-1622-stmt", + "name": "statement", + "prose": "PowerShell is configured to use Constrained Language Mode." + } + ] + }, + { + "id": "control-1623", + "title": "PowerShell", + "parts": [ + { + "id": "control-1623-stmt", + "name": "statement", + "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." + } + ] + }, + { + "id": "control-1624", + "title": "PowerShell", + "parts": [ + { + "id": "control-1624-stmt", + "name": "statement", + "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." + } + ] + }, + { + "id": "control-1664", + "title": "PowerShell", + "parts": [ + { + "id": "control-1664-stmt", + "name": "statement", + "prose": "Blocked PowerShell script executions are logged." 
+ } + ] + }, + { + "id": "control-1665", + "title": "PowerShell", + "parts": [ + { + "id": "control-1665-stmt", + "name": "statement", + "prose": "PowerShell event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." + } + ] + }, + { + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", + "parts": [ + { + "id": "control-1341-stmt", + "name": "statement", + "prose": "A HIPS is implemented on workstations." + } + ] + }, + { + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", + "parts": [ + { + "id": "control-1034-stmt", + "name": "statement", + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System servers, web servers, file servers and email servers." + } + ] + }, + { + "id": "control-1416", + "title": "Software firewall", + "parts": [ + { + "id": "control-1416-stmt", + "name": "statement", + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + } + ] + }, + { + "id": "control-1417", + "title": "Antivirus software", + "parts": [ + { + "id": "control-1417-stmt", + "name": "statement", + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• ransomware protection measures enabled\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." + } + ] + }, + { + "id": "control-1390", + "title": "Antivirus software", + "parts": [ + { + "id": "control-1390-stmt", + "name": "statement", + "prose": "Antivirus software has reputation rating functionality enabled." 
+ } + ] + }, + { + "id": "control-1418", + "title": "Device access control software", + "parts": [ + { + "id": "control-1418-stmt", + "name": "statement", + "prose": "Unauthorised removable media and devices are prevented from being connected to workstations and servers via the use of device access control software or by disabling external communication interfaces in operating systems." + } + ] + }, + { + "id": "control-0345", + "title": "Device access control software", + "parts": [ + { + "id": "control-0345-stmt", + "name": "statement", + "prose": "External communication interfaces that allow DMA are disabled." + } + ] + }, + { + "id": "control-0343", + "title": "Device access control software", + "parts": [ + { + "id": "control-0343-stmt", + "name": "statement", + "prose": "Removable media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + } + ] + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ + { + "id": "control-1546", + "title": "Authenticating to systems", + "parts": [ + { + "id": "control-1546-stmt", + "name": "statement", + "prose": "Users are authenticated before they are granted access to a system and its resources." + } + ] + }, + { + "id": "control-0974", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-0974-stmt", + "name": "statement", + "prose": "Multi-factor authentication is used to authenticate unprivileged users of systems." + } + ] + }, + { + "id": "control-1173", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1173-stmt", + "name": "statement", + "prose": "Multi-factor authentication is used to authenticate privileged users of systems." 
+ } + ] + }, + { + "id": "control-1504", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1504-stmt", + "name": "statement", + "prose": "Multi-factor authentication is used by an organisation’s users if they authenticate to their organisation’s internet-facing services." + } + ] + }, + { + "id": "control-1679", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1679-stmt", + "name": "statement", + "prose": "Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data." + } + ] + }, + { + "id": "control-1680", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1680-stmt", + "name": "statement", + "prose": "Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data." + } + ] + }, + { + "id": "control-1681", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1681-stmt", + "name": "statement", + "prose": "Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services." + } + ] + }, + { + "id": "control-1505", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1505-stmt", + "name": "statement", + "prose": "Multi-factor authentication is used to authenticate users accessing important data repositories." + } + ] + }, + { + "id": "control-1401", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1401-stmt", + "name": "statement", + "prose": "Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are." 
+ } + ] + }, + { + "id": "control-1682", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1682-stmt", + "name": "statement", + "prose": "Multi-factor authentication is verifier impersonation resistant." + } + ] + }, + { + "id": "control-1559", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1559-stmt", + "name": "statement", + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters, unless more stringent requirements apply." + } + ] + }, + { + "id": "control-1560", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1560-stmt", + "name": "statement", + "prose": "Passwords used for multi-factor authentication on SECRET systems are a minimum of 8 characters." + } + ] + }, + { + "id": "control-1561", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1561-stmt", + "name": "statement", + "prose": "Passwords used for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters." + } + ] + }, + { + "id": "control-1357", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1357-stmt", + "name": "statement", + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." + } + ] + }, + { + "id": "control-1683", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1683-stmt", + "name": "statement", + "prose": "Successful and unsuccessful multi-factor authentications are logged." + } + ] + }, + { + "id": "control-1684", + "title": "Multi-factor authentication", + "parts": [ + { + "id": "control-1684-stmt", + "name": "statement", + "prose": "Multi-factor authentication event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." 
+ } + ] + }, + { + "id": "control-0417", + "title": "Single-factor authentication", + "parts": [ + { + "id": "control-0417-stmt", + "name": "statement", + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + } + ] + }, + { + "id": "control-0421", + "title": "Single-factor authentication", + "parts": [ + { + "id": "control-0421-stmt", + "name": "statement", + "prose": "Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters, unless more stringent requirements apply." + } + ] + }, + { + "id": "control-1557", + "title": "Single-factor authentication", + "parts": [ + { + "id": "control-1557-stmt", + "name": "statement", + "prose": "Passphrases used for single-factor authentication on SECRET systems are at least 5 random words with a total minimum length of 17 characters." + } + ] + }, + { + "id": "control-0422", + "title": "Single-factor authentication", + "parts": [ + { + "id": "control-0422-stmt", + "name": "statement", + "prose": "Passphrases used for single-factor authentication on TOP SECRET systems are at least 6 random words with a total minimum length of 20 characters." + } + ] + }, + { + "id": "control-1558", + "title": "Single-factor authentication", + "parts": [ + { + "id": "control-1558-stmt", + "name": "statement", + "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + } + ] + }, + { + "id": "control-1596", + "title": "Single-factor authentication", + "parts": [ + { + "id": "control-1596-stmt", + "name": "statement", + "prose": "Passphrases used for single-factor authentication cannot be used to authenticate to multiple different systems." 
+ } + ] + }, + { + "id": "control-1227", + "title": "Setting and resetting credentials for user accounts", + "parts": [ + { + "id": "control-1227-stmt", + "name": "statement", + "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." + } + ] + }, + { + "id": "control-1593", + "title": "Setting and resetting credentials for user accounts", + "parts": [ + { + "id": "control-1593-stmt", + "name": "statement", + "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." + } + ] + }, + { + "id": "control-1594", + "title": "Setting and resetting credentials for user accounts", + "parts": [ + { + "id": "control-1594-stmt", + "name": "statement", + "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." + } + ] + }, + { + "id": "control-1595", + "title": "Setting and resetting credentials for user accounts", + "parts": [ + { + "id": "control-1595-stmt", + "name": "statement", + "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." + } + ] + }, + { + "id": "control-1619", + "title": "Setting and resetting credentials for service accounts", + "parts": [ + { + "id": "control-1619-stmt", + "name": "statement", + "prose": "Service accounts are created as group Managed Service Accounts." + } + ] + }, + { + "id": "control-1403", + "title": "Account lockouts", + "parts": [ + { + "id": "control-1403-stmt", + "name": "statement", + "prose": "Accounts are locked out after a maximum of five failed logon attempts." + } + ] + }, + { + "id": "control-0431", + "title": "Account lockouts", + "parts": [ + { + "id": "control-0431-stmt", + "name": "statement", + "prose": "Repeated account lockouts are investigated before reauthorising access." 
+ } + ] + }, + { + "id": "control-0976", + "title": "Account unlocks", + "parts": [ + { + "id": "control-0976-stmt", + "name": "statement", + "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." + } + ] + }, + { + "id": "control-1603", + "title": "Insecure authentication methods", + "parts": [ + { + "id": "control-1603-stmt", + "name": "statement", + "prose": "Authentication methods susceptible to replay attacks are disabled." + } + ] + }, + { + "id": "control-1055", + "title": "Insecure authentication methods", + "parts": [ + { + "id": "control-1055-stmt", + "name": "statement", + "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." + } + ] + }, + { + "id": "control-1620", + "title": "Insecure authentication methods", + "parts": [ + { + "id": "control-1620-stmt", + "name": "statement", + "prose": "Privileged accounts are members of the Protected Users security group." + } + ] + }, + { + "id": "control-1685", + "title": "Protecting credentials", + "parts": [ + { + "id": "control-1685-stmt", + "name": "statement", + "prose": "Credentials for local administrator accounts and service accounts are unique, unpredictable and managed." + } + ] + }, + { + "id": "control-0418", + "title": "Protecting credentials", + "parts": [ + { + "id": "control-0418-stmt", + "name": "statement", + "prose": "Credentials are stored separately from systems to which they grant access." + } + ] + }, + { + "id": "control-1597", + "title": "Protecting credentials", + "parts": [ + { + "id": "control-1597-stmt", + "name": "statement", + "prose": "Credentials are obscured as they are entered into systems." + } + ] + }, + { + "id": "control-1402", + "title": "Protecting credentials", + "parts": [ + { + "id": "control-1402-stmt", + "name": "statement", + "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." 
+ } + ] + }, + { + "id": "control-1686", + "title": "Protecting credentials", + "parts": [ + { + "id": "control-1686-stmt", + "name": "statement", + "prose": "Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled." + } + ] + }, + { + "id": "control-1590", + "title": "Protecting credentials", + "parts": [ + { + "id": "control-1590-stmt", + "name": "statement", + "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." + } + ] + }, + { + "id": "control-0853", + "title": "Session termination", + "parts": [ + { + "id": "control-0853-stmt", + "name": "statement", + "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." + } + ] + }, + { + "id": "control-0428", + "title": "Session and screen locking", + "parts": [ + { + "id": "control-0428-stmt", + "name": "statement", + "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity, or if manually activated by the user\n• conceals all session content on the screen\n• ensures that the screen does not enter a power saving state before the session or screen lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + } + ] + }, + { + "id": "control-0408", + "title": "Logon banner", + "parts": [ + { + "id": "control-0408-stmt", + "name": "statement", + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." 
+ } + ] + }, + { + "id": "control-0979", + "title": "Logon banner", + "parts": [ + { + "id": "control-0979-stmt", + "name": "statement", + "prose": "Legal advice is sought on the exact wording of logon banners." + } + ] + } + ] + } + ] + } + ] + } +} \ No newline at end of file diff --git a/ISM_catalog_profile/catalogs/ISM_February_2021/catalog.json b/ISM_catalog_profile/catalogs/ISM_February_2021/catalog.json index 55c7d9e..ed6187f 100644 --- a/ISM_catalog_profile/catalogs/ISM_February_2021/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_February_2021/catalog.json 
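Review bot: the new catalog.json ends without a trailing newline (the hunk closes with "\ No newline at end of file"); since these catalogs are script-generated, the generator should append a final newline so that each regeneration does not show a spurious change on the last line and end-of-file checks pass. Two text issues in the generated statements are also worth checking against the official ISM before merging, rather than hand-editing the JSON that the next regeneration would overwrite: control-0957's prose is a sentence fragment ("Application control event logs including the name of the file, the date/time stamp and the username ..."), and control-1679's prose mixes a curly apostrophe ("organisation’s users") with a straight one ("organisation's sensitive data") inside the same string, which looks like a scraping artifact rather than source text.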
@@ -1,3352 +1,3238 @@ { "catalog": { - "uuid": "6b317914-4c53-4bc4-b460-d5d1c01d6468", + "uuid": "6e545be6-354f-4296-b2c3-e5659c83510e", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:20:28.640+00:00", + "last-modified": "2022-04-28T11:43:53.270464+10:00", "version": "February_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration process and procedures", + "id": "control-0580", + "title": "Event logging policy", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "Separate administrator workstations", + "id": "control-1405", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1382", - "title": "Separate administrator workstations", + "id": "control-0988", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1381", - "title": "Separate administrator workstations", + "id": "control-0584", + "title": "Events to be logged", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1383", - "title": "Separate administrator workstations", + "id": "control-0582", + "title": "Events to be logged", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." 
} ] }, { - "id": "control-1385", - "title": "Dedicated administration zones and communication restrictions", + "id": "control-1536", + "title": "Events to be logged", "parts": [ { - "id": "control-1385-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." } ] }, { - "id": "control-1386", - "title": "Restriction of management traffic flows", + "id": "control-1537", + "title": "Events to be logged", "parts": [ { - "id": "control-1386-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." } ] }, { - "id": "control-1387", - "title": "Jump servers", + "id": "control-0585", + "title": "Events log details", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-1388", - "title": "Jump servers", + "id": "control-0586", + "title": "Event log protection", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management process and procedures", + "id": "control-0859", + "title": "Event log retention", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "Patch management process and procedures", + "id": "control-0991", + "title": "Event log retention", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] }, { - "id": "control-1493", - "title": "Patch management process and procedures", + "id": "control-0109", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1493-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1144", - "title": "When to patch security vulnerabilities", + "id": "control-1228", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1144-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_email", + "title": "Guidelines for Email", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ { - "id": "control-0940", - "title": "When to patch security vulnerabilities", + "id": "control-0569", + "title": "Centralised email gateways", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0569-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email is routed through a centralised email gateway." } ] }, { - "id": "control-1472", - "title": "When to patch security vulnerabilities", + "id": "control-0571", + "title": "Centralised email gateways", "parts": [ { - "id": "control-1472-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." } ] }, { - "id": "control-1494", - "title": "When to patch security vulnerabilities", + "id": "control-0570", + "title": "Email gateway maintenance activities", "parts": [ { - "id": "control-1494-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
+ "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." } ] }, { - "id": "control-1495", - "title": "When to patch security vulnerabilities", + "id": "control-0567", + "title": "Open relay email servers", "parts": [ { - "id": "control-1495-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-1496", - "title": "When to patch security vulnerabilities", + "id": "control-0572", + "title": "Email server transport encryption", "parts": [ { - "id": "control-1496-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." } ] }, { - "id": "control-0300", - "title": "When to patch security vulnerabilities", + "id": "control-1589", + "title": "Email server transport encryption", "parts": [ { - "id": "control-0300-stmt", + "id": "control-1589-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." 
} ] }, { - "id": "control-0298", - "title": "How to patch security vulnerabilities", + "id": "control-0574", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." } ] }, { - "id": "control-0303", - "title": "How to patch security vulnerabilities", + "id": "control-1183", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0303-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "A hard fail SPF record is used when specifying email servers." } ] }, { - "id": "control-1497", - "title": "How to patch security vulnerabilities", + "id": "control-1151", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1497-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "SPF is used to verify the authenticity of incoming emails." } ] }, { - "id": "control-1498", - "title": "How to patch security vulnerabilities", + "id": "control-1152", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1498-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
} ] }, { - "id": "control-1499", - "title": "How to patch security vulnerabilities", + "id": "control-0861", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-1500", - "title": "How to patch security vulnerabilities", + "id": "control-1026", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1500-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "DKIM signatures on received emails are verified." } ] }, { - "id": "control-0304", - "title": "Cessation of support", + "id": "control-1027", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0304-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." 
} ] }, { - "id": "control-1501", - "title": "Cessation of support", + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", "parts": [ { - "id": "control-1501-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ + }, { - "id": "control-1510", - "title": "Digital preservation policy", + "id": "control-1234", + "title": "Email content filtering", "parts": [ { - "id": "control-1510-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "Email content filtering controls are implemented for email bodies and attachments." } ] }, { - "id": "control-1547", - "title": "Data backup and restoration processes and procedures", + "id": "control-1502", + "title": "Blocking suspicious emails", "parts": [ { - "id": "control-1547-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." } ] }, { - "id": "control-1548", - "title": "Data backup and restoration processes and procedures", + "id": "control-1024", + "title": "Undeliverable messages", "parts": [ { - "id": "control-1548-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
+ "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." } ] - }, + } + ] + }, + { + "id": "email_usage", + "title": "Email usage", + "controls": [ { - "id": "control-1511", - "title": "Performing backups", + "id": "control-0264", + "title": "Email usage policy", "parts": [ { - "id": "control-1511-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." + "prose": "An email usage policy is developed and implemented." } ] }, { - "id": "control-1512", - "title": "Backup storage", + "id": "control-0267", + "title": "Webmail services", "parts": [ { - "id": "control-1512-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." + "prose": "Access to non-approved webmail services is blocked." } ] }, { - "id": "control-1513", - "title": "Backup storage", + "id": "control-0270", + "title": "Protective markings for emails", "parts": [ { - "id": "control-1513-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." } ] }, { - "id": "control-1514", - "title": "Retention periods for backups", + "id": "control-0271", + "title": "Protective marking tools", "parts": [ { - "id": "control-1514-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Protective marking tools do not automatically insert protective markings into emails." 
} ] }, { - "id": "control-1515", - "title": "Testing restoration of backups", + "id": "control-0272", + "title": "Protective marking tools", "parts": [ { - "id": "control-1515-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." } ] }, { - "id": "control-1516", - "title": "Testing restoration of backups", + "id": "control-1089", + "title": "Protective marking tools", "parts": [ { - "id": "control-1516-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_gateways", - "title": "Guidelines for Gateways", - "groups": [ - { - "id": "firewalls", - "title": "Firewalls", - "controls": [ + }, { - "id": "control-1528", - "title": "Using firewalls", + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-1528-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." 
} ] }, { - "id": "control-0639", - "title": "Using firewalls", + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0639-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-1194", - "title": "Using firewalls", + "id": "control-0269", + "title": "Email distribution lists", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ + { + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", + "controls": [ + { + "id": "control-0336", + "title": "ICT equipment and media register", + "parts": [ + { + "id": "control-0336-stmt", + "name": "statement", + "prose": "An ICT equipment and media register is maintained and regularly audited." 
} ] }, { - "id": "control-0641", - "title": "Firewalls for particularly important networks", + "id": "control-0159", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "All ICT equipment and media are accounted for on a regular basis." } ] }, { - "id": "control-0642", - "title": "Firewalls for particularly important networks", + "id": "control-0161", + "title": "Securing ICT equipment and media", "parts": [ { - "id": "control-0642-stmt", + "id": "control-0161-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." + "prose": "ICT equipment and media are secured when not in use." } ] } ] }, { - "id": "gateways", - "title": "Gateways", + "id": "facilities_and_systems", + "title": "Facilities and systems", "controls": [ { - "id": "control-0628", - "title": "Gateway architecture and configuration", + "id": "control-0810", + "title": "Facilities containing systems", "parts": [ { - "id": "control-0628-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." 
} ] }, { - "id": "control-1192", - "title": "Gateway architecture and configuration", + "id": "control-1053", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1192-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." } ] }, { - "id": "control-0631", - "title": "Gateway architecture and configuration", + "id": "control-1530", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0631-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." 
} ] }, { - "id": "control-1427", - "title": "Gateway architecture and configuration", + "id": "control-0813", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1427-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0634", - "title": "Gateway operation", + "id": "control-1074", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0634-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." } ] }, { - "id": "control-0637", - "title": "Demilitarised zones", + "id": "control-0157", + "title": "Network infrastructure", "parts": [ { - "id": "control-0637-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." 
} ] }, { - "id": "control-1037", - "title": "Gateway testing", + "id": "control-1296", + "title": "Controlling physical access to network devices", "parts": [ { - "id": "control-1037-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." } ] }, { - "id": "control-0611", - "title": "Gateway administration", + "id": "control-0164", + "title": "Preventing observation by unauthorised people", "parts": [ { - "id": "control-0611-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." } ] - }, + } + ] + }, + { + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", + "controls": [ { - "id": "control-0612", - "title": "Gateway administration", + "id": "control-1543", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0612-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." 
} ] }, { - "id": "control-1520", - "title": "Gateway administration", + "id": "control-0225", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-1520-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-0613", - "title": "Gateway administration", - "parts": [ - { - "id": "control-0613-stmt", - "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." - } - ] - }, - { - "id": "control-0616", - "title": "Gateway administration", - "parts": [ - { - "id": "control-0616-stmt", - "name": "statement", - "prose": "Roles for the administration of gateways are separated." - } - ] - }, - { - "id": "control-0629", - "title": "Gateway administration", + "id": "control-0829", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0629-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." } ] }, { - "id": "control-0607", - "title": "Shared ownership of gateways", + "id": "control-1058", + "title": "Bluetooth and wireless keyboards", "parts": [ { - "id": "control-0607-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." 
+ "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." } ] }, { - "id": "control-0619", - "title": "Gateway authentication", + "id": "control-0222", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0619-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-0620", - "title": "Gateway authentication", + "id": "control-0223", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0620-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." } ] }, { - "id": "control-1039", - "title": "Gateway authentication", + "id": "control-0224", + "title": "Infrared keyboards", "parts": [ { - "id": "control-1039-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." 
} ] }, { - "id": "control-0622", - "title": "ICT equipment authentication", + "id": "control-0221", + "title": "Wireless RF pointing devices", "parts": [ { - "id": "control-0622-stmt", + "id": "control-0221-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ { - "id": "diodes", - "title": "Diodes", + "id": "mobile_device_management", + "title": "Mobile device management", "controls": [ { - "id": "control-0643", - "title": "Using diodes", + "id": "control-1533", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0643-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." + "prose": "A mobile device management policy is developed and implemented." } ] }, { - "id": "control-0645", - "title": "Using diodes", + "id": "control-1195", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0645-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." 
} ] }, { - "id": "control-1157", - "title": "Using diodes", + "id": "control-0687", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1157-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-1158", - "title": "Using diodes", + "id": "control-1400", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1158-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." } ] }, { - "id": "control-0646", - "title": "Diodes for particularly important networks", + "id": "control-0694", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-0646-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "Privately-owned mobile devices do not access highly classified systems or information." 
} ] }, { - "id": "control-0647", - "title": "Diodes for particularly important networks", + "id": "control-1297", + "title": "Seeking legal advice for privately-owned mobile devices", "parts": [ { - "id": "control-0647-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." } ] }, { - "id": "control-0648", - "title": "Volume checking", + "id": "control-1482", + "title": "Organisation-owned mobile devices", "parts": [ { - "id": "control-0648-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] - } - ] - }, - { - "id": "content_filtering", - "title": "Content filtering", - "controls": [ + }, { - "id": "control-0659", - "title": "Content filtering", + "id": "control-0869", + "title": "Mobile device storage encryption", "parts": [ { - "id": "control-0659-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-1085", + "title": "Mobile device communications encryption", "parts": [ { - "id": "control-1524-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-0651", - "title": "Active, malicious and suspicious content", + "id": "control-1202", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0651-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] }, { - "id": "control-0652", - "title": "Active, malicious and suspicious content", + "id": "control-0682", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0652-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
} ] }, { - "id": "control-1389", - "title": "Automated dynamic analysis", + "id": "control-1196", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1389-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-1284", - "title": "Content validation", + "id": "control-1200", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1284-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-1286", - "title": "Content conversion and transformation", + "id": "control-1198", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1286-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." } ] }, { - "id": "control-1287", - "title": "Content sanitisation", + "id": "control-1199", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1287-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." 
} ] }, { - "id": "control-1288", - "title": "Antivirus scanning", + "id": "control-0863", + "title": "Configuration control", "parts": [ { - "id": "control-1288-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-1289", - "title": "Archive and container files", + "id": "control-0864", + "title": "Configuration control", "parts": [ { - "id": "control-1289-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] }, { - "id": "control-1290", - "title": "Archive and container files", + "id": "control-1365", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1290-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] }, { - "id": "control-1291", - "title": "Archive and container files", + "id": "control-1366", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." 
} ] }, { - "id": "control-0649", - "title": "Allowing access to specific content types", + "id": "control-0874", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0649-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-1292", - "title": "Data integrity", + "id": "control-0705", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-1292-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." - } - ] - }, - { - "id": "control-0677", - "title": "Data integrity", - "parts": [ - { - "id": "control-0677-stmt", - "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." - } - ] - }, - { - "id": "control-1293", - "title": "Encrypted data", - "parts": [ - { - "id": "control-1293-stmt", - "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." } ] } ] }, { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", + "id": "mobile_device_usage", + "title": "Mobile device usage", "controls": [ { - "id": "control-0626", - "title": "When to implement a Cross Domain Solution", + "id": "control-1082", + "title": "Mobile device usage policy", "parts": [ { - "id": "control-0626-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "A mobile device usage policy is developed and implemented." 
} ] }, { - "id": "control-0597", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1083", + "title": "Personnel awareness", "parts": [ { - "id": "control-0597-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0627", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-0240", + "title": "Paging and message services", "parts": [ { - "id": "control-0627-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." } ] }, { - "id": "control-0635", - "title": "Separation of data flows", + "id": "control-0866", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0635-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." 
} ] }, { - "id": "control-1521", - "title": "Separation of data flows", + "id": "control-1145", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-1521-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-1522", - "title": "Separation of data flows", + "id": "control-0871", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-1522-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-0670", - "title": "Event logging", + "id": "control-0870", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-1523", - "title": "Event logging", + "id": "control-1084", + "title": "Carrying mobile devices", "parts": [ { - "id": "control-1523-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." 
+ "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." } ] }, { - "id": "control-0610", - "title": "User training", + "id": "control-0701", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0610-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." } ] - } - ] - }, - { - "id": "web_content_filters", - "title": "Web content filters", - "controls": [ + }, { - "id": "control-0963", - "title": "Using web content filters", + "id": "control-0702", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." } ] }, { - "id": "control-0961", - "title": "Using web content filters", + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0961-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." 
} ] }, { - "id": "control-1237", - "title": "Using web content filters", + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1237-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." } ] }, { - "id": "control-0263", - "title": "Transport Layer Security filtering", + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0263-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." 
} ] }, { - "id": "control-0996", - "title": "Inspection of Transport Layer Security traffic", + "id": "control-1299", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0996-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." 
} ] }, { - "id": "control-0958", - "title": "Allowing access to specific websites", + "id": "control-1088", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0958-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." } ] }, { - "id": "control-1170", - "title": "Allowing access to specific websites", + "id": "control-1300", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-1170-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-0959", - "title": "Blocking access to specific websites", + "id": "control-1556", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0959-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." 
+ "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ + { + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", + "controls": [ { - "id": "control-0960", - "title": "Blocking access to specific websites", + "id": "control-0280", + "title": "Evaluated product selection", "parts": [ { - "id": "control-0960-stmt", + "id": "control-0280-stmt", "name": "statement", - "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." } ] }, { - "id": "control-1171", - "title": "Blocking access to specific websites", + "id": "control-0285", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1171-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." 
} ] }, { - "id": "control-1236", - "title": "Blocking access to specific websites", + "id": "control-0286", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1236-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." } ] } ] }, { - "id": "web_proxies", - "title": "Web proxies", + "id": "evaluated_product_usage", + "title": "Evaluated product usage", "controls": [ { - "id": "control-0258", - "title": "Web usage policy", + "id": "control-0289", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0258-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." } ] }, { - "id": "control-0260", - "title": "Using web proxies", + "id": "control-0290", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0260-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." 
} ] }, { - "id": "control-0261", - "title": "Web proxy authentication and logging", + "id": "control-0292", + "title": "Use of high assurance ICT equipment in unevaluated configurations", "parts": [ { - "id": "control-0261-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." + "prose": "High assurance ICT equipment is only operated in an evaluated configuration." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ { - "id": "peripheral_switches", - "title": "Peripheral switches", + "id": "emanation_security", + "title": "Emanation security", "controls": [ { - "id": "control-0591", - "title": "Using peripheral switches", + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0591-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1480", - "title": "Using peripheral switches", + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1480-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1457", - "title": "Using peripheral switches", + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0593", - "title": "Using peripheral switches", + "id": "control-0932", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0593-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." 
+ "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." } ] }, { - "id": "control-0594", - "title": "Peripheral switches for particularly important systems", - "parts": [ - { - "id": "control-0594-stmt", - "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", - "groups": [ - { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", - "controls": [ - { - "id": "control-0280", - "title": "Evaluated product selection", + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0280-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0285", - "title": "Delivery of evaluated products", + "id": "control-0246", + "title": "Early identification of emanation security issues", "parts": [ { - "id": "control-0285-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." 
+ "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." } ] }, { - "id": "control-0286", - "title": "Delivery of evaluated products", + "id": "control-0250", + "title": "Industry and government standards", "parts": [ { - "id": "control-0286-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." } ] } ] }, { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", + "id": "cable_management", + "title": "Cable management", "controls": [ { - "id": "control-0289", - "title": "Installation and configuration of evaluated products", + "id": "control-0181", + "title": "Cable standards", "parts": [ { - "id": "control-0289-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." } ] }, { - "id": "control-0290", - "title": "Installation and configuration of evaluated products", + "id": "control-0926", + "title": "Cable colours", "parts": [ { - "id": "control-0290-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + "prose": "The cable colours in the following table are used (see source document for referenced table)." 
} ] }, { - "id": "control-0292", - "title": "Use of high assurance ICT equipment in unevaluated configurations", + "id": "control-0825", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-0292-stmt", + "id": "control-0825-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." + "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_networking", - "title": "Guidelines for Networking", - "groups": [ - { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", - "controls": [ + }, { - "id": "control-1437", - "title": "Cloud-based hosting of online services", + "id": "control-0826", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-1437-stmt", + "id": "control-0826-stmt", "name": "statement", - "prose": "A cloud service provider is used for hosting online services." + "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." } ] }, { - "id": "control-1578", - "title": "Location policies for online services", + "id": "control-1215", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1578-stmt", + "id": "control-1215-stmt", "name": "statement", - "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." + "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." 
} ] }, { - "id": "control-1579", - "title": "Availability planning and monitoring for online services", + "id": "control-1216", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1579-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." + "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." } ] }, { - "id": "control-1580", - "title": "Availability planning and monitoring for online services", + "id": "control-1112", + "title": "Inspecting cables", "parts": [ { - "id": "control-1580-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1441", - "title": "Availability planning and monitoring for online services", + "id": "control-1118", + "title": "Inspecting cables", "parts": [ { - "id": "control-1441-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1581", - "title": "Availability planning and monitoring for online services", + "id": "control-1119", + "title": "Inspecting cables", "parts": [ { - "id": "control-1581-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "Organisations perform continuous real-time monitoring of the availability of online services." 
+ "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1438", - "title": "Using content delivery networks", + "id": "control-1126", + "title": "Inspecting cables", "parts": [ { - "id": "control-1438-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1439", - "title": "Using content delivery networks", + "id": "control-0184", + "title": "Inspecting cables", "parts": [ { - "id": "control-1439-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." 
} ] }, { - "id": "control-1431", - "title": "Denial of service strategies", + "id": "control-0187", + "title": "Cable groupings", "parts": [ { - "id": "control-1431-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." + "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1458", - "title": "Denial of service strategies", + "id": "control-1111", + "title": "Use of fibre-optic cables", "parts": [ { - "id": "control-1458-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." } ] }, { - "id": "control-1432", - "title": "Domain name registrar locking", + "id": "control-0189", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1432-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." 
} ] }, { - "id": "control-1435", - "title": "Monitoring with real-time alerting for online services", + "id": "control-0190", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1435-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." } ] }, { - "id": "control-1436", - "title": "Segregation of critical online services", + "id": "control-1114", + "title": "Cables sharing a common reticulation system", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." } ] }, { - "id": "control-1518", - "title": "Preparing for service continuity", + "id": "control-1130", + "title": "Enclosed cable reticulation systems", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." 
} ] - } - ] - }, - { - "id": "wireless_networks", - "title": "Wireless networks", - "controls": [ + }, { - "id": "control-1314", - "title": "Choosing wireless access points", + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", "parts": [ { - "id": "control-1314-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-0536", - "title": "Wireless networks for public access", + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-0536-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." } ] }, { - "id": "control-1315", - "title": "Administrative interfaces for wireless access points", + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-1315-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." - } - ] - }, - { - "id": "control-1316", - "title": "Default Service Set Identifiers", - "parts": [ - { - "id": "control-1316-stmt", - "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." 
} ] }, { - "id": "control-1317", - "title": "Default Service Set Identifiers", + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1317-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1318", - "title": "Default Service Set Identifiers", + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1318-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1319", - "title": "Static addressing", + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1319-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." } ] }, { - "id": "control-1320", - "title": "Media Access Control address filtering", + "id": "control-1098", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1320-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." 
+ "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." } ] }, { - "id": "control-1321", - "title": "802.1X authentication", + "id": "control-1100", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1321-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-1322", - "title": "Evaluation of 802.1X authentication implementation", + "id": "control-1116", + "title": "Cabinet separation", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] }, { - "id": "control-1324", - "title": "Generating and issuing certificates for authentication", + "id": "control-1115", + "title": "Cables in walls", "parts": [ { - "id": "control-1324-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." } ] }, { - "id": "control-1323", - "title": "Generating and issuing certificates for authentication", + "id": "control-1133", + "title": "Cables in party walls", "parts": [ { - "id": "control-1323-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "In shared non-government facilities, cables are not run in a party wall." 
} ] }, { - "id": "control-1325", - "title": "Generating and issuing certificates for authentication", + "id": "control-1122", + "title": "Wall penetrations", "parts": [ { - "id": "control-1325-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1326", - "title": "Generating and issuing certificates for authentication", + "id": "control-1134", + "title": "Wall penetrations", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1327", - "title": "Generating and issuing certificates for authentication", + "id": "control-1104", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1327-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." 
} ] }, { - "id": "control-1330", - "title": "Caching 802.1X authentication outcomes", + "id": "control-1105", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1330-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." } ] }, { - "id": "control-1454", - "title": "Remote Authentication Dial-In User Service authentication", + "id": "control-1106", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1106-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." } ] }, { - "id": "control-1332", - "title": "Encryption of wireless network traffic", + "id": "control-1107", + "title": "Wall outlet box colours", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1334", - "title": "Interference between wireless networks", + "id": "control-1109", + "title": "Wall outlet box covers", "parts": [ { - "id": "control-1334-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "Wall outlet box covers are clear plastic." 
} ] }, { - "id": "control-1335", - "title": "Protecting management frames on wireless networks", + "id": "control-0198", + "title": "Audio secure spaces", "parts": [ { - "id": "control-1335-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." } ] }, { - "id": "control-1338", - "title": "Wireless network footprint", + "id": "control-1123", + "title": "Power reticulation", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-1013", - "title": "Wireless network footprint", + "id": "control-1135", + "title": "Power reticulation", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
} ] } ] }, { - "id": "network_design_and_configuration", - "title": "Network design and configuration", + "id": "cable_labelling_and_registration", + "title": "Cable labelling and registration", "controls": [ { - "id": "control-0516", - "title": "Network documentation", + "id": "control-0201", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0516-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." } ] }, { - "id": "control-0518", - "title": "Network documentation", + "id": "control-0202", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0518-stmt", + "id": "control-0202-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." } ] }, { - "id": "control-1178", - "title": "Network documentation", + "id": "control-0203", + "title": "Conduit label specifications", "parts": [ { - "id": "control-1178-stmt", + "id": "control-0203-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." 
} ] }, { - "id": "control-1181", - "title": "Network segmentation and segregation", + "id": "control-0204", + "title": "Installing conduit labelling", "parts": [ { - "id": "control-1181-stmt", + "id": "control-0204-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." } ] }, { - "id": "control-1577", - "title": "Network segmentation and segregation", + "id": "control-1095", + "title": "Labelling wall outlet boxes", "parts": [ { - "id": "control-1577-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "Organisation networks are segregated from service provider networks." + "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." } ] }, { - "id": "control-1532", - "title": "Using Virtual Local Area Networks", + "id": "control-1096", + "title": "Labelling cables", "parts": [ { - "id": "control-1532-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." } ] }, { - "id": "control-0529", - "title": "Using Virtual Local Area Networks", + "id": "control-0206", + "title": "Cable labelling process and procedures", "parts": [ { - "id": "control-0529-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." 
+ "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-1364", - "title": "Using Virtual Local Area Networks", + "id": "control-0211", + "title": "Cable register", "parts": [ { - "id": "control-1364-stmt", + "id": "control-0211-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "A cable register is maintained and regularly audited." } ] }, { - "id": "control-0535", - "title": "Using Virtual Local Area Networks", + "id": "control-0208", + "title": "Cable register", "parts": [ { - "id": "control-0535-stmt", + "id": "control-0208-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "Cable registers contain the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." } ] - }, + } + ] + }, + { + "id": "cable_patching", + "title": "Cable patching", + "controls": [ { - "id": "control-0530", - "title": "Using Virtual Local Area Networks", + "id": "control-0213", + "title": "Terminations to patch panels", "parts": [ { - "id": "control-0530-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "Only approved cable groups terminate on a patch panel." } ] }, { - "id": "control-0521", - "title": "Using Internet Protocol version 6", + "id": "control-1093", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1093-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." 
+ "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." } ] }, { - "id": "control-1186", - "title": "Using Internet Protocol version 6", + "id": "control-0214", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1186-stmt", + "id": "control-0214-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." } ] }, { - "id": "control-1428", - "title": "Using Internet Protocol version 6", + "id": "control-1094", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1094-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." } ] }, { - "id": "control-1429", - "title": "Using Internet Protocol version 6", + "id": "control-0216", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1429-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." 
} ] }, { - "id": "control-1430", - "title": "Using Internet Protocol version 6", + "id": "control-0217", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1430-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." } ] }, { - "id": "control-0520", - "title": "Network access controls", + "id": "control-0218", + "title": "Fly lead installation", "parts": [ { - "id": "control-0520-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ + { + "id": "control-1631", + "title": "Cyber supply chain risk management", + "parts": [ + { + "id": "control-1631-stmt", + "name": "statement", + "prose": "Components and services relevant to the security of systems are identified and understood." 
} ] }, { - "id": "control-1182", - "title": "Network access controls", + "id": "control-1452", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1182-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk." } ] }, { - "id": "control-1301", - "title": "Network device register", + "id": "control-1567", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1301-stmt", + "id": "control-1567-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "Suppliers and service providers identified as high risk are not used." } ] }, { - "id": "control-1304", - "title": "Default accounts for network devices", + "id": "control-1568", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1304-stmt", + "id": "control-1568-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices." } ] }, { - "id": "control-0534", - "title": "Disabling unused physical ports on network devices", + "id": "control-1632", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1632-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." 
+ "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains." } ] }, { - "id": "control-0385", - "title": "Functional separation between servers", + "id": "control-1569", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1569-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party." } ] }, { - "id": "control-1479", - "title": "Functional separation between servers", + "id": "control-0100", + "title": "Outsourced gateway services", "parts": [ { - "id": "control-1479-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." + "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." } ] }, { - "id": "control-1006", - "title": "Management traffic", + "id": "control-1637", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1006-stmt", + "id": "control-1637-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + "prose": "An outsourced cloud services register is maintained and regularly audited." 
} ] }, { - "id": "control-1311", - "title": "Use of Simple Network Management Protocol", + "id": "control-1638", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1638-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "Outsourced cloud services registers contain the following for each outsourced cloud service:\n• cloud service provider’s name\n• cloud service’s name\n• purpose for using the cloud service\n• sensitivity or classification of information involved\n• due date for the next security assessment of the cloud service\n• point of contact for users of the cloud service\n• point of contact for the cloud service provider." } ] }, { - "id": "control-1312", - "title": "Use of Simple Network Management Protocol", + "id": "control-1570", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1312-stmt", + "id": "control-1570-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." } ] }, { - "id": "control-1028", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1529", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." + "prose": "Only community or private clouds are used for outsourced cloud services." 
} ] }, { - "id": "control-1030", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1395", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1030-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." } ] }, { - "id": "control-1185", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-0072", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1185-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." } ] }, { - "id": "control-1627", - "title": "Blocking anonymity network traffic", + "id": "control-1571", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1627-stmt", + "id": "control-1571-stmt", "name": "statement", - "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." + "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." 
} ] }, { - "id": "control-1628", - "title": "Blocking anonymity network traffic", + "id": "control-1451", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1628-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "Outbound network connections to anonymity networks are blocked." + "prose": "Types of information and its ownership is documented in contractual arrangements." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", - "groups": [ - { - "id": "web_application_development", - "title": "Web application development", - "controls": [ + }, { - "id": "control-1239", - "title": "Web application frameworks", + "id": "control-1572", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1239-stmt", + "id": "control-1572-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." } ] }, { - "id": "control-1552", - "title": "Web application interactions", + "id": "control-1573", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1573-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." } ] }, { - "id": "control-1240", - "title": "Web application input handling", + "id": "control-1574", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1240-stmt", + "id": "control-1574-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." 
+ "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." } ] }, { - "id": "control-1241", - "title": "Web application output encoding", + "id": "control-1575", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1575-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." } ] }, { - "id": "control-1424", - "title": "Web browser-based security controls", + "id": "control-1073", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-1424-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." } ] }, { - "id": "control-0971", - "title": "Open Web Application Security Project", + "id": "control-1576", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-0971-stmt", + "id": "control-1576-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ { - "id": "application_development", - "title": "Application development", + "id": "application_hardening", + "title": "Application hardening", "controls": [ { - "id": "control-0400", - "title": "Development environments", + "id": "control-0938", + "title": "Application selection", "parts": [ { - "id": "control-0400-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "Development, testing and production environments are segregated." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." } ] }, { - "id": "control-1419", - "title": "Development environments", + "id": "control-1467", + "title": "Application versions", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." + "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." } ] }, { - "id": "control-1420", - "title": "Development environments", + "id": "control-1483", + "title": "Application versions", "parts": [ { - "id": "control-1420-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." 
} ] }, { - "id": "control-1422", - "title": "Development environments", + "id": "control-1412", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1422-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1238", - "title": "Secure software design", + "id": "control-1484", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1238-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "Web browsers are configured to block or disable support for Flash content." } ] }, { - "id": "control-0401", - "title": "Secure programming practices", + "id": "control-1485", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0401-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "Web browsers are configured to block web advertisements." } ] }, { - "id": "control-0402", - "title": "Software testing", + "id": "control-1486", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0402-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." 
+ "prose": "Web browsers are configured to block Java from the internet." } ] }, { - "id": "control-1616", - "title": "Vulnerability disclosure program", + "id": "control-1541", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1616-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." + "prose": "Microsoft Office is configured to disable support for Flash content." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ + }, { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "id": "control-1542", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." } ] }, { - "id": "control-0546", - "title": "Video and voice-aware firewalls", + "id": "control-1470", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0546-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." 
} ] }, { - "id": "control-0547", - "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "id": "control-1235", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0547-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." } ] }, { - "id": "control-0548", - "title": "Establishment of secure signalling and data protocols", + "id": "control-1601", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1601-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." } ] }, { - "id": "control-0554", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1585", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1585-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." } ] }, { - "id": "control-0553", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1487", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0553-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." 
+ "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." } ] }, { - "id": "control-0555", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1488", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0555-stmt", + "id": "control-1488-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." + "prose": "Microsoft Office macros in documents originating from the internet are blocked." } ] }, { - "id": "control-0551", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1489", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] - }, + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ { - "id": "control-1014", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1406", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-1014-stmt", + "id": "control-1406-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "SOEs are used for workstations and servers." 
} ] }, { - "id": "control-0549", - "title": "Traffic separation", + "id": "control-1608", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0549-stmt", + "id": "control-1608-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." } ] }, { - "id": "control-0556", - "title": "Traffic separation", + "id": "control-1588", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1588-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "SOEs are reviewed and updated at least annually." } ] }, { - "id": "control-1015", - "title": "Internet Protocol phones in public areas", + "id": "control-1407", + "title": "Operating system versions", "parts": [ { - "id": "control-1015-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." } ] }, { - "id": "control-0558", - "title": "Internet Protocol phones in public areas", + "id": "control-1408", + "title": "Operating system versions", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." 
} ] }, { - "id": "control-0559", - "title": "Microphones and webcams", + "id": "control-1409", + "title": "Operating system configuration", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-1450", - "title": "Microphones and webcams", + "id": "control-0383", + "title": "Operating system configuration", "parts": [ { - "id": "control-1450-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1019", - "title": "Developing a denial of service response plan", + "id": "control-0380", + "title": "Operating system configuration", "parts": [ { - "id": "control-1019-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." 
} ] - } - ] - }, - { - "id": "telephone_systems", - "title": "Telephone systems", - "controls": [ + }, { - "id": "control-1078", - "title": "Telephone systems usage policy", + "id": "control-1584", + "title": "Operating system configuration", "parts": [ { - "id": "control-1078-stmt", + "id": "control-1584-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." } ] }, { - "id": "control-0229", - "title": "Personnel awareness", + "id": "control-1491", + "title": "Operating system configuration", "parts": [ { - "id": "control-0229-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe)\n• Microsoft HTML Application Host (mshta.exe)." } ] }, { - "id": "control-0230", - "title": "Personnel awareness", + "id": "control-1410", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0230-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." 
} ] }, { - "id": "control-0231", - "title": "Visual indication", + "id": "control-1469", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-0232", - "title": "Protecting conversations", + "id": "control-1592", + "title": "Application management", "parts": [ { - "id": "control-0232-stmt", + "id": "control-1592-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "Users do not have the ability to install unapproved software." } ] }, { - "id": "control-0233", - "title": "Cordless telephone systems", + "id": "control-0382", + "title": "Application management", "parts": [ { - "id": "control-0233-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + "prose": "Users do not have the ability to uninstall or disable approved software." } ] }, { - "id": "control-0235", - "title": "Speakerphones", + "id": "control-0843", + "title": "Application control", "parts": [ { - "id": "control-0235-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." 
+ "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0236", - "title": "Off-hook audio protection", + "id": "control-1490", + "title": "Application control", "parts": [ { - "id": "control-0236-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0931", - "title": "Off-hook audio protection", + "id": "control-0955", + "title": "Application control", "parts": [ { - "id": "control-0931-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." } ] }, { - "id": "control-0237", - "title": "Off-hook audio protection", + "id": "control-1582", + "title": "Application control", "parts": [ { - "id": "control-0237-stmt", + "id": "control-1582-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." 
} ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ + }, { - "id": "control-0588", - "title": "Fax machine and multifunction device usage policy", + "id": "control-1471", + "title": "Application control", "parts": [ { - "id": "control-0588-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-1092", - "title": "Sending fax messages", + "id": "control-1392", + "title": "Application control", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." } ] }, { - "id": "control-0241", - "title": "Sending fax messages", + "id": "control-1544", + "title": "Application control", "parts": [ { - "id": "control-0241-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." 
} ] }, { - "id": "control-1075", - "title": "Receiving fax messages", + "id": "control-0846", + "title": "Application control", "parts": [ { - "id": "control-1075-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." } ] }, { - "id": "control-0590", - "title": "Connecting multifunction devices to networks", + "id": "control-0957", + "title": "Application control", "parts": [ { - "id": "control-0590-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." } ] }, { - "id": "control-0245", - "title": "Connecting multifunction devices to both networks and digital telephone systems", + "id": "control-1414", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0245-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." 
+ "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." } ] }, { - "id": "control-0589", - "title": "Copying documents on multifunction devices", + "id": "control-1492", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0589-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "If supported, Microsoft’s exploit protection functionality is implemented on workstations and servers." } ] }, { - "id": "control-1036", - "title": "Observing fax machine and multifunction device use", + "id": "control-1621", + "title": "PowerShell", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1621-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "PowerShell 2.0 and below is removed from operating systems." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems", - "title": "Guidelines for Database Systems", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Protecting database server contents", + "id": "control-1622", + "title": "PowerShell", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1622-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "PowerShell is configured to use Constrained Language Mode." 
} ] }, { - "id": "control-1269", - "title": "Functional separation between database servers and web servers", + "id": "control-1623", + "title": "PowerShell", "parts": [ { - "id": "control-1269-stmt", + "id": "control-1623-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." } ] }, { - "id": "control-1277", - "title": "Communications between database servers and web servers", + "id": "control-1624", + "title": "PowerShell", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1624-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." + "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." } ] }, { - "id": "control-1270", - "title": "Network environment", + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1270-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "A HIPS is implemented on workstations." } ] }, { - "id": "control-1271", - "title": "Network environment", + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." 
} ] }, { - "id": "control-1272", - "title": "Network environment", + "id": "control-1416", + "title": "Software firewall", "parts": [ { - "id": "control-1272-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." } ] }, { - "id": "control-1273", - "title": "Separation of production, test and development database servers", + "id": "control-1417", + "title": "Antivirus software", "parts": [ { - "id": "control-1273-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." } ] - } - ] - }, - { - "id": "database_management_system_software", - "title": "Database management system software", - "controls": [ + }, { - "id": "control-1245", - "title": "Temporary installation files and logs", + "id": "control-1390", + "title": "Antivirus software", "parts": [ { - "id": "control-1245-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Antivirus software has reputation rating functionality enabled." 
} ] }, { - "id": "control-1246", - "title": "Hardening and configuration", + "id": "control-1418", + "title": "Device access control software", "parts": [ { - "id": "control-1246-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." } ] }, { - "id": "control-1247", - "title": "Hardening and configuration", + "id": "control-0345", + "title": "Device access control software", "parts": [ { - "id": "control-1247-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "External interfaces of workstations and servers that allow DMA are disabled." } ] - }, + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ { - "id": "control-1249", - "title": "Restricting privileges", + "id": "control-1546", + "title": "Authenticating to systems", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "Users are authenticated before they are granted access to a system and its resources." } ] }, { - "id": "control-1250", - "title": "Restricting privileges", + "id": "control-0974", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1250-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "Multi-factor authentication is used to authenticate standard users." 
} ] }, { - "id": "control-1251", - "title": "Restricting privileges", + "id": "control-1173", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." } ] }, { - "id": "control-1260", - "title": "Database administrator accounts", + "id": "control-1384", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1260-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." } ] }, { - "id": "control-1262", - "title": "Database administrator accounts", + "id": "control-1504", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1262-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] }, { - "id": "control-1261", - "title": "Database administrator accounts", + "id": "control-1505", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1261-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." 
} ] }, { - "id": "control-1263", - "title": "Database administrator accounts", + "id": "control-1401", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1263-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." } ] }, { - "id": "control-1264", - "title": "Database administrator accounts", + "id": "control-1559", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Database register", + "id": "control-1560", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1243-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." } ] }, { - "id": "control-1256", - "title": "Protecting database contents", + "id": "control-1561", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1256-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." 
} ] }, { - "id": "control-1252", - "title": "Protecting authentication credentials in databases", + "id": "control-1357", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1252-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." } ] }, { - "id": "control-0393", - "title": "Protecting database contents", + "id": "control-0417", + "title": "Single-factor authentication", "parts": [ { - "id": "control-0393-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-1255", - "title": "Protecting database contents", + "id": "control-0421", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1255-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." } ] }, { - "id": "control-1268", - "title": "Protecting database contents", + "id": "control-1557", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1268-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." 
+ "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] }, { - "id": "control-1258", - "title": "Aggregation of database contents", + "id": "control-0422", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1258-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." } ] }, { - "id": "control-1274", - "title": "Separation of production, test and development databases", + "id": "control-1558", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1274-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." } ] }, { - "id": "control-1275", - "title": "Web application interaction with databases", + "id": "control-1596", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1275-stmt", + "id": "control-1596-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." 
+ "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." } ] }, { - "id": "control-1276", - "title": "Web application interaction with databases", + "id": "control-1227", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." + "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." } ] }, { - "id": "control-1278", - "title": "Web application interaction with databases", + "id": "control-1593", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1593-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email", - "title": "Guidelines for Email", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage policy", + "id": "control-1594", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-0264-stmt", + "id": "control-1594-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." 
} ] }, { - "id": "control-0267", - "title": "Webmail services", + "id": "control-1595", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-0267-stmt", + "id": "control-1595-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." } ] }, { - "id": "control-0270", - "title": "Protective markings for emails", + "id": "control-1619", + "title": "Setting and resetting credentials for service accounts", "parts": [ { - "id": "control-0270-stmt", + "id": "control-1619-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Service accounts are created as group Managed Service Accounts." } ] }, { - "id": "control-0271", - "title": "Protective marking tools", + "id": "control-1403", + "title": "Account lockouts", "parts": [ { - "id": "control-0271-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-0272", - "title": "Protective marking tools", + "id": "control-0431", + "title": "Account lockouts", "parts": [ { - "id": "control-0272-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Repeated account lockouts are investigated before reauthorising access." 
} ] }, { - "id": "control-1089", - "title": "Protective marking tools", + "id": "control-0976", + "title": "Account unlocks", "parts": [ { - "id": "control-1089-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." } ] }, { - "id": "control-0565", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1603", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-0565-stmt", + "id": "control-1603-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." + "prose": "Authentication methods susceptible to replay attacks are disabled." } ] }, { - "id": "control-1023", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1055", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-1023-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." } ] }, { - "id": "control-0269", - "title": "Email distribution lists", + "id": "control-1620", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-0269-stmt", + "id": "control-1620-stmt", "name": "statement", - "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." 
+ "prose": "Privileged accounts are members of the Protected Users security group." } ] - } - ] - }, - { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", - "controls": [ + }, { - "id": "control-0569", - "title": "Centralised email gateways", + "id": "control-0418", + "title": "Protecting credentials", "parts": [ { - "id": "control-0569-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." + "prose": "Credentials are stored separately from systems to which they grant access." } ] }, { - "id": "control-0571", - "title": "Centralised email gateways", + "id": "control-1597", + "title": "Protecting credentials", "parts": [ { - "id": "control-0571-stmt", + "id": "control-1597-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "Credentials are obscured as they are entered into systems." } ] }, { - "id": "control-0570", - "title": "Email gateway maintenance activities", + "id": "control-1402", + "title": "Protecting credentials", "parts": [ { - "id": "control-0570-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." } ] }, { - "id": "control-0567", - "title": "Open relay email servers", + "id": "control-1590", + "title": "Protecting credentials", "parts": [ { - "id": "control-0567-stmt", + "id": "control-1590-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." 
+ "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." } ] }, { - "id": "control-0572", - "title": "Email server transport encryption", + "id": "control-0853", + "title": "Session termination", "parts": [ { - "id": "control-0572-stmt", - "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." - } - ] - }, - { - "id": "control-1589", - "title": "Email server transport encryption", - "parts": [ - { - "id": "control-1589-stmt", - "name": "statement", - "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." - } - ] - }, - { - "id": "control-0574", - "title": "Sender Policy Framework", - "parts": [ - { - "id": "control-0574-stmt", + "id": "control-0853-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." + "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." } ] }, { - "id": "control-1183", - "title": "Sender Policy Framework", + "id": "control-0428", + "title": "Session and screen locking", "parts": [ { - "id": "control-1183-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." 
+ "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." } ] }, { - "id": "control-1151", - "title": "Sender Policy Framework", + "id": "control-0408", + "title": "Logon banner", "parts": [ { - "id": "control-1151-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-1152", - "title": "Sender Policy Framework", + "id": "control-0979", + "title": "Logon banner", "parts": [ { - "id": "control-1152-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." + "prose": "Legal advice is sought on the exact wording of logon banners." } ] - }, + } + ] + }, + { + "id": "virtualisation_hardening", + "title": "Virtualisation hardening", + "controls": [ { - "id": "control-0861", - "title": "DomainKeys Identified Mail", + "id": "control-1460", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0861-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." } ] }, { - "id": "control-1026", - "title": "DomainKeys Identified Mail", + "id": "control-1604", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1026-stmt", + "id": "control-1604-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." } ] }, { - "id": "control-1027", - "title": "DomainKeys Identified Mail", + "id": "control-1605", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1027-stmt", + "id": "control-1605-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." } ] }, { - "id": "control-1540", - "title": "Domain-based Message Authentication, Reporting and Conformance", + "id": "control-1606", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1540-stmt", + "id": "control-1606-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1234", - "title": "Email content filtering", + "id": "control-1607", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1234-stmt", + "id": "control-1607-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1502", - "title": "Blocking suspicious emails", + "id": "control-1462", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1502-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." } ] }, { - "id": "control-1024", - "title": "Undeliverable messages", + "id": "control-1461", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1024-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain." } ] } 
@@ -3355,2550 +3241,2630 @@ ] }, { - "id": "guidelines_for_cryptography", - "title": "Guidelines for Cryptography", + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", "groups": [ { - "id": "transport_layer_security", - "title": "Transport Layer Security", + "id": "application_development", + "title": "Application development", "controls": [ { - "id": "control-1139", - "title": "Using Transport Layer Security", - "parts": [ - { - "id": "control-1139-stmt", - "name": "statement", - "prose": "Only the latest version of TLS is used." - } - ] - }, - { - "id": "control-1369", - "title": "Using Transport Layer Security", - "parts": [ - { - "id": "control-1369-stmt", - "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." - } - ] - }, - { - "id": "control-1370", - "title": "Using Transport Layer Security", + "id": "control-0400", + "title": "Development environments", "parts": [ { - "id": "control-1370-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "Development, testing and production environments are segregated." } ] }, { - "id": "control-1372", - "title": "Using Transport Layer Security", + "id": "control-1419", + "title": "Development environments", "parts": [ { - "id": "control-1372-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-1448", - "title": "Using Transport Layer Security", + "id": "control-1420", + "title": "Development environments", "parts": [ { - "id": "control-1448-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." 
+ "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-1373", - "title": "Using Transport Layer Security", + "id": "control-1422", + "title": "Development environments", "parts": [ { - "id": "control-1373-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "Anonymous DH is not used." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-1374", - "title": "Using Transport Layer Security", + "id": "control-1238", + "title": "Secure software design", "parts": [ { - "id": "control-1374-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, { - "id": "control-1375", - "title": "Using Transport Layer Security", + "id": "control-0401", + "title": "Secure programming practices", "parts": [ { - "id": "control-1375-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." } ] }, { - "id": "control-1553", - "title": "Using Transport Layer Security", + "id": "control-0402", + "title": "Software testing", "parts": [ { - "id": "control-1553-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "TLS compression is disabled." 
+ "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] }, { - "id": "control-1453", - "title": "Perfect Forward Secrecy", + "id": "control-1616", + "title": "Vulnerability disclosure program", "parts": [ { - "id": "control-1453-stmt", + "id": "control-1616-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." } ] } ] }, { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", + "id": "web_application_development", + "title": "Web application development", "controls": [ { - "id": "control-0471", - "title": "Using ASD Approved Cryptographic Algorithms", + "id": "control-1239", + "title": "Web application frameworks", "parts": [ { - "id": "control-0471-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "Only AACAs are used by cryptographic equipment and software." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-0994", - "title": "Approved asymmetric/public key algorithms", + "id": "control-1552", + "title": "Web application interactions", "parts": [ { - "id": "control-0994-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "All web application content is offered exclusively using HTTPS." } ] }, { - "id": "control-0472", - "title": "Using Diffie-Hellman", + "id": "control-1240", + "title": "Web application input handling", "parts": [ { - "id": "control-0472-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used." 
+ "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-1629", - "title": "Using Diffie-Hellman", + "id": "control-1241", + "title": "Web application output encoding", "parts": [ { - "id": "control-1629-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3." + "prose": "Output encoding is performed on all output produced by a web application." } ] }, { - "id": "control-0473", - "title": "Using the Digital Signature Algorithm", + "id": "control-1424", + "title": "Web browser-based security controls", "parts": [ { - "id": "control-0473-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 2048 bits is used." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-1630", - "title": "Using the Digital Signature Algorithm", + "id": "control-0971", + "title": "Open Web Application Security Project", "parts": [ { - "id": "control-1630-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ + { + "id": "control-0123", + "title": "Reporting cyber security incidents", + "parts": [ + { + "id": "control-0123-stmt", + "name": "statement", + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1446", - "title": "Using Elliptic Curve Cryptography", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1446-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-0474", - "title": "Using Elliptic Curve Diffie-Hellman", + "id": "control-1433", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0474-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used." + "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." } ] }, { - "id": "control-0475", - "title": "Using the Elliptic Curve Digital Signature Algorithm", + "id": "control-1434", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0475-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used." 
+ "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." } ] }, { - "id": "control-0476", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0140", + "title": "Reporting cyber security incidents to the ACSC", "parts": [ { - "id": "control-0476-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used." + "prose": "Cyber security incidents are reported to the ACSC." + } + ] + } + ] + }, + { + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", + "controls": [ + { + "id": "control-0125", + "title": "Cyber security incident register", + "parts": [ + { + "id": "control-0125-stmt", + "name": "statement", + "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." } ] }, { - "id": "control-0477", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0133", + "title": "Handling and containing data spills", "parts": [ { - "id": "control-0477-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." 
} ] }, { - "id": "control-0479", - "title": "Approved symmetric encryption algorithms", + "id": "control-0917", + "title": "Handling and containing malicious code infections", "parts": [ { - "id": "control-0479-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." } ] }, { - "id": "control-0480", - "title": "Using the Triple Data Encryption Standard", + "id": "control-0137", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-0480-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-1232", - "title": "Protecting highly classified information", + "id": "control-1609", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1609-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." 
} ] }, { - "id": "control-1468", - "title": "Protecting highly classified information", + "id": "control-1213", + "title": "Post-incident analysis", "parts": [ { - "id": "control-1468-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." + "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + } + ] + }, + { + "id": "control-0138", + "title": "Integrity of evidence", + "parts": [ + { + "id": "control-0138-stmt", + "name": "statement", + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." } ] } ] }, { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", "controls": [ { - "id": "control-0501", - "title": "Commercial grade cryptographic equipment", + "id": "control-0576", + "title": "Intrusion detection and prevention policy", "parts": [ { - "id": "control-0501-stmt", + "id": "control-0576-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "An intrusion detection and prevention policy is developed and implemented." 
} ] }, { - "id": "control-0142", - "title": "Commercial grade cryptographic equipment", + "id": "control-1625", + "title": "Trusted insider program", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1625-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + "prose": "A trusted insider program is developed and implemented." } ] }, { - "id": "control-1091", - "title": "Commercial grade cryptographic equipment", + "id": "control-1626", + "title": "Trusted insider program", "parts": [ { - "id": "control-1091-stmt", + "id": "control-1626-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." } ] }, { - "id": "control-0499", - "title": "High Assurance Cryptographic Equipment", + "id": "control-0120", + "title": "Access to sufficient data sources and tools", "parts": [ { - "id": "control-0499-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_networking", + "title": "Guidelines for Networking", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ + { + "id": "control-1437", + "title": "Cloud-based hosting of online services", + "parts": [ + { + "id": "control-1437-stmt", + "name": "statement", + "prose": "A cloud service provider is used for hosting online services." } ] }, { - "id": "control-0505", - "title": "Storing cryptographic equipment", + "id": "control-1578", + "title": "Location policies for online services", "parts": [ { - "id": "control-0505-stmt", + "id": "control-1578-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." } ] }, { - "id": "control-0506", - "title": "Storing cryptographic equipment", + "id": "control-1579", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0506-stmt", + "id": "control-1579-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." 
} ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Configuring Secure Shell", + "id": "control-1580", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1506-stmt", + "id": "control-1580-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." } ] }, { - "id": "control-0484", - "title": "Configuring Secure Shell", + "id": "control-1441", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0484-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." + "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." } ] }, { - "id": "control-0485", - "title": "Authentication mechanisms", + "id": "control-1581", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0485-stmt", + "id": "control-1581-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "Organisations perform continuous real-time monitoring of the availability of online services." } ] }, { - "id": "control-1449", - "title": "Authentication mechanisms", + "id": "control-1438", + "title": "Using content delivery networks", "parts": [ { - "id": "control-1449-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." 
} ] }, { - "id": "control-0487", - "title": "Automated remote access", + "id": "control-1439", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0487-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." } ] }, { - "id": "control-0488", - "title": "Automated remote access", + "id": "control-1431", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0488-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." 
} ] }, { - "id": "control-0489", - "title": "SSH-agent", + "id": "control-1458", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0489-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + } + ] + }, + { + "id": "control-1432", + "title": "Domain name registrar locking", + "parts": [ + { + "id": "control-1432-stmt", + "name": "statement", + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + } + ] + }, + { + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", + "parts": [ + { + "id": "control-1435-stmt", + "name": "statement", + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", - "controls": [ + }, { - "id": "control-0481", - "title": "Using ASD Approved Cryptographic Protocols", + "id": "control-1436", + "title": "Segregation of critical online services", "parts": [ { - "id": "control-0481-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "Only AACPs are used by cryptographic equipment and software." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." 
} ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Using Secure/Multipurpose Internet Mail Extension", + "id": "control-1518", + "title": "Preparing for service continuity", "parts": [ { - "id": "control-0490-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." } ] } ] }, { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", + "id": "wireless_networks", + "title": "Wireless networks", "controls": [ { - "id": "control-1161", - "title": "Reducing physical storage and handling requirements", + "id": "control-1314", + "title": "Choosing wireless access points", "parts": [ { - "id": "control-1161-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-0457", - "title": "Reducing physical storage and handling requirements", + "id": "control-0536", + "title": "Wireless networks for public access", "parts": [ { - "id": "control-0457-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." 
+ "prose": "Wireless networks provided for the general public to access are segregated from all other networks." } ] }, { - "id": "control-0460", - "title": "Reducing physical storage and handling requirements", + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", "parts": [ { - "id": "control-0460-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." } ] }, { - "id": "control-0459", - "title": "Encrypting information at rest", + "id": "control-1316", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0459-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "The default SSID of wireless access points is changed." } ] }, { - "id": "control-0461", - "title": "Encrypting information at rest", + "id": "control-1317", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." 
} ] }, { - "id": "control-1080", - "title": "Encrypting particularly important information at rest", + "id": "control-1318", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1080-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." + "prose": "SSID broadcasting is enabled on wireless networks." } ] }, { - "id": "control-0455", - "title": "Data recovery", + "id": "control-1319", + "title": "Static addressing", "parts": [ { - "id": "control-0455-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." } ] }, { - "id": "control-0462", - "title": "Handling encrypted ICT equipment and media", + "id": "control-1320", + "title": "Media Access Control address filtering", "parts": [ { - "id": "control-0462-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." 
} ] }, { - "id": "control-1162", - "title": "Encrypting information in transit", + "id": "control-1321", + "title": "802.1X authentication", "parts": [ { - "id": "control-1162-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] }, { - "id": "control-0465", - "title": "Encrypting information in transit", + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", "parts": [ { - "id": "control-0465-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." } ] }, { - "id": "control-0467", - "title": "Encrypting information in transit", + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0467-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." 
} ] }, { - "id": "control-0469", - "title": "Encrypting particularly important information in transit", - "parts": [ - { - "id": "control-0469-stmt", - "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." - } - ] - } - ] - }, - { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", - "controls": [ - { - "id": "control-0494", - "title": "Mode of operation", + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0494-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "Both device and user certificates are required for accessing wireless networks." } ] }, { - "id": "control-0496", - "title": "Protocol selection", + "id": "control-1325", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0496-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." } ] }, { - "id": "control-1233", - "title": "Key exchange", + "id": "control-1326", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1233-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." 
} ] }, { - "id": "control-0497", - "title": "Internet Security Association Key Management Protocol modes", + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0497-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." } ] }, { - "id": "control-0498", - "title": "Security association lifetimes", + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", "parts": [ { - "id": "control-0498-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." } ] }, { - "id": "control-0998", - "title": "Hashed Message Authentication Code algorithms", + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", "parts": [ { - "id": "control-0998-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] }, { - "id": "control-0999", - "title": "Diffie-Hellman groups", + "id": "control-1332", + "title": "Encryption of wireless network traffic", "parts": [ { - "id": "control-0999-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." 
} ] }, { - "id": "control-1000", - "title": "Perfect Forward Secrecy", + "id": "control-1334", + "title": "Interference between wireless networks", "parts": [ { - "id": "control-1000-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." } ] }, { - "id": "control-1001", - "title": "Internet Key Exchange Extended Authentication", + "id": "control-1335", + "title": "Protecting management frames on wireless networks", "parts": [ { - "id": "control-1001-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ - { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ + }, { - "id": "control-0041", - "title": "System security plan", + "id": "control-1338", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0041-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." 
} ] }, { - "id": "control-0043", - "title": "Incident response plan", + "id": "control-1013", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0043-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." 
} ] - }, + } + ] + }, + { + "id": "network_design_and_configuration", + "title": "Network design and configuration", + "controls": [ { - "id": "control-1163", - "title": "Continuous monitoring plan", + "id": "control-0516", + "title": "Network documentation", "parts": [ { - "id": "control-1163-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." } ] }, { - "id": "control-1563", - "title": "Security assessment report", + "id": "control-0518", + "title": "Network documentation", "parts": [ { - "id": "control-1563-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." 
} ] }, { - "id": "control-1564", - "title": "Plan of action and milestones", + "id": "control-1178", + "title": "Network documentation", "parts": [ { - "id": "control-1564-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." } ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ + }, { - "id": "control-0039", - "title": "Cyber security strategy", + "id": "control-1181", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0039-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." } ] }, { - "id": "control-0047", - "title": "Approval of security documentation", + "id": "control-1577", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0047-stmt", + "id": "control-1577-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "Organisation networks are segregated from service provider networks." 
} ] }, { - "id": "control-0888", - "title": "Maintenance of security documentation", + "id": "control-1532", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0888-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1602", - "title": "Communication of security documentation", + "id": "control-0529", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1602-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", - "controls": [ + }, { - "id": "control-0252", - "title": "Providing cyber security awareness training", + "id": "control-1364", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0252-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." 
+ "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." } ] }, { - "id": "control-1565", - "title": "Providing cyber security awareness training", + "id": "control-0535", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1565-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "Tailored privileged user training is undertaken annually by all privileged users." + "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-0817", - "title": "Reporting suspicious contact via online services", + "id": "control-0530", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0817-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." + "prose": "Network devices implementing VLANs are managed from the most trusted network." } ] }, { - "id": "control-0820", - "title": "Posting work information to online services", + "id": "control-0521", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0820-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-1146", - "title": "Posting work information to online services", + "id": "control-1186", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." 
+ "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." } ] }, { - "id": "control-0821", - "title": "Posting personal information to online services", + "id": "control-1428", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0821-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-0824", - "title": "Sending and receiving files via online services", + "id": "control-1429", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0824-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." } ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "System access requirements", + "id": "control-1430", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0432-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." + "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." 
} ] }, { - "id": "control-0434", - "title": "System access requirements", + "id": "control-0520", + "title": "Network access controls", "parts": [ { - "id": "control-0434-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] }, { - "id": "control-0435", - "title": "System access requirements", + "id": "control-1182", + "title": "Network access controls", "parts": [ { - "id": "control-0435-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] }, { - "id": "control-0414", - "title": "User identification", + "id": "control-1301", + "title": "Network device register", "parts": [ { - "id": "control-0414-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "A network device register is maintained and regularly audited." } ] }, { - "id": "control-0415", - "title": "User identification", + "id": "control-1304", + "title": "Default accounts for network devices", "parts": [ { - "id": "control-0415-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." 
} ] }, { - "id": "control-1583", - "title": "User identification", + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", "parts": [ { - "id": "control-1583-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Personnel who are contractors are identified as such." + "prose": "Unused physical ports on network devices are disabled." } ] }, { - "id": "control-0975", - "title": "User identification", + "id": "control-0385", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0975-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-0420", - "title": "User identification", + "id": "control-1479", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0420-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-0405", - "title": "Standard access to systems", + "id": "control-1006", + "title": "Management traffic", "parts": [ { - "id": "control-0405-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." 
} ] }, { - "id": "control-1503", - "title": "Standard access to systems", + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1503-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "SNMP version 1 and 2 are not used on networks." } ] }, { - "id": "control-1566", - "title": "Standard access to systems", + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1566-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." } ] }, { - "id": "control-0409", - "title": "Standard access to systems by foreign nationals", + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0409-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." 
} ] }, { - "id": "control-0411", - "title": "Standard access to systems by foreign nationals", + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0411-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." } ] }, { - "id": "control-1507", - "title": "Privileged access to systems", + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1507-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] }, { - "id": "control-1508", - "title": "Privileged access to systems", + "id": "control-1627", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-1508-stmt", + "id": "control-1627-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." 
} ] }, { - "id": "control-0445", - "title": "Privileged access to systems", + "id": "control-1628", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-0445-stmt", + "id": "control-1628-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "Outbound network connections to anonymity networks are blocked." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ + { + "id": "system_owners", + "title": "System owners", + "controls": [ { - "id": "control-1509", - "title": "Privileged access to systems", + "id": "control-1071", + "title": "System ownership and oversight", "parts": [ { - "id": "control-1509-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "Each system has a designated system owner." } ] }, { - "id": "control-1175", - "title": "Privileged access to systems", + "id": "control-1525", + "title": "System ownership and oversight", "parts": [ { - "id": "control-1175-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + "prose": "System owners register each system with its authorising officer." } ] }, { - "id": "control-0448", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1633", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-0448-stmt", + "id": "control-1633-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." 
+ "prose": "System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised." } ] }, { - "id": "control-0446", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1634", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-0446-stmt", + "id": "control-1634-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." + "prose": "System owners select security controls for each system and tailor them to achieve desired security objectives." } ] }, { - "id": "control-0447", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1635", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-0447-stmt", + "id": "control-1635-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "System owners implement identified security controls within each system and its operating environment." } ] }, { - "id": "control-0430", - "title": "Suspension of access to systems", + "id": "control-1636", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-0430-stmt", + "id": "control-1636-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "System owners ensure security controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended." 
} ] }, { - "id": "control-1591", - "title": "Suspension of access to systems", + "id": "control-0027", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1591-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." + "prose": "System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation." } ] }, { - "id": "control-1404", - "title": "Suspension of access to systems", + "id": "control-1526", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1404-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis." } ] }, { - "id": "control-0407", - "title": "Recording authorisation for personnel to access systems", + "id": "control-1587", + "title": "Annual reporting of system security status", "parts": [ { - "id": "control-0407-stmt", + "id": "control-1587-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." + "prose": "System owners report the security status of each system to its authorising officer at least annually." 
} ] - }, + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ { - "id": "control-0441", - "title": "Temporary access to systems", + "id": "control-0714", + "title": "Providing cyber security leadership and guidance", "parts": [ { - "id": "control-0441-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." } ] }, { - "id": "control-0443", - "title": "Temporary access to systems", + "id": "control-1478", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-0443-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." } ] }, { - "id": "control-1610", - "title": "Emergency access to systems", + "id": "control-1617", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1610-stmt", + "id": "control-1617-stmt", "name": "statement", - "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." 
} ] }, { - "id": "control-1611", - "title": "Emergency access to systems", + "id": "control-0724", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1611-stmt", + "id": "control-0724-stmt", "name": "statement", - "prose": "Break glass accounts are only used when normal authentication processes cannot be used." + "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." } ] }, { - "id": "control-1612", - "title": "Emergency access to systems", + "id": "control-0725", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-1612-stmt", + "id": "control-0725-stmt", "name": "statement", - "prose": "Break glass accounts are only used for specific authorised activities." + "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." } ] }, { - "id": "control-1613", - "title": "Emergency access to systems", + "id": "control-0726", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-1613-stmt", + "id": "control-0726-stmt", "name": "statement", - "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." + "prose": "The CISO coordinates security risk management activities between cyber security and business teams." } ] }, { - "id": "control-1614", - "title": "Emergency access to systems", + "id": "control-0718", + "title": "Reporting on cyber security", "parts": [ { - "id": "control-1614-stmt", + "id": "control-0718-stmt", "name": "statement", - "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." + "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." 
} ] }, { - "id": "control-1615", - "title": "Emergency access to systems", + "id": "control-0733", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-1615-stmt", + "id": "control-0733-stmt", "name": "statement", - "prose": "Break glass accounts are tested after credentials are changed." + "prose": "The CISO is fully aware of all cyber security incidents within their organisation." } ] }, { - "id": "control-0078", - "title": "Control of Australian systems", + "id": "control-1618", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-0078-stmt", + "id": "control-1618-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "The CISO oversees their organisation’s response to cyber security incidents." } ] }, { - "id": "control-0854", - "title": "Control of Australian systems", + "id": "control-0734", + "title": "Contributing to business continuity and disaster recovery planning", "parts": [ { - "id": "control-0854-stmt", + "id": "control-0734-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." + "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", - "groups": [ - { - "id": "authentication_hardening", - "title": "Authentication hardening", - "controls": [ + }, { - "id": "control-1546", - "title": "Authenticating to systems", + "id": "control-0720", + "title": "Developing a cyber security communications strategy", "parts": [ { - "id": "control-1546-stmt", + "id": "control-0720-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." } ] }, { - "id": "control-0974", - "title": "Multi-factor authentication", + "id": "control-0731", + "title": "Working with suppliers and service providers", "parts": [ { - "id": "control-0974-stmt", + "id": "control-0731-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." } ] }, { - "id": "control-1173", - "title": "Multi-factor authentication", + "id": "control-0732", + "title": "Receiving and managing a dedicated cyber security budget", "parts": [ { - "id": "control-1173-stmt", + "id": "control-0732-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." } ] }, { - "id": "control-1384", - "title": "Multi-factor authentication", + "id": "control-0717", + "title": "Overseeing cyber security personnel", "parts": [ { - "id": "control-1384-stmt", + "id": "control-0717-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." 
+ "prose": "The CISO oversees the management of cyber security personnel within their organisation." } ] }, { - "id": "control-1504", - "title": "Multi-factor authentication", + "id": "control-0735", + "title": "Overseeing cyber security awareness raising", "parts": [ { - "id": "control-1504-stmt", + "id": "control-0735-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_data_transfers", + "title": "Guidelines for Data Transfers", + "groups": [ + { + "id": "data_transfers", + "title": "Data transfers", + "controls": [ { - "id": "control-1505", - "title": "Multi-factor authentication", + "id": "control-0663", + "title": "Data transfer process and procedures", "parts": [ { - "id": "control-1505-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-1401", - "title": "Multi-factor authentication", + "id": "control-0661", + "title": "User responsibilities", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." 
} ] }, { - "id": "control-1559", - "title": "Multi-factor authentication", + "id": "control-0665", + "title": "Trusted sources", "parts": [ { - "id": "control-1559-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." } ] }, { - "id": "control-1560", - "title": "Multi-factor authentication", + "id": "control-0664", + "title": "Data transfer approval", "parts": [ { - "id": "control-1560-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." } ] }, { - "id": "control-1561", - "title": "Multi-factor authentication", + "id": "control-0675", + "title": "Data transfer approval", "parts": [ { - "id": "control-1561-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "A trusted source signs all data authorised for export from a system." } ] }, { - "id": "control-1357", - "title": "Multi-factor authentication", + "id": "control-0657", + "title": "Import of data", "parts": [ { - "id": "control-1357-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." + "prose": "Data imported to a system is scanned for malicious and active content." 
} ] }, { - "id": "control-0417", - "title": "Single-factor authentication", + "id": "control-0658", + "title": "Import of data", "parts": [ { - "id": "control-0417-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." } ] }, { - "id": "control-0421", - "title": "Single-factor authentication", + "id": "control-1187", + "title": "Export of data", "parts": [ { - "id": "control-0421-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "When exporting data, protective marking checks are undertaken." } ] }, { - "id": "control-1557", - "title": "Single-factor authentication", + "id": "control-0669", + "title": "Export of data", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." 
} ] }, { - "id": "control-0422", - "title": "Single-factor authentication", + "id": "control-1535", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-0422-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-1558", - "title": "Single-factor authentication", + "id": "control-0678", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." } ] }, { - "id": "control-1596", - "title": "Single-factor authentication", + "id": "control-1586", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1596-stmt", + "id": "control-1586-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." + "prose": "Data transfer logs are used to record all data imports and exports from systems." 
} ] }, { - "id": "control-1227", - "title": "Setting and resetting credentials for user accounts", + "id": "control-1294", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1227-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." + "prose": "Data transfer logs are partially audited at least monthly." } ] }, { - "id": "control-1593", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0660", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1593-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." + "prose": "Data transfer logs are fully audited at least monthly." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_ict_equipment", + "title": "Guidelines for ICT Equipment", + "groups": [ + { + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", + "controls": [ { - "id": "control-1594", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1594-stmt", + "id": "control-0313-stmt", "name": "statement", - "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." 
} ] }, { - "id": "control-1595", - "title": "Setting and resetting credentials for user accounts", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1595-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-1619", - "title": "Setting and resetting credentials for service accounts", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1619-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "Service accounts are created as group Managed Service Accounts." + "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." } ] }, { - "id": "control-1403", - "title": "Account lockouts", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1403-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." 
} ] }, { - "id": "control-0431", - "title": "Account lockouts", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0431-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-0976", - "title": "Account unlocks", + "id": "control-0315", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-0976-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." + "prose": "When disposing of high assurance ICT equipment, it is destroyed prior to its disposal." } ] }, { - "id": "control-1603", - "title": "Insecure authentication methods", + "id": "control-0321", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1603-stmt", + "id": "control-0321-stmt", "name": "statement", - "prose": "Authentication methods susceptible to replay attacks are disabled." + "prose": "When disposing of ICT equipment that has been designed or modified to meet TEMPEST standards, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-1055", - "title": "Insecure authentication methods", + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1055-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." 
+ "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." } ] }, { - "id": "control-1620", - "title": "Insecure authentication methods", + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1620-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "Privileged accounts are members of the Protected Users security group." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." } ] }, { - "id": "control-0418", - "title": "Protecting credentials", + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0418-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." } ] }, { - "id": "control-1597", - "title": "Protecting credentials", + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1597-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Credentials are obscured as they are entered into systems." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." 
} ] }, { - "id": "control-1402", - "title": "Protecting credentials", + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1402-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." } ] }, { - "id": "control-1590", - "title": "Protecting credentials", + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1590-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-0853", - "title": "Session termination", + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0853-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." + "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." 
} ] }, { - "id": "control-0428", - "title": "Session and screen locking", + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0428-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." } ] }, { - "id": "control-0408", - "title": "Logon banner", + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0408-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-0979", - "title": "Logon banner", + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0979-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." 
} ] - } - ] - }, - { - "id": "operating_system_hardening", - "title": "Operating system hardening", - "controls": [ + }, { - "id": "control-1406", - "title": "Standard Operating Environments", + "id": "control-1223", + "title": "Sanitising network devices", "parts": [ { - "id": "control-1406-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "SOEs are used for workstations and servers." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." } ] }, { - "id": "control-1608", - "title": "Standard Operating Environments", + "id": "control-1225", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1608-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-1588", - "title": "Standard Operating Environments", + "id": "control-1226", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1588-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "SOEs are reviewed and updated at least annually." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-1407", - "title": "Operating system versions", + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", "parts": [ { - "id": "control-1407-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." } ] }, { - "id": "control-1408", - "title": "Operating system versions", + "id": "control-0305", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-1408-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." } ] }, { - "id": "control-1409", - "title": "Operating system configuration", + "id": "control-0307", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-1409-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-0383", - "title": "Operating system configuration", + "id": "control-0306", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0383-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." 
+ "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." } ] }, { - "id": "control-0380", - "title": "Operating system configuration", + "id": "control-0310", + "title": "Off-site maintenance and repairs", "parts": [ { - "id": "control-0380-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] }, { - "id": "control-1584", - "title": "Operating system configuration", + "id": "control-0944", + "title": "Maintenance and repair of ICT equipment from secured spaces", "parts": [ { - "id": "control-1584-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." + "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." 
} ] }, { - "id": "control-1491", - "title": "Operating system configuration", + "id": "control-1598", + "title": "Inspection of ICT equipment following maintenance and repairs", "parts": [ { - "id": "control-1491-stmt", + "id": "control-1598-stmt", "name": "statement", - "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe)\n• Microsoft HTML Application Host (mshta.exe)." + "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." } ] - }, + } + ] + }, + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ { - "id": "control-1410", - "title": "Local administrator accounts", + "id": "control-1551", + "title": "ICT equipment management policy", "parts": [ { - "id": "control-1410-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-1469", - "title": "Local administrator accounts", + "id": "control-0293", + "title": "Classifying ICT equipment", "parts": [ { - "id": "control-1469-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." 
} ] }, { - "id": "control-1592", - "title": "Application management", + "id": "control-0294", + "title": "Labelling ICT equipment", "parts": [ { - "id": "control-1592-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "Users do not have the ability to install unapproved software." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-0382", - "title": "Application management", + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", "parts": [ { - "id": "control-0382-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "Users do not have the ability to uninstall or disable approved software." + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] }, { - "id": "control-0843", - "title": "Application control", + "id": "control-1599", + "title": "Handling ICT equipment", "parts": [ { - "id": "control-0843-stmt", + "id": "control-1599-stmt", "name": "statement", - "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-1490", - "title": "Application control", + "id": "control-0039", + "title": "Cyber security strategy", "parts": [ { - "id": "control-1490-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-0955", - "title": "Application control", + "id": "control-0047", + "title": "Approval of security documentation", "parts": [ { - "id": "control-0955-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." } ] }, { - "id": "control-1582", - "title": "Application control", + "id": "control-0888", + "title": "Maintenance of security documentation", "parts": [ { - "id": "control-1582-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." 
} ] }, { - "id": "control-1471", - "title": "Application control", + "id": "control-1602", + "title": "Communication of security documentation", "parts": [ { - "id": "control-1471-stmt", + "id": "control-1602-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." + "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." } ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-1392", - "title": "Application control", + "id": "control-0041", + "title": "System security plan", "parts": [ { - "id": "control-1392-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-1544", - "title": "Application control", + "id": "control-0043", + "title": "Incident response plan", "parts": [ { - "id": "control-1544-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." 
+ "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." } ] }, { - "id": "control-0846", - "title": "Application control", + "id": "control-1163", + "title": "Continuous monitoring plan", "parts": [ { - "id": "control-0846-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." + "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." 
} ] }, { - "id": "control-0957", - "title": "Application control", + "id": "control-1563", + "title": "Security assessment report", "parts": [ { - "id": "control-0957-stmt", + "id": "control-1563-stmt", "name": "statement", - "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." } ] }, { - "id": "control-1414", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-1564", + "title": "Plan of action and milestones", "parts": [ { - "id": "control-1414-stmt", + "id": "control-1564-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media", + "title": "Guidelines for Media", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-1492", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-0363", + "title": "Media destruction process and procedures", "parts": [ { - "id": "control-1492-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "If supported, Microsoft’s exploit protection functionality is implemented on workstations and servers." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-1621", - "title": "PowerShell", + "id": "control-0350", + "title": "Media that cannot be sanitised", "parts": [ { - "id": "control-1621-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "PowerShell 2.0 and below is removed from operating systems." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." } ] }, { - "id": "control-1622", - "title": "PowerShell", + "id": "control-1361", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1622-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "PowerShell is configured to use Constrained Language Mode." + "prose": "SCEC or ASIO approved equipment is used when destroying media." } ] }, { - "id": "control-1623", - "title": "PowerShell", + "id": "control-1160", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1623-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." 
+ "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." } ] }, { - "id": "control-1624", - "title": "PowerShell", + "id": "control-1517", + "title": "Media destruction methods", "parts": [ { - "id": "control-1624-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." + "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." } ] }, { - "id": "control-1341", - "title": "Host-based Intrusion Prevention System", + "id": "control-0366", + "title": "Media destruction methods", "parts": [ { - "id": "control-1341-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." } ] }, { - "id": "control-1034", - "title": "Host-based Intrusion Prevention System", + "id": "control-0368", + "title": "Treatment of media waste particles", "parts": [ { - "id": "control-1034-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." 
} ] }, { - "id": "control-1416", - "title": "Software firewall", + "id": "control-0361", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1416-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." } ] }, { - "id": "control-1417", - "title": "Antivirus software", + "id": "control-0838", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1417-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." } ] }, { - "id": "control-1390", - "title": "Antivirus software", + "id": "control-0362", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1390-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." 
} ] }, { - "id": "control-1418", - "title": "Device access control software", + "id": "control-0370", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1418-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-0345", - "title": "Device access control software", + "id": "control-0371", + "title": "Supervision of destruction", "parts": [ { - "id": "control-0345-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "External interfaces of workstations and servers that allow DMA are disabled." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." } ] - } - ] - }, - { - "id": "application_hardening", - "title": "Application hardening", - "controls": [ + }, { - "id": "control-0938", - "title": "Application selection", + "id": "control-0372", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-0938-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." 
} ] }, { - "id": "control-1467", - "title": "Application versions", + "id": "control-0373", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1467-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." } ] }, { - "id": "control-1483", - "title": "Application versions", + "id": "control-0840", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1483-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." } ] }, { - "id": "control-1412", - "title": "Hardening application configurations", + "id": "control-0839", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1412-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." 
} ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-1484", - "title": "Hardening application configurations", + "id": "control-0374", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1484-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." } ] }, { - "id": "control-1485", - "title": "Hardening application configurations", + "id": "control-0375", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1486", - "title": "Hardening application configurations", + "id": "control-0378", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1486-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." 
} ] - }, + } + ] + }, + { + "id": "media_usage", + "title": "Media usage", + "controls": [ { - "id": "control-1541", - "title": "Hardening application configurations", + "id": "control-1549", + "title": "Media management policy", "parts": [ { - "id": "control-1541-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-1542", - "title": "Hardening application configurations", + "id": "control-1359", + "title": "Removable media usage policy", "parts": [ { - "id": "control-1542-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "A removable media usage policy is developed and implemented." } ] }, { - "id": "control-1470", - "title": "Hardening application configurations", + "id": "control-0323", + "title": "Classifying media storing information", "parts": [ { - "id": "control-1470-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." } ] }, { - "id": "control-1235", - "title": "Hardening application configurations", + "id": "control-0325", + "title": "Classifying media connected to systems", "parts": [ { - "id": "control-1235-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." 
+ "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-1601", - "title": "Hardening application configurations", + "id": "control-0331", + "title": "Reclassifying media", "parts": [ { - "id": "control-1601-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." } ] }, { - "id": "control-1585", - "title": "Hardening application configurations", + "id": "control-0330", + "title": "Reclassifying media", "parts": [ { - "id": "control-1585-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." + "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." } ] }, { - "id": "control-1487", - "title": "Microsoft Office macros", + "id": "control-0332", + "title": "Labelling media", "parts": [ { - "id": "control-1487-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." 
+ "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-1488", - "title": "Microsoft Office macros", + "id": "control-1600", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1488-stmt", + "id": "control-1600-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "Media is sanitised before it is used with systems for the first time." } ] }, { - "id": "control-1489", - "title": "Microsoft Office macros", + "id": "control-0337", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1489-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." } ] - } - ] - }, - { - "id": "virtualisation_hardening", - "title": "Virtualisation hardening", - "controls": [ - { - "id": "control-1460", - "title": "Functional separation between computing environments", + }, + { + "id": "control-0341", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1460-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." 
} ] }, { - "id": "control-1604", - "title": "Functional separation between computing environments", + "id": "control-0342", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1604-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-1605", - "title": "Functional separation between computing environments", + "id": "control-0343", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1605-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-1606", - "title": "Functional separation between computing environments", + "id": "control-0831", + "title": "Handling media", "parts": [ { - "id": "control-1606-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
} ] }, { - "id": "control-1607", - "title": "Functional separation between computing environments", + "id": "control-1059", + "title": "Handling media", "parts": [ { - "id": "control-1607-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1462", - "title": "Functional separation between computing environments", + "id": "control-0347", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." } ] }, { - "id": "control-1461", - "title": "Functional separation between computing environments", + "id": "control-0947", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1461-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain." + "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ + }, { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", + "id": "media_sanitisation", + "title": "Media sanitisation", "controls": [ { - "id": "control-0580", - "title": "Event logging policy", + "id": "control-0348", + "title": "Media sanitisation process and procedures", "parts": [ { - "id": "control-0580-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-1405", - "title": "Centralised logging facility", + "id": "control-0351", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1405-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0988", - "title": "Centralised logging facility", + "id": "control-0352", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-0988-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." 
} ] }, { - "id": "control-0584", - "title": "Events to be logged", + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", "parts": [ { - "id": "control-0584-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-0582", - "title": "Events to be logged", + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-0582-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." + "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-1536", - "title": "Events to be logged", + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1536-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." 
+ "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1537", - "title": "Events to be logged", + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1537-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." } ] }, { - "id": "control-0585", - "title": "Events log details", + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", "parts": [ { - "id": "control-0585-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." 
} ] }, { - "id": "control-0586", - "title": "Event log protection", + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-0586-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0859", - "title": "Event log retention", + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-0859-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0991", - "title": "Event log retention", + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", "parts": [ { - "id": "control-0991-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." 
} ] }, { - "id": "control-0109", - "title": "Event log auditing process and procedures", + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", "parts": [ { - "id": "control-0109-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1228", - "title": "Event log auditing process and procedures", + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", "parts": [ { - "id": "control-1228-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + } + ] + }, + { + "id": "control-1464", + "title": "Encrypted media sanitisation", + "parts": [ + { + "id": "control-1464-stmt", + "name": "statement", + "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." } ] } 
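Review bot: the group ordering in the regenerated catalog changed along with its content, which makes this hunk unreviewable as a diff: the `-` lines drop the whole virtualisation_hardening group (control-1460 through control-1461) and the start of guidelines_for_system_monitoring (event logging controls control-0580 through control-1228) at this position, while the `+` lines add the media_disposal, media_usage and media_sanitisation groups in their place, so nothing here indicates whether the removed controls survive elsewhere in the file. The subject line "demos work with trestle 1.0.x" describes a tooling bump, not a catalog content change; please state in the PR description which ISM release each catalog now tracks and whether the event logging and virtualisation controls are re-added later in the patch, and consider emitting groups and controls in a stable order so that a regeneration yields a diff reviewers can check control by control. The all-`+` block for control-1464 ("Encrypted media sanitisation") is the one addition in this hunk with no counterpart `-` lines, so it is worth calling out explicitly in the description.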
@@ -5907,3204 +5873,3238 @@ ] }, { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", + "id": "guidelines_for_cryptography", + "title": "Guidelines for Cryptography", "groups": [ { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", + "id": "secure_shell", + "title": "Secure Shell", "controls": [ { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-1506", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-0123-stmt", + "id": "control-1506-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "The use of SSH version 1 is disabled." } ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-0484", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-0141-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-1433", - "title": "Reporting cyber security incidents", + "id": "control-0485", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1433-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." + "prose": "Public key-based authentication is used for SSH connections." 
} ] }, { - "id": "control-1434", - "title": "Reporting cyber security incidents", + "id": "control-1449", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1434-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "SSH private keys are protected with a passphrase or a key encryption key." } ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents to the ACSC", + "id": "control-0487", + "title": "Automated remote access", "parts": [ { - "id": "control-0140-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + } + ] + }, + { + "id": "control-0488", + "title": "Automated remote access", + "parts": [ + { + "id": "control-0488-stmt", + "name": "statement", + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + } + ] + }, + { + "id": "control-0489", + "title": "SSH-agent", + "parts": [ + { + "id": "control-0489-stmt", + "name": "statement", + "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." 
} ] } ] }, { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", "controls": [ { - "id": "control-0125", - "title": "Cyber security incident register", + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0125-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." + "prose": "Only AACAs are used by cryptographic equipment and software." } ] }, { - "id": "control-0133", - "title": "Handling and containing data spills", + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", "parts": [ { - "id": "control-0133-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." 
} ] }, { - "id": "control-0917", - "title": "Handling and containing malicious code infections", + "id": "control-0472", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-0917-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used." } ] }, { - "id": "control-0137", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-1629", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-0137-stmt", + "id": "control-1629-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3." } ] }, { - "id": "control-1609", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-1609-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "When using DSA for digital signatures, a modulus of at least 2048 bits is used." 
} ] }, { - "id": "control-1213", - "title": "Post-incident analysis", + "id": "control-1630", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-1213-stmt", + "id": "control-1630-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + "prose": "When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4." } ] }, { - "id": "control-0138", - "title": "Integrity of evidence", + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", "parts": [ { - "id": "control-0138-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." } ] - } - ] - }, - { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", - "controls": [ + }, { - "id": "control-0576", - "title": "Intrusion detection and prevention policy", + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", "parts": [ { - "id": "control-0576-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used." 
} ] }, { - "id": "control-1625", - "title": "Trusted insider program", + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", "parts": [ { - "id": "control-1625-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "A trusted insider program is developed and implemented." + "prose": "When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used." } ] }, { - "id": "control-1626", - "title": "Trusted insider program", + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-1626-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used." } ] }, { - "id": "control-0120", - "title": "Access to sufficient data sources and tools", + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0120-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ - { - "id": "mobile_device_usage", - "title": "Mobile device usage", - "controls": [ + }, { - "id": "control-1082", - "title": "Mobile device usage policy", + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", "parts": [ { - "id": "control-1082-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." } ] }, { - "id": "control-1083", - "title": "Personnel awareness", + "id": "control-0480", + "title": "Using the Triple Data Encryption Standard", "parts": [ { - "id": "control-1083-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "3DES is used with three distinct keys." } ] }, { - "id": "control-0240", - "title": "Paging and message services", + "id": "control-1232", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "AACAs are used in an evaluated implementation." 
} ] }, { - "id": "control-0866", - "title": "Using mobile devices in public spaces", + "id": "control-1468", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0866-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." } ] - }, + } + ] + }, + { + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", + "controls": [ { - "id": "control-1145", - "title": "Using mobile devices in public spaces", + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-1145-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." + "prose": "Versions of S/MIME earlier than 3.0 are not used." } ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-0871", - "title": "Maintaining control of mobile devices", + "id": "control-1139", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0871-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "Only the latest version of TLS is used." } ] }, { - "id": "control-0870", - "title": "Maintaining control of mobile devices", + "id": "control-1369", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0870-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." 
+ "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-1084", - "title": "Carrying mobile devices", + "id": "control-1370", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1084-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "Only server-initiated secure renegotiation is used." } ] }, { - "id": "control-0701", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1372", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0701-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "DH or ECDH is used for key establishment." } ] }, { - "id": "control-0702", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1448", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0702-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." 
} ] }, { - "id": "control-1298", - "title": "Before travelling overseas with mobile devices", + "id": "control-1373", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1298-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-1554", - "title": "Before travelling overseas with mobile devices", + "id": "control-1374", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1554-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "SHA-2-based certificates are used." } ] }, { - "id": "control-1555", - "title": "Before travelling overseas with mobile devices", + "id": "control-1375", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1555-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." 
+ "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." } ] }, { - "id": "control-1299", - "title": "While travelling overseas with mobile devices", + "id": "control-1553", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1299-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "TLS compression is disabled." 
} ] }, { - "id": "control-1088", - "title": "While travelling overseas with mobile devices", + "id": "control-1453", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1088-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." + "prose": "PFS is used for TLS connections." } ] - }, + } + ] + }, + { + "id": "cryptographic_system_management", + "title": "Cryptographic system management", + "controls": [ { - "id": "control-1300", - "title": "After travelling overseas with mobile devices", + "id": "control-0501", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1300-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." 
} ] }, { - "id": "control-1556", - "title": "After travelling overseas with mobile devices", + "id": "control-0142", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1556-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." } ] - } - ] - }, - { - "id": "mobile_device_management", - "title": "Mobile device management", - "controls": [ + }, { - "id": "control-1533", - "title": "Mobile device management policy", + "id": "control-1091", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1533-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "Keying material is changed when compromised or suspected of being compromised." } ] }, { - "id": "control-1195", - "title": "Mobile device management policy", + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", "parts": [ { - "id": "control-1195-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." 
} ] }, { - "id": "control-0687", - "title": "Mobile device management policy", + "id": "control-0505", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-0687-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." } ] }, { - "id": "control-1400", - "title": "Privately-owned mobile devices", + "id": "control-0506", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1400-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." } ] - }, + } + ] + }, + { + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", + "controls": [ { - "id": "control-0694", - "title": "Privately-owned mobile devices", + "id": "control-1161", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-0694-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems or information." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." 
} ] }, { - "id": "control-1297", - "title": "Seeking legal advice for privately-owned mobile devices", + "id": "control-0457", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1297-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." + "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] }, { - "id": "control-1482", - "title": "Organisation-owned mobile devices", + "id": "control-0460", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1482-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-0869", - "title": "Mobile device storage encryption", + "id": "control-0459", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0869-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." 
} ] }, { - "id": "control-1085", - "title": "Mobile device communications encryption", + "id": "control-0461", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-1085-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-1202", - "title": "Mobile device Bluetooth functionality", + "id": "control-1080", + "title": "Encrypting particularly important information at rest", "parts": [ { - "id": "control-1202-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." } ] }, { - "id": "control-0682", - "title": "Mobile device Bluetooth functionality", + "id": "control-0455", + "title": "Data recovery", "parts": [ { - "id": "control-0682-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." 
} ] }, { - "id": "control-1196", - "title": "Mobile device Bluetooth pairing", + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", "parts": [ { - "id": "control-1196-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] }, { - "id": "control-1200", - "title": "Mobile device Bluetooth pairing", + "id": "control-1162", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1200-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1198", - "title": "Mobile device Bluetooth pairing", + "id": "control-0465", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1198-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." 
} ] }, { - "id": "control-1199", - "title": "Mobile device Bluetooth pairing", + "id": "control-0467", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1199-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." + "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0863", - "title": "Configuration control", + "id": "control-0469", + "title": "Encrypting particularly important information in transit", "parts": [ { - "id": "control-0863-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ { - "id": "control-0864", - "title": "Configuration control", + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-0864-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "Only AACPs are used by cryptographic equipment and software." 
} ] - }, + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ { - "id": "control-1365", - "title": "Maintaining mobile device security", + "id": "control-0494", + "title": "Mode of operation", "parts": [ { - "id": "control-1365-stmt", + "id": "control-0494-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." } ] }, { - "id": "control-1366", - "title": "Maintaining mobile device security", + "id": "control-0496", + "title": "Protocol selection", "parts": [ { - "id": "control-1366-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "The ESP protocol is used for IPsec connections." } ] }, { - "id": "control-0874", - "title": "Connecting mobile devices to the internet", + "id": "control-1233", + "title": "Key exchange", "parts": [ { - "id": "control-0874-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-0705", - "title": "Connecting mobile devices to the internet", + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", "parts": [ { - "id": "control-0705-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", - "groups": [ - { - "id": "cable_labelling_and_registration", - "title": "Cable labelling and registration", - "controls": [ + }, { - "id": "control-0201", - "title": "Conduit label specifications", + "id": "control-0498", + "title": "Security association lifetimes", "parts": [ { - "id": "control-0201-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." } ] }, { - "id": "control-0202", - "title": "Conduit label specifications", + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", "parts": [ { - "id": "control-0202-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-0203", - "title": "Conduit label specifications", + "id": "control-0999", + "title": "Diffie-Hellman groups", "parts": [ { - "id": "control-0203-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." 
} ] }, { - "id": "control-0204", - "title": "Installing conduit labelling", + "id": "control-1000", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-0204-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." + "prose": "PFS is used for IPsec connections." } ] }, { - "id": "control-1095", - "title": "Labelling wall outlet boxes", + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", "parts": [ { - "id": "control-1095-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", + "groups": [ + { + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", + "controls": [ { - "id": "control-1096", - "title": "Labelling cables", + "id": "control-0252", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1096-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." + "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." 
} ] }, { - "id": "control-0206", - "title": "Cable labelling process and procedures", + "id": "control-1565", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-0206-stmt", + "id": "control-1565-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." + "prose": "Tailored privileged user training is undertaken annually by all privileged users." } ] }, { - "id": "control-0211", - "title": "Cable register", + "id": "control-0817", + "title": "Reporting suspicious contact via online services", "parts": [ { - "id": "control-0211-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "A cable register is maintained and regularly audited." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, { - "id": "control-0208", - "title": "Cable register", + "id": "control-0820", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0208-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "Cable registers contain the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." } ] - } - ] - }, - { - "id": "cable_patching", - "title": "Cable patching", - "controls": [ + }, { - "id": "control-0213", - "title": "Terminations to patch panels", + "id": "control-1146", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0213-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "Only approved cable groups terminate on a patch panel." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." 
} ] }, { - "id": "control-1093", - "title": "Patch cable and fly lead connectors", + "id": "control-0821", + "title": "Posting personal information to online services", "parts": [ { - "id": "control-1093-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." + "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." } ] }, { - "id": "control-0214", - "title": "Patch cable and fly lead connectors", + "id": "control-0824", + "title": "Sending and receiving files via online services", "parts": [ { - "id": "control-0214-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." } ] - }, + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ { - "id": "control-1094", - "title": "Patch cable and fly lead connectors", + "id": "control-0432", + "title": "System access requirements", "parts": [ { - "id": "control-1094-stmt", + "id": "control-0432-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." + "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." 
} ] }, { - "id": "control-0216", - "title": "Physical separation of patch panels", + "id": "control-0434", + "title": "System access requirements", "parts": [ { - "id": "control-0216-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." } ] }, { - "id": "control-0217", - "title": "Physical separation of patch panels", + "id": "control-0435", + "title": "System access requirements", "parts": [ { - "id": "control-0217-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] }, { - "id": "control-0218", - "title": "Fly lead installation", + "id": "control-0414", + "title": "User identification", "parts": [ { - "id": "control-0218-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." 
} ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ + }, { - "id": "control-0247", - "title": "Emanation security threat assessments in Australia", + "id": "control-0415", + "title": "User identification", "parts": [ { - "id": "control-0247-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-0248", - "title": "Emanation security threat assessments in Australia", + "id": "control-1583", + "title": "User identification", "parts": [ { - "id": "control-0248-stmt", + "id": "control-1583-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Personnel who are contractors are identified as such." } ] }, { - "id": "control-1137", - "title": "Emanation security threat assessments in Australia", + "id": "control-0975", + "title": "User identification", "parts": [ { - "id": "control-1137-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
+ "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0932", - "title": "Emanation security threat assessments outside Australia", + "id": "control-0420", + "title": "User identification", "parts": [ { - "id": "control-0932-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0249", - "title": "Emanation security threat assessments outside Australia", + "id": "control-0405", + "title": "Standard access to systems", "parts": [ { - "id": "control-0249-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-0246", - "title": "Early identification of emanation security issues", + "id": "control-1503", + "title": "Standard access to systems", "parts": [ { - "id": "control-0246-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." 
} ] }, { - "id": "control-0250", - "title": "Industry and government standards", + "id": "control-1566", + "title": "Standard access to systems", "parts": [ { - "id": "control-0250-stmt", + "id": "control-1566-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." } ] - } - ] - }, - { - "id": "cable_management", - "title": "Cable management", - "controls": [ + }, { - "id": "control-0181", - "title": "Cable standards", + "id": "control-0409", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0181-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-0926", - "title": "Cable colours", + "id": "control-0411", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0926-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." 
} ] }, { - "id": "control-0825", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-1507", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0825-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-0826", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-1508", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0826-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-1215", - "title": "Cable colour non-conformance", + "id": "control-0445", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1215-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." 
} ] }, { - "id": "control-1216", - "title": "Cable colour non-conformance", + "id": "control-1509", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1216-stmt", + "id": "control-1509-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-1112", - "title": "Inspecting cables", + "id": "control-1175", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1112-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." } ] }, { - "id": "control-1118", - "title": "Inspecting cables", + "id": "control-0448", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1118-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." } ] }, { - "id": "control-1119", - "title": "Inspecting cables", + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1119-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." 
+ "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." } ] }, { - "id": "control-1126", - "title": "Inspecting cables", + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1126-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." } ] }, { - "id": "control-0184", - "title": "Inspecting cables", + "id": "control-0430", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-0184-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." } ] }, { - "id": "control-0187", - "title": "Cable groupings", + "id": "control-1591", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-0187-stmt", + "id": "control-1591-stmt", "name": "statement", - "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." + "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." 
} ] }, { - "id": "control-1111", - "title": "Use of fibre-optic cables", + "id": "control-1404", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1111-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." } ] }, { - "id": "control-0189", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", "parts": [ { - "id": "control-0189-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." + "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." } ] }, { - "id": "control-0190", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-0441", + "title": "Temporary access to systems", "parts": [ { - "id": "control-0190-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." 
} ] }, { - "id": "control-1114", - "title": "Cables sharing a common reticulation system", + "id": "control-0443", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1114-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." } ] }, { - "id": "control-1130", - "title": "Enclosed cable reticulation systems", + "id": "control-1610", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1130-stmt", + "id": "control-1610-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1164", - "title": "Covers for enclosed cable reticulation systems", + "id": "control-1611", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1164-stmt", + "id": "control-1611-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Break glass accounts are only used when normal authentication processes cannot be used." 
} ] }, { - "id": "control-0195", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1612", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0195-stmt", + "id": "control-1612-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." + "prose": "Break glass accounts are only used for specific authorised activities." } ] }, { - "id": "control-0194", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1613", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0194-stmt", + "id": "control-1613-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." } ] }, { - "id": "control-1102", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1614", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1102-stmt", + "id": "control-1614-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." } ] }, { - "id": "control-1101", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1615", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1101-stmt", + "id": "control-1615-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." 
+ "prose": "Break glass accounts are tested after credentials are changed." } ] }, { - "id": "control-1103", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-0078", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1103-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." } ] }, { - "id": "control-1098", - "title": "Terminating cables in cabinets", + "id": "control-0854", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1098-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." + "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems", + "title": "Guidelines for Database Systems", + "groups": [ + { + "id": "database_servers", + "title": "Database servers", + "controls": [ { - "id": "control-1100", - "title": "Terminating cables in cabinets", + "id": "control-1425", + "title": "Protecting database server contents", "parts": [ { - "id": "control-1100-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." + "prose": "Hard disks of database servers are encrypted using full disk encryption." 
} ] }, { - "id": "control-1116", - "title": "Cabinet separation", + "id": "control-1269", + "title": "Functional separation between database servers and web servers", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-1115", - "title": "Cables in walls", + "id": "control-1277", + "title": "Communications between database servers and web servers", "parts": [ { - "id": "control-1115-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Information communicated between database servers and web applications is encrypted." } ] }, { - "id": "control-1133", - "title": "Cables in party walls", + "id": "control-1270", + "title": "Network environment", "parts": [ { - "id": "control-1133-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in a party wall." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-1122", - "title": "Wall penetrations", + "id": "control-1271", + "title": "Network environment", "parts": [ { - "id": "control-1122-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." 
} ] }, { - "id": "control-1134", - "title": "Wall penetrations", + "id": "control-1272", + "title": "Network environment", "parts": [ { - "id": "control-1134-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." } ] }, { - "id": "control-1104", - "title": "Wall outlet boxes", + "id": "control-1273", + "title": "Separation of production, test and development database servers", "parts": [ { - "id": "control-1104-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." + "prose": "Test and development environments do not use the same database servers as production environments." } ] - }, + } + ] + }, + { + "id": "databases", + "title": "Databases", + "controls": [ { - "id": "control-1105", - "title": "Wall outlet boxes", + "id": "control-1243", + "title": "Database register", "parts": [ { - "id": "control-1105-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." + "prose": "A database register is maintained and regularly audited." } ] }, { - "id": "control-1106", - "title": "Wall outlet boxes", + "id": "control-1256", + "title": "Protecting database contents", "parts": [ { - "id": "control-1106-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." 
+ "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-1107", - "title": "Wall outlet box colours", + "id": "control-1252", + "title": "Protecting authentication credentials in databases", "parts": [ { - "id": "control-1107-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1109", - "title": "Wall outlet box covers", + "id": "control-0393", + "title": "Protecting database contents", "parts": [ { - "id": "control-1109-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." } ] }, { - "id": "control-0198", - "title": "Audio secure spaces", + "id": "control-1255", + "title": "Protecting database contents", "parts": [ { - "id": "control-0198-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." } ] }, { - "id": "control-1123", - "title": "Power reticulation", + "id": "control-1268", + "title": "Protecting database contents", "parts": [ { - "id": "control-1123-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
+ "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." } ] }, { - "id": "control-1135", - "title": "Power reticulation", + "id": "control-1258", + "title": "Aggregation of database contents", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment", - "title": "Guidelines for ICT Equipment", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1274", + "title": "Separation of production, test and development databases", "parts": [ { - "id": "control-0313-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." 
} ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1275", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1550-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." } ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1276", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-0311-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." } ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1278", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1217-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." 
} ] - }, + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1245", + "title": "Temporary installation files and logs", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-0315", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1246", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0315-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "When disposing of high assurance ICT equipment, it is destroyed prior to its disposal." + "prose": "DBMS software is configured according to vendor guidance." } ] }, { - "id": "control-0321", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1247", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0321-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "When disposing of ICT equipment that has been designed or modified to meet TEMPEST standards, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." 
} ] }, { - "id": "control-1218", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1249", + "title": "Restricting privileges", "parts": [ { - "id": "control-1218-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] }, { - "id": "control-0312", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1250", + "title": "Restricting privileges", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." } ] }, { - "id": "control-0317", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1251", + "title": "Restricting privileges", "parts": [ { - "id": "control-0317-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "The ability of DBMS software to read local files from a server is disabled." 
} ] }, { - "id": "control-1219", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1260", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-1220", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1262", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1220-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-1221", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1261", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1221-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Database administrator accounts are not shared across different databases." } ] }, { - "id": "control-0318", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1263", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0318-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." 
+ "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-1534", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1264", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1534-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateways", + "title": "Guidelines for Gateways", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-1076", - "title": "Sanitising televisions and computer monitors", + "id": "control-1528", + "title": "Using firewalls", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1222", - "title": "Sanitising televisions and computer monitors", + "id": "control-0639", + "title": "Using firewalls", "parts": [ { - "id": "control-1222-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "An evaluated firewall is used between networks belonging to different security domains." 
} ] }, { - "id": "control-1223", - "title": "Sanitising network devices", + "id": "control-1194", + "title": "Using firewalls", "parts": [ { - "id": "control-1223-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." } ] }, { - "id": "control-1225", - "title": "Sanitising fax machines", + "id": "control-0641", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1225-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." } ] }, { - "id": "control-1226", - "title": "Sanitising fax machines", + "id": "control-0642", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1226-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." 
} ] } ] }, { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", + "id": "diodes", + "title": "Diodes", "controls": [ { - "id": "control-1079", - "title": "Maintenance and repairs of high assurance ICT equipment", + "id": "control-0643", + "title": "Using diodes", "parts": [ { - "id": "control-1079-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0305", - "title": "On-site maintenance and repairs", + "id": "control-0645", + "title": "Using diodes", "parts": [ { - "id": "control-0305-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." } ] }, { - "id": "control-0307", - "title": "On-site maintenance and repairs", + "id": "control-1157", + "title": "Using diodes", "parts": [ { - "id": "control-0307-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." 
} ] }, { - "id": "control-0306", - "title": "On-site maintenance and repairs", + "id": "control-1158", + "title": "Using diodes", "parts": [ { - "id": "control-0306-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." } ] }, { - "id": "control-0310", - "title": "Off-site maintenance and repairs", + "id": "control-0646", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0310-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-0944", - "title": "Maintenance and repair of ICT equipment from secured spaces", + "id": "control-0647", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0944-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." 
+ "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-1598", - "title": "Inspection of ICT equipment following maintenance and repairs", + "id": "control-0648", + "title": "Volume checking", "parts": [ { - "id": "control-1598-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." } ] } ] }, { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", + "id": "content_filtering", + "title": "Content filtering", "controls": [ { - "id": "control-1551", - "title": "ICT equipment management policy", + "id": "control-0659", + "title": "Content filtering", "parts": [ { - "id": "control-1551-stmt", + "id": "control-0659-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." } ] }, { - "id": "control-0293", - "title": "Classifying ICT equipment", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-0293-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." 
} ] }, { - "id": "control-0294", - "title": "Labelling ICT equipment", + "id": "control-0651", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0294-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." } ] }, { - "id": "control-0296", - "title": "Labelling high assurance ICT equipment", + "id": "control-0652", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0296-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." } ] }, { - "id": "control-1599", - "title": "Handling ICT equipment", + "id": "control-1389", + "title": "Automated dynamic analysis", "parts": [ { - "id": "control-1599-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0336", - "title": "ICT equipment and media register", + "id": "control-1284", + "title": "Content validation", "parts": [ { - "id": "control-0336-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." } ] }, { - "id": "control-0159", - "title": "ICT equipment and media register", + "id": "control-1286", + "title": "Content conversion and transformation", "parts": [ { - "id": "control-0159-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." } ] }, { - "id": "control-0161", - "title": "Securing ICT equipment and media", + "id": "control-1287", + "title": "Content sanitisation", "parts": [ { - "id": "control-0161-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." 
} ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Radio Frequency devices", + "id": "control-1288", + "title": "Antivirus scanning", "parts": [ { - "id": "control-1543-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] }, { - "id": "control-0225", - "title": "Radio Frequency devices", + "id": "control-1289", + "title": "Archive and container files", "parts": [ { - "id": "control-0225-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-0829", - "title": "Radio Frequency devices", + "id": "control-1290", + "title": "Archive and container files", "parts": [ { - "id": "control-0829-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-1058", - "title": "Bluetooth and wireless keyboards", + "id": "control-1291", + "title": "Archive and container files", "parts": [ { - "id": "control-1058-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." 
} ] }, { - "id": "control-0222", - "title": "Infrared keyboards", + "id": "control-0649", + "title": "Allowing access to specific content types", "parts": [ { - "id": "control-0222-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-0223", - "title": "Infrared keyboards", + "id": "control-1292", + "title": "Data integrity", "parts": [ { - "id": "control-0223-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." } ] }, { - "id": "control-0224", - "title": "Infrared keyboards", + "id": "control-0677", + "title": "Data integrity", "parts": [ { - "id": "control-0224-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "If data is signed, the signature is validated before the data is exported." 
} ] }, { - "id": "control-0221", - "title": "Wireless RF pointing devices", + "id": "control-1293", + "title": "Encrypted data", "parts": [ { - "id": "control-0221-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] } ] }, { - "id": "facilities_and_systems", - "title": "Facilities and systems", + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", "controls": [ { - "id": "control-0810", - "title": "Facilities containing systems", + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", "parts": [ { - "id": "control-0810-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-1053", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-1053-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." 
} ] }, { - "id": "control-1530", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-1530-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0813", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0635", + "title": "Separation of data flows", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-1074", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1521", + "title": "Separation of data flows", "parts": [ { - "id": "control-1074-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." 
} ] }, { - "id": "control-0157", - "title": "Network infrastructure", + "id": "control-1522", + "title": "Separation of data flows", "parts": [ { - "id": "control-0157-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." } ] }, { - "id": "control-1296", - "title": "Controlling physical access to network devices", + "id": "control-0670", + "title": "Event logging", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." } ] }, { - "id": "control-0164", - "title": "Preventing observation by unauthorised people", + "id": "control-1523", + "title": "Event logging", "parts": [ { - "id": "control-0164-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_data_transfers", - "title": "Guidelines for Data Transfers", - "groups": [ + }, + { + "id": "control-0610", + "title": "User training", + "parts": [ + { + "id": "control-0610-stmt", + "name": "statement", + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + } + ] + } + ] + }, { - "id": "data_transfers", - "title": "Data transfers", + "id": "web_proxies", + "title": "Web proxies", "controls": [ { - "id": "control-0663", - "title": "Data transfer process and procedures", + "id": "control-0258", + "title": "Web usage policy", "parts": [ { - "id": "control-0663-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + "prose": "A web usage policy is developed and implemented." } ] }, { - "id": "control-0661", - "title": "User responsibilities", + "id": "control-0260", + "title": "Using web proxies", "parts": [ { - "id": "control-0661-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-0665", - "title": "Trusted sources", + "id": "control-0261", + "title": "Web proxy authentication and logging", "parts": [ { - "id": "control-0665-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." 
} ] - }, + } + ] + }, + { + "id": "web_content_filters", + "title": "Web content filters", + "controls": [ { - "id": "control-0664", - "title": "Data transfer approval", + "id": "control-0963", + "title": "Using web content filters", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "A web content filter is used to filter potentially harmful web-based content." } ] }, { - "id": "control-0675", - "title": "Data transfer approval", + "id": "control-0961", + "title": "Using web content filters", "parts": [ { - "id": "control-0675-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "A trusted source signs all data authorised for export from a system." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." } ] }, { - "id": "control-0657", - "title": "Import of data", + "id": "control-1237", + "title": "Using web content filters", "parts": [ { - "id": "control-0657-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] }, { - "id": "control-0658", - "title": "Import of data", + "id": "control-0263", + "title": "Transport Layer Security filtering", "parts": [ { - "id": "control-0658-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." 
+ "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." } ] }, { - "id": "control-1187", - "title": "Export of data", + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", "parts": [ { - "id": "control-1187-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] }, { - "id": "control-0669", - "title": "Export of data", + "id": "control-0958", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0669-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-1535", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-1170", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-1535-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." 
+ "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." } ] }, { - "id": "control-0678", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0959", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0678-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." } ] }, { - "id": "control-1586", - "title": "Monitoring data import and export", + "id": "control-0960", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1586-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "Data transfer logs are used to record all data imports and exports from systems." + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." } ] }, { - "id": "control-1294", - "title": "Monitoring data import and export", + "id": "control-1171", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1294-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "Data transfer logs are partially audited at least monthly." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0660", - "title": "Monitoring data import and export", + "id": "control-1236", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0660-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "Data transfer logs are fully audited at least monthly." 
+ "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." } ] } ] - } - ] - }, - { - "id": "guidelines_for_media", - "title": "Guidelines for Media", - "groups": [ + }, { - "id": "media_destruction", - "title": "Media destruction", + "id": "peripheral_switches", + "title": "Peripheral switches", "controls": [ { - "id": "control-0363", - "title": "Media destruction process and procedures", + "id": "control-0591", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0363-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-0350", - "title": "Media that cannot be sanitised", + "id": "control-1480", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0350-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." + "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-1361", - "title": "Media destruction equipment", + "id": "control-1457", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1361-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." 
} ] }, { - "id": "control-1160", - "title": "Media destruction equipment", + "id": "control-0593", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1160-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-1517", - "title": "Media destruction methods", + "id": "control-0594", + "title": "Peripheral switches for particularly important systems", "parts": [ { - "id": "control-1517-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." } ] - }, + } + ] + }, + { + "id": "gateways", + "title": "Gateways", + "controls": [ { - "id": "control-0366", - "title": "Media destruction methods", + "id": "control-0628", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "All systems are protected from systems in other security domains by one or more gateways." 
} ] }, { - "id": "control-0368", - "title": "Treatment of media waste particles", + "id": "control-1192", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0368-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] }, { - "id": "control-0361", - "title": "Degaussing magnetic media", + "id": "control-0631", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0361-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." } ] }, { - "id": "control-0838", - "title": "Degaussing magnetic media", + "id": "control-1427", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0838-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." 
+ "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." } ] }, { - "id": "control-0362", - "title": "Degaussing magnetic media", + "id": "control-0634", + "title": "Gateway operation", "parts": [ { - "id": "control-0362-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." } ] }, { - "id": "control-0370", - "title": "Supervision of destruction", + "id": "control-0637", + "title": "Demilitarised zones", "parts": [ { - "id": "control-0370-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-0371", - "title": "Supervision of destruction", + "id": "control-1037", + "title": "Gateway testing", "parts": [ { - "id": "control-0371-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." 
+ "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-0372", - "title": "Supervision of accountable material destruction", + "id": "control-0611", + "title": "Gateway administration", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." } ] }, - { - "id": "control-0373", - "title": "Supervision of accountable material destruction", + { + "id": "control-0612", + "title": "Gateway administration", "parts": [ { - "id": "control-0373-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "System administrators are formally trained to manage gateways." } ] }, { - "id": "control-0840", - "title": "Outsourcing media destruction", + "id": "control-1520", + "title": "Gateway administration", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." 
} ] }, { - "id": "control-0839", - "title": "Outsourcing media destruction", + "id": "control-0613", + "title": "Gateway administration", "parts": [ { - "id": "control-0839-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." } ] - } - ] - }, - { - "id": "media_usage", - "title": "Media usage", - "controls": [ + }, { - "id": "control-1549", - "title": "Media management policy", + "id": "control-0616", + "title": "Gateway administration", "parts": [ { - "id": "control-1549-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Roles for the administration of gateways are separated." } ] }, { - "id": "control-1359", - "title": "Removable media usage policy", + "id": "control-0629", + "title": "Gateway administration", "parts": [ { - "id": "control-1359-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-0323", - "title": "Classifying media storing information", + "id": "control-0607", + "title": "Shared ownership of gateways", "parts": [ { - "id": "control-0323-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." 
} ] }, { - "id": "control-0325", - "title": "Classifying media connected to systems", + "id": "control-0619", + "title": "Gateway authentication", "parts": [ { - "id": "control-0325-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." + "prose": "Users and services accessing networks through gateways are authenticated." } ] }, { - "id": "control-0331", - "title": "Reclassifying media", + "id": "control-0620", + "title": "Gateway authentication", "parts": [ { - "id": "control-0331-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-0330", - "title": "Reclassifying media", + "id": "control-1039", + "title": "Gateway authentication", "parts": [ { - "id": "control-0330-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." + "prose": "Multi-factor authentication is used for access to gateways." 
} ] }, { - "id": "control-0332", - "title": "Labelling media", + "id": "control-0622", + "title": "ICT equipment authentication", "parts": [ { - "id": "control-0332-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "ICT equipment accessing networks through gateways is authenticated." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", + "groups": [ + { + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", + "controls": [ { - "id": "control-1600", - "title": "Connecting media to systems", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", "parts": [ { - "id": "control-1600-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "Media is sanitised before it is used with systems for the first time." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-0337", - "title": "Connecting media to systems", + "id": "control-0546", + "title": "Video and voice-aware firewalls", "parts": [ { - "id": "control-0337-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." 
} ] }, { - "id": "control-0341", - "title": "Connecting media to systems", + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." + "prose": "Video conferencing and IP telephony signalling and data is encrypted." } ] }, { - "id": "control-0342", - "title": "Connecting media to systems", + "id": "control-0548", + "title": "Establishment of secure signalling and data protocols", "parts": [ { - "id": "control-0342-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-0343", - "title": "Connecting media to systems", + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0343-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-0831", - "title": "Handling media", + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
+ "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." } ] }, { - "id": "control-1059", - "title": "Handling media", + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1059-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-0347", - "title": "Using media for data transfers", + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0347-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." } ] }, { - "id": "control-0947", - "title": "Using media for data transfers", + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0947-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." + "prose": "Individual logins are used for IP phones." 
} ] - } - ] - }, - { - "id": "media_disposal", - "title": "Media disposal", - "controls": [ + }, { - "id": "control-0374", - "title": "Media disposal process and procedures", + "id": "control-0549", + "title": "Traffic separation", "parts": [ { - "id": "control-0374-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." } ] }, { - "id": "control-0375", - "title": "Media disposal process and procedures", + "id": "control-0556", + "title": "Traffic separation", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-0378", - "title": "Media disposal process and procedures", + "id": "control-1015", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0378-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "Traditional analog phones are used in public areas." 
} ] - } - ] - }, - { - "id": "media_sanitisation", - "title": "Media sanitisation", - "controls": [ + }, { - "id": "control-0348", - "title": "Media sanitisation process and procedures", + "id": "control-0558", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] }, { - "id": "control-0351", - "title": "Volatile media sanitisation", + "id": "control-0559", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." } ] }, { - "id": "control-0352", - "title": "Volatile media sanitisation", + "id": "control-1450", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0352-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." 
} ] }, { - "id": "control-0835", - "title": "Treatment of volatile media following sanitisation", + "id": "control-1019", + "title": "Developing a denial of service response plan", "parts": [ { - "id": "control-0835-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." } ] - }, - { - "id": "control-1065", - "title": "Non-volatile magnetic media sanitisation", + } + ] + }, + { + "id": "telephone_systems", + "title": "Telephone systems", + "controls": [ + { + "id": "control-1078", + "title": "Telephone systems usage policy", "parts": [ { - "id": "control-1065-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-0354", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0229", + "title": "Personnel awareness", "parts": [ { - "id": "control-0354-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." 
+ "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-1067", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0230", + "title": "Personnel awareness", "parts": [ { - "id": "control-1067-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." } ] }, { - "id": "control-0356", - "title": "Treatment of non-volatile magnetic media following sanitisation", + "id": "control-0231", + "title": "Visual indication", "parts": [ { - "id": "control-0356-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-0357", - "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "id": "control-0232", + "title": "Protecting conversations", "parts": [ { - "id": "control-0357-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." 
+ "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0836", - "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "id": "control-0233", + "title": "Cordless telephone systems", "parts": [ { - "id": "control-0836-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." } ] }, { - "id": "control-0358", - "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "id": "control-0235", + "title": "Speakerphones", "parts": [ { - "id": "control-0358-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." + "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-0359", - "title": "Non-volatile flash memory media sanitisation", + "id": "control-0236", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0359-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." 
} ] }, { - "id": "control-0360", - "title": "Treatment of non-volatile flash memory media following sanitisation", + "id": "control-0931", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0360-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "In SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of SECRET information." } ] }, { - "id": "control-1464", - "title": "Encrypted media sanitisation", + "id": "control-0237", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-1464-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + "prose": "In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." } ] } ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ + }, { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", "controls": [ { - "id": "control-0714", - "title": "Providing cyber security leadership and guidance", + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", "parts": [ { - "id": "control-0714-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." + "prose": "A fax machine and MFD usage policy is developed and implemented." 
} ] }, { - "id": "control-1478", - "title": "Overseeing the cyber security program", + "id": "control-1092", + "title": "Sending fax messages", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." } ] }, { - "id": "control-1617", - "title": "Overseeing the cyber security program", + "id": "control-0241", + "title": "Sending fax messages", "parts": [ { - "id": "control-1617-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." } ] }, { - "id": "control-0724", - "title": "Overseeing the cyber security program", + "id": "control-1075", + "title": "Receiving fax messages", "parts": [ { - "id": "control-0724-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." 
} ] }, { - "id": "control-0725", - "title": "Coordinating cyber security", + "id": "control-0590", + "title": "Connecting multifunction devices to networks", "parts": [ { - "id": "control-0725-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." } ] }, { - "id": "control-0726", - "title": "Coordinating cyber security", + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", "parts": [ { - "id": "control-0726-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "The CISO coordinates security risk management activities between cyber security and business teams." + "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] }, { - "id": "control-0718", - "title": "Reporting on cyber security", + "id": "control-0589", + "title": "Copying documents on multifunction devices", "parts": [ { - "id": "control-0718-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." 
} ] }, { - "id": "control-0733", - "title": "Overseeing incident response activities", + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", "parts": [ { - "id": "control-0733-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "The CISO is fully aware of all cyber security incidents within their organisation." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ { - "id": "control-1618", - "title": "Overseeing incident response activities", + "id": "control-1510", + "title": "Digital preservation policy", "parts": [ { - "id": "control-1618-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s response to cyber security incidents." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-0734", - "title": "Contributing to business continuity and disaster recovery planning", + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0734-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." 
} ] }, { - "id": "control-0720", - "title": "Developing a cyber security communications strategy", + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0720-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." } ] }, { - "id": "control-0731", - "title": "Working with suppliers and service providers", + "id": "control-1511", + "title": "Performing backups", "parts": [ { - "id": "control-0731-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] }, { - "id": "control-0732", - "title": "Receiving and managing a dedicated cyber security budget", + "id": "control-1512", + "title": "Backup storage", "parts": [ { - "id": "control-0732-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." } ] }, { - "id": "control-0717", - "title": "Overseeing cyber security personnel", + "id": "control-1513", + "title": "Backup storage", "parts": [ { - "id": "control-0717-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "The CISO oversees the management of cyber security personnel within their organisation." + "prose": "Backups are stored at a multiple geographically-dispersed locations." 
} ] }, { - "id": "control-0735", - "title": "Overseeing cyber security awareness raising", - "parts": [ - { - "id": "control-0735-stmt", - "name": "statement", - "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." - } - ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ - { - "id": "control-1071", - "title": "System ownership and oversight", + "id": "control-1514", + "title": "Retention periods for backups", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "Backups are stored for three months or greater." } ] }, { - "id": "control-1525", - "title": "System ownership and oversight", + "id": "control-1515", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "System owners register each system with its authorising officer." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1633", - "title": "Protecting systems and their resources", + "id": "control-1516", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-1633-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." 
} ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-1634", - "title": "Protecting systems and their resources", + "id": "control-1211", + "title": "Change management process and procedures", "parts": [ { - "id": "control-1634-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "System owners select security controls for each system and tailor them to achieve desired security objectives." + "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." } ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-1635", - "title": "Protecting systems and their resources", + "id": "control-0042", + "title": "System administration process and procedures", "parts": [ { - "id": "control-1635-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "System owners implement identified security controls within each system and its operating environment." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." } ] }, { - "id": "control-1636", - "title": "Protecting systems and their resources", + "id": "control-1380", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1636-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "System owners ensure security controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended." 
+ "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] }, { - "id": "control-0027", - "title": "Protecting systems and their resources", + "id": "control-1382", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation." + "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." } ] }, { - "id": "control-1526", - "title": "Protecting systems and their resources", + "id": "control-1381", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1526-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." } ] }, { - "id": "control-1587", - "title": "Annual reporting of system security status", + "id": "control-1383", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1587-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "System owners report the security status of each system to its authorising officer at least annually." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ - { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", - "controls": [ + }, { - "id": "control-1631", - "title": "Cyber supply chain risk management", + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", "parts": [ { - "id": "control-1631-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are identified and understood." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." } ] }, { - "id": "control-1452", - "title": "Cyber supply chain risk management", + "id": "control-1386", + "title": "Restriction of management traffic flows", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-1567", - "title": "Cyber supply chain risk management", + "id": "control-1387", + "title": "Jump servers", "parts": [ { - "id": "control-1567-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "Suppliers and service providers identified as high risk are not used." + "prose": "All administrative actions are conducted through a jump server." 
} ] }, { - "id": "control-1568", - "title": "Cyber supply chain risk management", + "id": "control-1388", + "title": "Jump servers", "parts": [ { - "id": "control-1568-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." } ] - }, + } + ] + }, + { + "id": "system_patching", + "title": "System patching", + "controls": [ { - "id": "control-1632", - "title": "Cyber supply chain risk management", + "id": "control-1143", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1632-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-1569", - "title": "Cyber supply chain risk management", + "id": "control-1493", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1569-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." 
} ] }, { - "id": "control-0100", - "title": "Outsourced gateway services", + "id": "control-1144", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0100-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." + "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1637", - "title": "Outsourced cloud services", + "id": "control-0940", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1637-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "An outsourced cloud services register is maintained and regularly audited." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1638", - "title": "Outsourced cloud services", + "id": "control-1472", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1638-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "Outsourced cloud services registers contain the following for each outsourced cloud service:\n• cloud service provider’s name\n• cloud service’s name\n• purpose for using the cloud service\n• sensitivity or classification of information involved\n• due date for the next security assessment of the cloud service\n• point of contact for users of the cloud service\n• point of contact for the cloud service provider." 
+ "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1570", - "title": "Outsourced cloud services", + "id": "control-1494", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1570-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1529", - "title": "Outsourced cloud services", + "id": "control-1495", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "Only community or private clouds are used for outsourced cloud services." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1395", - "title": "Contractual security requirements", + "id": "control-1496", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1395-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." 
+ "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0072", - "title": "Contractual security requirements", + "id": "control-0300", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0072-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] }, { - "id": "control-1571", - "title": "Contractual security requirements", + "id": "control-0298", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1571-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-1451", - "title": "Contractual security requirements", + "id": "control-0303", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "Types of information and its ownership is documented in contractual arrangements." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1572", - "title": "Contractual security requirements", + "id": "control-1497", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1572-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1573", - "title": "Contractual security requirements", + "id": "control-1498", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1573-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." } ] }, { - "id": "control-1574", - "title": "Contractual security requirements", + "id": "control-1499", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1574-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1575", - "title": "Contractual security requirements", + "id": "control-1500", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1575-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1073", - "title": "Access to systems and information by service providers", + "id": "control-0304", + "title": "Cessation of support", "parts": [ { - "id": "control-1073-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] }, { - "id": "control-1576", - "title": "Access to systems and information by service providers", + "id": "control-1501", + "title": "Cessation of support", "parts": [ { - "id": "control-1576-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } 
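Review bot: every line of this hunk is a removal or addition even though the control prose on both sides is identical (for example `"prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks."` appears as a `+` line here and as a `-` line in the next file), which means the regenerated catalog only changed the order in which groups such as `guidelines_for_outsourcing`, `change_management`, `system_administration` and `system_patching` are emitted. A whole-file rewrite like this hides any genuine change to a control id, title or statement, so the reviewer cannot confirm from the diff that nothing was dropped. Please make the generator (the `remarks` field names `ISM.py`) emit groups and controls in a deterministic order, ideally the order of the official ISM or sorted by `id`, so that a regeneration with unchanged content produces an empty diff, and for this PR attach a list of control ids present before and after so the reordering can be verified as content-neutral.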
diff --git a/ISM_catalog_profile/catalogs/ISM_January_2021/catalog.json b/ISM_catalog_profile/catalogs/ISM_January_2021/catalog.json index d05e6af..b8692dc 100644 --- a/ISM_catalog_profile/catalogs/ISM_January_2021/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_January_2021/catalog.json 
@@ -1,3352 +1,3238 @@ { "catalog": { - "uuid": "bb04fb56-34cc-4851-acb5-922c9ed74807", + "uuid": "e001c4ba-7fe0-4e16-83ab-6b3ae2325d87", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:20:33.233+00:00", + "last-modified": "2022-04-28T11:44:02.071975+10:00", "version": "January_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration process and procedures", + "id": "control-0580", + "title": "Event logging policy", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "Separate administrator workstations", + "id": "control-1405", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1382", - "title": "Separate administrator workstations", + "id": "control-0988", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1381", - "title": "Separate administrator workstations", + "id": "control-0584", + "title": "Events to be logged", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1383", - "title": "Separate administrator workstations", + "id": "control-0582", + "title": "Events to be logged", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." 
} ] }, { - "id": "control-1385", - "title": "Dedicated administration zones and communication restrictions", + "id": "control-1536", + "title": "Events to be logged", "parts": [ { - "id": "control-1385-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." } ] }, { - "id": "control-1386", - "title": "Restriction of management traffic flows", + "id": "control-1537", + "title": "Events to be logged", "parts": [ { - "id": "control-1386-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." } ] }, { - "id": "control-1387", - "title": "Jump servers", + "id": "control-0585", + "title": "Events log details", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-1388", - "title": "Jump servers", + "id": "control-0586", + "title": "Event log protection", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management process and procedures", + "id": "control-0859", + "title": "Event log retention", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "Patch management process and procedures", + "id": "control-0991", + "title": "Event log retention", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] }, { - "id": "control-1493", - "title": "Patch management process and procedures", + "id": "control-0109", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1493-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1144", - "title": "When to patch security vulnerabilities", + "id": "control-1228", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1144-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_email", + "title": "Guidelines for Email", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ { - "id": "control-0940", - "title": "When to patch security vulnerabilities", + "id": "control-0569", + "title": "Centralised email gateways", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0569-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email is routed through a centralised email gateway." } ] }, { - "id": "control-1472", - "title": "When to patch security vulnerabilities", + "id": "control-0571", + "title": "Centralised email gateways", "parts": [ { - "id": "control-1472-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." } ] }, { - "id": "control-1494", - "title": "When to patch security vulnerabilities", + "id": "control-0570", + "title": "Email gateway maintenance activities", "parts": [ { - "id": "control-1494-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
+ "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." } ] }, { - "id": "control-1495", - "title": "When to patch security vulnerabilities", + "id": "control-0567", + "title": "Open relay email servers", "parts": [ { - "id": "control-1495-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-1496", - "title": "When to patch security vulnerabilities", + "id": "control-0572", + "title": "Email server transport encryption", "parts": [ { - "id": "control-1496-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." } ] }, { - "id": "control-0300", - "title": "When to patch security vulnerabilities", + "id": "control-1589", + "title": "Email server transport encryption", "parts": [ { - "id": "control-0300-stmt", + "id": "control-1589-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." 
} ] }, { - "id": "control-0298", - "title": "How to patch security vulnerabilities", + "id": "control-0574", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." } ] }, { - "id": "control-0303", - "title": "How to patch security vulnerabilities", + "id": "control-1183", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0303-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "A hard fail SPF record is used when specifying email servers." } ] }, { - "id": "control-1497", - "title": "How to patch security vulnerabilities", + "id": "control-1151", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1497-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "SPF is used to verify the authenticity of incoming emails." } ] }, { - "id": "control-1498", - "title": "How to patch security vulnerabilities", + "id": "control-1152", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1498-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
} ] }, { - "id": "control-1499", - "title": "How to patch security vulnerabilities", + "id": "control-0861", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-1500", - "title": "How to patch security vulnerabilities", + "id": "control-1026", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1500-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "DKIM signatures on received emails are verified." } ] }, { - "id": "control-0304", - "title": "Cessation of support", + "id": "control-1027", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0304-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." 
} ] }, { - "id": "control-1501", - "title": "Cessation of support", + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", "parts": [ { - "id": "control-1501-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ + }, { - "id": "control-1510", - "title": "Digital preservation policy", + "id": "control-1234", + "title": "Email content filtering", "parts": [ { - "id": "control-1510-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "Email content filtering controls are implemented for email bodies and attachments." } ] }, { - "id": "control-1547", - "title": "Data backup and restoration processes and procedures", + "id": "control-1502", + "title": "Blocking suspicious emails", "parts": [ { - "id": "control-1547-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." } ] }, { - "id": "control-1548", - "title": "Data backup and restoration processes and procedures", + "id": "control-1024", + "title": "Undeliverable messages", "parts": [ { - "id": "control-1548-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
+ "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." } ] - }, + } + ] + }, + { + "id": "email_usage", + "title": "Email usage", + "controls": [ { - "id": "control-1511", - "title": "Performing backups", + "id": "control-0264", + "title": "Email usage policy", "parts": [ { - "id": "control-1511-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." + "prose": "An email usage policy is developed and implemented." } ] }, { - "id": "control-1512", - "title": "Backup storage", + "id": "control-0267", + "title": "Webmail services", "parts": [ { - "id": "control-1512-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." + "prose": "Access to non-approved webmail services is blocked." } ] }, { - "id": "control-1513", - "title": "Backup storage", + "id": "control-0270", + "title": "Protective markings for emails", "parts": [ { - "id": "control-1513-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." } ] }, { - "id": "control-1514", - "title": "Retention periods for backups", + "id": "control-0271", + "title": "Protective marking tools", "parts": [ { - "id": "control-1514-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Protective marking tools do not automatically insert protective markings into emails." 
} ] }, { - "id": "control-1515", - "title": "Testing restoration of backups", + "id": "control-0272", + "title": "Protective marking tools", "parts": [ { - "id": "control-1515-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." } ] }, { - "id": "control-1516", - "title": "Testing restoration of backups", + "id": "control-1089", + "title": "Protective marking tools", "parts": [ { - "id": "control-1516-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_gateways", - "title": "Guidelines for Gateways", - "groups": [ - { - "id": "firewalls", - "title": "Firewalls", - "controls": [ + }, { - "id": "control-1528", - "title": "Using firewalls", + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-1528-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." 
} ] }, { - "id": "control-0639", - "title": "Using firewalls", + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0639-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-1194", - "title": "Using firewalls", + "id": "control-0269", + "title": "Email distribution lists", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ + { + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", + "controls": [ + { + "id": "control-0336", + "title": "ICT equipment and media register", + "parts": [ + { + "id": "control-0336-stmt", + "name": "statement", + "prose": "An ICT equipment and media register is maintained and regularly audited." 
} ] }, { - "id": "control-0641", - "title": "Firewalls for particularly important networks", + "id": "control-0159", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "All ICT equipment and media are accounted for on a regular basis." } ] }, { - "id": "control-0642", - "title": "Firewalls for particularly important networks", + "id": "control-0161", + "title": "Securing ICT equipment and media", "parts": [ { - "id": "control-0642-stmt", + "id": "control-0161-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." + "prose": "ICT equipment and media are secured when not in use." } ] } ] }, { - "id": "gateways", - "title": "Gateways", + "id": "facilities_and_systems", + "title": "Facilities and systems", "controls": [ { - "id": "control-0628", - "title": "Gateway architecture and configuration", + "id": "control-0810", + "title": "Facilities containing systems", "parts": [ { - "id": "control-0628-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." 
} ] }, { - "id": "control-1192", - "title": "Gateway architecture and configuration", + "id": "control-1053", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1192-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." } ] }, { - "id": "control-0631", - "title": "Gateway architecture and configuration", + "id": "control-1530", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0631-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." 
} ] }, { - "id": "control-1427", - "title": "Gateway architecture and configuration", + "id": "control-0813", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1427-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0634", - "title": "Gateway operation", + "id": "control-1074", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0634-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." } ] }, { - "id": "control-0637", - "title": "Demilitarised zones", + "id": "control-0157", + "title": "Network infrastructure", "parts": [ { - "id": "control-0637-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." 
} ] }, { - "id": "control-1037", - "title": "Gateway testing", + "id": "control-1296", + "title": "Controlling physical access to network devices", "parts": [ { - "id": "control-1037-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." } ] }, { - "id": "control-0611", - "title": "Gateway administration", + "id": "control-0164", + "title": "Preventing observation by unauthorised people", "parts": [ { - "id": "control-0611-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." } ] - }, + } + ] + }, + { + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", + "controls": [ { - "id": "control-0612", - "title": "Gateway administration", + "id": "control-1543", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0612-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." 
} ] }, { - "id": "control-1520", - "title": "Gateway administration", + "id": "control-0225", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-1520-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-0613", - "title": "Gateway administration", - "parts": [ - { - "id": "control-0613-stmt", - "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." - } - ] - }, - { - "id": "control-0616", - "title": "Gateway administration", - "parts": [ - { - "id": "control-0616-stmt", - "name": "statement", - "prose": "Roles for the administration of gateways are separated." - } - ] - }, - { - "id": "control-0629", - "title": "Gateway administration", + "id": "control-0829", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0629-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." } ] }, { - "id": "control-0607", - "title": "Shared ownership of gateways", + "id": "control-1058", + "title": "Bluetooth and wireless keyboards", "parts": [ { - "id": "control-0607-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." 
+ "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." } ] }, { - "id": "control-0619", - "title": "Gateway authentication", + "id": "control-0222", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0619-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-0620", - "title": "Gateway authentication", + "id": "control-0223", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0620-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." } ] }, { - "id": "control-1039", - "title": "Gateway authentication", + "id": "control-0224", + "title": "Infrared keyboards", "parts": [ { - "id": "control-1039-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." 
} ] }, { - "id": "control-0622", - "title": "ICT equipment authentication", + "id": "control-0221", + "title": "Wireless RF pointing devices", "parts": [ { - "id": "control-0622-stmt", + "id": "control-0221-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ { - "id": "diodes", - "title": "Diodes", + "id": "mobile_device_management", + "title": "Mobile device management", "controls": [ { - "id": "control-0643", - "title": "Using diodes", + "id": "control-1533", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0643-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." + "prose": "A mobile device management policy is developed and implemented." } ] }, { - "id": "control-0645", - "title": "Using diodes", + "id": "control-1195", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0645-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." 
} ] }, { - "id": "control-1157", - "title": "Using diodes", + "id": "control-0687", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1157-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-1158", - "title": "Using diodes", + "id": "control-1400", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1158-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." } ] }, { - "id": "control-0646", - "title": "Diodes for particularly important networks", + "id": "control-0694", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-0646-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "Privately-owned mobile devices do not access highly classified systems or information." 
} ] }, { - "id": "control-0647", - "title": "Diodes for particularly important networks", + "id": "control-1297", + "title": "Seeking legal advice for privately-owned mobile devices", "parts": [ { - "id": "control-0647-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." } ] }, { - "id": "control-0648", - "title": "Volume checking", + "id": "control-1482", + "title": "Organisation-owned mobile devices", "parts": [ { - "id": "control-0648-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] - } - ] - }, - { - "id": "content_filtering", - "title": "Content filtering", - "controls": [ + }, { - "id": "control-0659", - "title": "Content filtering", + "id": "control-0869", + "title": "Mobile device storage encryption", "parts": [ { - "id": "control-0659-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-1085", + "title": "Mobile device communications encryption", "parts": [ { - "id": "control-1524-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-0651", - "title": "Active, malicious and suspicious content", + "id": "control-1202", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0651-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] }, { - "id": "control-0652", - "title": "Active, malicious and suspicious content", + "id": "control-0682", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0652-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
} ] }, { - "id": "control-1389", - "title": "Automated dynamic analysis", + "id": "control-1196", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1389-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-1284", - "title": "Content validation", + "id": "control-1200", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1284-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-1286", - "title": "Content conversion and transformation", + "id": "control-1198", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1286-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." } ] }, { - "id": "control-1287", - "title": "Content sanitisation", + "id": "control-1199", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1287-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." 
} ] }, { - "id": "control-1288", - "title": "Antivirus scanning", + "id": "control-0863", + "title": "Configuration control", "parts": [ { - "id": "control-1288-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-1289", - "title": "Archive and container files", + "id": "control-0864", + "title": "Configuration control", "parts": [ { - "id": "control-1289-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] }, { - "id": "control-1290", - "title": "Archive and container files", + "id": "control-1365", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1290-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] }, { - "id": "control-1291", - "title": "Archive and container files", + "id": "control-1366", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." 
} ] }, { - "id": "control-0649", - "title": "Allowing access to specific content types", + "id": "control-0874", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0649-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-1292", - "title": "Data integrity", + "id": "control-0705", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-1292-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." - } - ] - }, - { - "id": "control-0677", - "title": "Data integrity", - "parts": [ - { - "id": "control-0677-stmt", - "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." - } - ] - }, - { - "id": "control-1293", - "title": "Encrypted data", - "parts": [ - { - "id": "control-1293-stmt", - "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." } ] } ] }, { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", + "id": "mobile_device_usage", + "title": "Mobile device usage", "controls": [ { - "id": "control-0626", - "title": "When to implement a Cross Domain Solution", + "id": "control-1082", + "title": "Mobile device usage policy", "parts": [ { - "id": "control-0626-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "A mobile device usage policy is developed and implemented." 
} ] }, { - "id": "control-0597", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1083", + "title": "Personnel awareness", "parts": [ { - "id": "control-0597-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0627", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-0240", + "title": "Paging and message services", "parts": [ { - "id": "control-0627-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." } ] }, { - "id": "control-0635", - "title": "Separation of data flows", + "id": "control-0866", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0635-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." 
} ] }, { - "id": "control-1521", - "title": "Separation of data flows", + "id": "control-1145", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-1521-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-1522", - "title": "Separation of data flows", + "id": "control-0871", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-1522-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-0670", - "title": "Event logging", + "id": "control-0870", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-1523", - "title": "Event logging", + "id": "control-1084", + "title": "Carrying mobile devices", "parts": [ { - "id": "control-1523-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." 
+ "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." } ] }, { - "id": "control-0610", - "title": "User training", + "id": "control-0701", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0610-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." } ] - } - ] - }, - { - "id": "web_content_filters", - "title": "Web content filters", - "controls": [ + }, { - "id": "control-0963", - "title": "Using web content filters", + "id": "control-0702", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." } ] }, { - "id": "control-0961", - "title": "Using web content filters", + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0961-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." 
} ] }, { - "id": "control-1237", - "title": "Using web content filters", + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1237-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." } ] }, { - "id": "control-0263", - "title": "Transport Layer Security filtering", + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0263-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." 
} ] }, { - "id": "control-0996", - "title": "Inspection of Transport Layer Security traffic", + "id": "control-1299", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0996-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." 
} ] }, { - "id": "control-0958", - "title": "Allowing access to specific websites", + "id": "control-1088", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0958-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." } ] }, { - "id": "control-1170", - "title": "Allowing access to specific websites", + "id": "control-1300", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-1170-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-0959", - "title": "Blocking access to specific websites", + "id": "control-1556", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0959-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." 
+ "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ + { + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", + "controls": [ { - "id": "control-0960", - "title": "Blocking access to specific websites", + "id": "control-0280", + "title": "Evaluated product selection", "parts": [ { - "id": "control-0960-stmt", + "id": "control-0280-stmt", "name": "statement", - "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." } ] }, { - "id": "control-1171", - "title": "Blocking access to specific websites", + "id": "control-0285", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1171-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." 
} ] }, { - "id": "control-1236", - "title": "Blocking access to specific websites", + "id": "control-0286", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1236-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." } ] } ] }, { - "id": "web_proxies", - "title": "Web proxies", + "id": "evaluated_product_usage", + "title": "Evaluated product usage", "controls": [ { - "id": "control-0258", - "title": "Web usage policy", + "id": "control-0289", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0258-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." } ] }, { - "id": "control-0260", - "title": "Using web proxies", + "id": "control-0290", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0260-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." 
} ] }, { - "id": "control-0261", - "title": "Web proxy authentication and logging", + "id": "control-0292", + "title": "Use of high assurance ICT equipment in unevaluated configurations", "parts": [ { - "id": "control-0261-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." + "prose": "High assurance ICT equipment is only operated in an evaluated configuration." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ { - "id": "peripheral_switches", - "title": "Peripheral switches", + "id": "emanation_security", + "title": "Emanation security", "controls": [ { - "id": "control-0591", - "title": "Using peripheral switches", + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0591-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1480", - "title": "Using peripheral switches", + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1480-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1457", - "title": "Using peripheral switches", + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0593", - "title": "Using peripheral switches", + "id": "control-0932", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0593-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." 
+ "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." } ] }, { - "id": "control-0594", - "title": "Peripheral switches for particularly important systems", - "parts": [ - { - "id": "control-0594-stmt", - "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", - "groups": [ - { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", - "controls": [ - { - "id": "control-0280", - "title": "Evaluated product selection", + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0280-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0285", - "title": "Delivery of evaluated products", + "id": "control-0246", + "title": "Early identification of emanation security issues", "parts": [ { - "id": "control-0285-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." 
+ "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." } ] }, { - "id": "control-0286", - "title": "Delivery of evaluated products", + "id": "control-0250", + "title": "Industry and government standards", "parts": [ { - "id": "control-0286-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." } ] } ] }, { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", + "id": "cable_management", + "title": "Cable management", "controls": [ { - "id": "control-0289", - "title": "Installation and configuration of evaluated products", + "id": "control-0181", + "title": "Cable standards", "parts": [ { - "id": "control-0289-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." } ] }, { - "id": "control-0290", - "title": "Installation and configuration of evaluated products", + "id": "control-0926", + "title": "Cable colours", "parts": [ { - "id": "control-0290-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + "prose": "The cable colours in the following table are used (see source document for referenced table)." 
} ] }, { - "id": "control-0292", - "title": "Use of high assurance ICT equipment in unevaluated configurations", + "id": "control-0825", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-0292-stmt", + "id": "control-0825-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." + "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_networking", - "title": "Guidelines for Networking", - "groups": [ - { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", - "controls": [ + }, { - "id": "control-1437", - "title": "Cloud-based hosting of online services", + "id": "control-0826", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-1437-stmt", + "id": "control-0826-stmt", "name": "statement", - "prose": "A cloud service provider is used for hosting online services." + "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." } ] }, { - "id": "control-1578", - "title": "Location policies for online services", + "id": "control-1215", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1578-stmt", + "id": "control-1215-stmt", "name": "statement", - "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." + "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." 
} ] }, { - "id": "control-1579", - "title": "Availability planning and monitoring for online services", + "id": "control-1216", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1579-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." + "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." } ] }, { - "id": "control-1580", - "title": "Availability planning and monitoring for online services", + "id": "control-1112", + "title": "Inspecting cables", "parts": [ { - "id": "control-1580-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1441", - "title": "Availability planning and monitoring for online services", + "id": "control-1118", + "title": "Inspecting cables", "parts": [ { - "id": "control-1441-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1581", - "title": "Availability planning and monitoring for online services", + "id": "control-1119", + "title": "Inspecting cables", "parts": [ { - "id": "control-1581-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "Organisations perform continuous real-time monitoring of the availability of online services." 
+ "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1438", - "title": "Using content delivery networks", + "id": "control-1126", + "title": "Inspecting cables", "parts": [ { - "id": "control-1438-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1439", - "title": "Using content delivery networks", + "id": "control-0184", + "title": "Inspecting cables", "parts": [ { - "id": "control-1439-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." 
} ] }, { - "id": "control-1431", - "title": "Denial of service strategies", + "id": "control-0187", + "title": "Cable groupings", "parts": [ { - "id": "control-1431-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." + "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1458", - "title": "Denial of service strategies", + "id": "control-1111", + "title": "Use of fibre-optic cables", "parts": [ { - "id": "control-1458-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." } ] }, { - "id": "control-1432", - "title": "Domain name registrar locking", + "id": "control-0189", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1432-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." 
} ] }, { - "id": "control-1435", - "title": "Monitoring with real-time alerting for online services", + "id": "control-0190", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1435-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." } ] }, { - "id": "control-1436", - "title": "Segregation of critical online services", + "id": "control-1114", + "title": "Cables sharing a common reticulation system", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." } ] }, { - "id": "control-1518", - "title": "Preparing for service continuity", + "id": "control-1130", + "title": "Enclosed cable reticulation systems", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." 
} ] - } - ] - }, - { - "id": "wireless_networks", - "title": "Wireless networks", - "controls": [ + }, { - "id": "control-1314", - "title": "Choosing wireless access points", + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", "parts": [ { - "id": "control-1314-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-0536", - "title": "Wireless networks for public access", + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-0536-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." } ] }, { - "id": "control-1315", - "title": "Administrative interfaces for wireless access points", + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-1315-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." - } - ] - }, - { - "id": "control-1316", - "title": "Default Service Set Identifiers", - "parts": [ - { - "id": "control-1316-stmt", - "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." 
} ] }, { - "id": "control-1317", - "title": "Default Service Set Identifiers", + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1317-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1318", - "title": "Default Service Set Identifiers", + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1318-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1319", - "title": "Static addressing", + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1319-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." } ] }, { - "id": "control-1320", - "title": "Media Access Control address filtering", + "id": "control-1098", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1320-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." 
+ "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." } ] }, { - "id": "control-1321", - "title": "802.1X authentication", + "id": "control-1100", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1321-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-1322", - "title": "Evaluation of 802.1X authentication implementation", + "id": "control-1116", + "title": "Cabinet separation", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] }, { - "id": "control-1324", - "title": "Generating and issuing certificates for authentication", + "id": "control-1115", + "title": "Cables in walls", "parts": [ { - "id": "control-1324-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." } ] }, { - "id": "control-1323", - "title": "Generating and issuing certificates for authentication", + "id": "control-1133", + "title": "Cables in party walls", "parts": [ { - "id": "control-1323-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "In shared non-government facilities, cables are not run in a party wall." 
} ] }, { - "id": "control-1325", - "title": "Generating and issuing certificates for authentication", + "id": "control-1122", + "title": "Wall penetrations", "parts": [ { - "id": "control-1325-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1326", - "title": "Generating and issuing certificates for authentication", + "id": "control-1134", + "title": "Wall penetrations", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1327", - "title": "Generating and issuing certificates for authentication", + "id": "control-1104", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1327-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." 
} ] }, { - "id": "control-1330", - "title": "Caching 802.1X authentication outcomes", + "id": "control-1105", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1330-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." } ] }, { - "id": "control-1454", - "title": "Remote Authentication Dial-In User Service authentication", + "id": "control-1106", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1106-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." } ] }, { - "id": "control-1332", - "title": "Encryption of wireless network traffic", + "id": "control-1107", + "title": "Wall outlet box colours", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1334", - "title": "Interference between wireless networks", + "id": "control-1109", + "title": "Wall outlet box covers", "parts": [ { - "id": "control-1334-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "Wall outlet box covers are clear plastic." 
} ] }, { - "id": "control-1335", - "title": "Protecting management frames on wireless networks", + "id": "control-0198", + "title": "Audio secure spaces", "parts": [ { - "id": "control-1335-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." } ] }, { - "id": "control-1338", - "title": "Wireless network footprint", + "id": "control-1123", + "title": "Power reticulation", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-1013", - "title": "Wireless network footprint", + "id": "control-1135", + "title": "Power reticulation", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
} ] } ] }, { - "id": "network_design_and_configuration", - "title": "Network design and configuration", + "id": "cable_labelling_and_registration", + "title": "Cable labelling and registration", "controls": [ { - "id": "control-0516", - "title": "Network documentation", + "id": "control-0201", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0516-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." } ] }, { - "id": "control-0518", - "title": "Network documentation", + "id": "control-0202", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0518-stmt", + "id": "control-0202-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." } ] }, { - "id": "control-1178", - "title": "Network documentation", + "id": "control-0203", + "title": "Conduit label specifications", "parts": [ { - "id": "control-1178-stmt", + "id": "control-0203-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." 
} ] }, { - "id": "control-1181", - "title": "Network segmentation and segregation", + "id": "control-0204", + "title": "Installing conduit labelling", "parts": [ { - "id": "control-1181-stmt", + "id": "control-0204-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." } ] }, { - "id": "control-1577", - "title": "Network segmentation and segregation", + "id": "control-1095", + "title": "Labelling wall outlet boxes", "parts": [ { - "id": "control-1577-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "Organisation networks are segregated from service provider networks." + "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." } ] }, { - "id": "control-1532", - "title": "Using Virtual Local Area Networks", + "id": "control-1096", + "title": "Labelling cables", "parts": [ { - "id": "control-1532-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." } ] }, { - "id": "control-0529", - "title": "Using Virtual Local Area Networks", + "id": "control-0206", + "title": "Cable labelling process and procedures", "parts": [ { - "id": "control-0529-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." 
+ "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-1364", - "title": "Using Virtual Local Area Networks", + "id": "control-0211", + "title": "Cable register", "parts": [ { - "id": "control-1364-stmt", + "id": "control-0211-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "A cable register is maintained and regularly audited." } ] }, { - "id": "control-0535", - "title": "Using Virtual Local Area Networks", + "id": "control-0208", + "title": "Cable register", "parts": [ { - "id": "control-0535-stmt", + "id": "control-0208-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "Cable registers contain the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." } ] - }, + } + ] + }, + { + "id": "cable_patching", + "title": "Cable patching", + "controls": [ { - "id": "control-0530", - "title": "Using Virtual Local Area Networks", + "id": "control-0213", + "title": "Terminations to patch panels", "parts": [ { - "id": "control-0530-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "Only approved cable groups terminate on a patch panel." } ] }, { - "id": "control-0521", - "title": "Using Internet Protocol version 6", + "id": "control-1093", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1093-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." 
+ "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." } ] }, { - "id": "control-1186", - "title": "Using Internet Protocol version 6", + "id": "control-0214", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1186-stmt", + "id": "control-0214-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." } ] }, { - "id": "control-1428", - "title": "Using Internet Protocol version 6", + "id": "control-1094", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1094-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." } ] }, { - "id": "control-1429", - "title": "Using Internet Protocol version 6", + "id": "control-0216", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1429-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." 
} ] }, { - "id": "control-1430", - "title": "Using Internet Protocol version 6", + "id": "control-0217", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1430-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." } ] }, { - "id": "control-0520", - "title": "Network access controls", + "id": "control-0218", + "title": "Fly lead installation", "parts": [ { - "id": "control-0520-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ + { + "id": "control-1631", + "title": "Cyber supply chain risk management", + "parts": [ + { + "id": "control-1631-stmt", + "name": "statement", + "prose": "Components and services relevant to the security of systems are identified and understood." 
} ] }, { - "id": "control-1182", - "title": "Network access controls", + "id": "control-1452", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1182-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk." } ] }, { - "id": "control-1301", - "title": "Network device register", + "id": "control-1567", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1301-stmt", + "id": "control-1567-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "Suppliers and service providers identified as high risk are not used." } ] }, { - "id": "control-1304", - "title": "Default accounts for network devices", + "id": "control-1568", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1304-stmt", + "id": "control-1568-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices." } ] }, { - "id": "control-0534", - "title": "Disabling unused physical ports on network devices", + "id": "control-1632", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1632-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." 
+ "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains." } ] }, { - "id": "control-0385", - "title": "Functional separation between servers", + "id": "control-1569", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1569-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party." } ] }, { - "id": "control-1479", - "title": "Functional separation between servers", + "id": "control-0100", + "title": "Outsourced gateway services", "parts": [ { - "id": "control-1479-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." + "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." } ] }, { - "id": "control-1006", - "title": "Management traffic", + "id": "control-1637", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1006-stmt", + "id": "control-1637-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + "prose": "An outsourced cloud services register is maintained and regularly audited." 
} ] }, { - "id": "control-1311", - "title": "Use of Simple Network Management Protocol", + "id": "control-1638", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1638-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "Outsourced cloud services registers contain the following for each outsourced cloud service:\n• cloud service provider’s name\n• cloud service’s name\n• purpose for using the cloud service\n• sensitivity or classification of information involved\n• due date for the next security assessment of the cloud service\n• point of contact for users of the cloud service\n• point of contact for the cloud service provider." } ] }, { - "id": "control-1312", - "title": "Use of Simple Network Management Protocol", + "id": "control-1570", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1312-stmt", + "id": "control-1570-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." } ] }, { - "id": "control-1028", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1529", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." + "prose": "Only community or private clouds are used for outsourced cloud services." 
} ] }, { - "id": "control-1030", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1395", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1030-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." } ] }, { - "id": "control-1185", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-0072", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1185-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." } ] }, { - "id": "control-1627", - "title": "Blocking anonymity network traffic", + "id": "control-1571", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1627-stmt", + "id": "control-1571-stmt", "name": "statement", - "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." + "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." 
} ] }, { - "id": "control-1628", - "title": "Blocking anonymity network traffic", + "id": "control-1451", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1628-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "Outbound network connections to anonymity networks are blocked." + "prose": "Types of information and its ownership is documented in contractual arrangements." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", - "groups": [ - { - "id": "web_application_development", - "title": "Web application development", - "controls": [ + }, { - "id": "control-1239", - "title": "Web application frameworks", + "id": "control-1572", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1239-stmt", + "id": "control-1572-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." } ] }, { - "id": "control-1552", - "title": "Web application interactions", + "id": "control-1573", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1573-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." } ] }, { - "id": "control-1240", - "title": "Web application input handling", + "id": "control-1574", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1240-stmt", + "id": "control-1574-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." 
+ "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." } ] }, { - "id": "control-1241", - "title": "Web application output encoding", + "id": "control-1575", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1575-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." } ] }, { - "id": "control-1424", - "title": "Web browser-based security controls", + "id": "control-1073", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-1424-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." } ] }, { - "id": "control-0971", - "title": "Open Web Application Security Project", + "id": "control-1576", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-0971-stmt", + "id": "control-1576-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ { - "id": "application_development", - "title": "Application development", + "id": "application_hardening", + "title": "Application hardening", "controls": [ { - "id": "control-0400", - "title": "Development environments", + "id": "control-0938", + "title": "Application selection", "parts": [ { - "id": "control-0400-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "Development, testing and production environments are segregated." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." } ] }, { - "id": "control-1419", - "title": "Development environments", + "id": "control-1467", + "title": "Application versions", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." + "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." } ] }, { - "id": "control-1420", - "title": "Development environments", + "id": "control-1483", + "title": "Application versions", "parts": [ { - "id": "control-1420-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." 
} ] }, { - "id": "control-1422", - "title": "Development environments", + "id": "control-1412", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1422-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1238", - "title": "Secure software design", + "id": "control-1484", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1238-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "Web browsers are configured to block or disable support for Flash content." } ] }, { - "id": "control-0401", - "title": "Secure programming practices", + "id": "control-1485", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0401-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "Web browsers are configured to block web advertisements." } ] }, { - "id": "control-0402", - "title": "Software testing", + "id": "control-1486", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0402-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." 
+ "prose": "Web browsers are configured to block Java from the internet." } ] }, { - "id": "control-1616", - "title": "Vulnerability disclosure program", + "id": "control-1541", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1616-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." + "prose": "Microsoft Office is configured to disable support for Flash content." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ + }, { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "id": "control-1542", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." } ] }, { - "id": "control-0546", - "title": "Video and voice-aware firewalls", + "id": "control-1470", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0546-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." 
} ] }, { - "id": "control-0547", - "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "id": "control-1235", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0547-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." } ] }, { - "id": "control-0548", - "title": "Establishment of secure signalling and data protocols", + "id": "control-1601", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1601-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." } ] }, { - "id": "control-0554", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1585", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1585-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." } ] }, { - "id": "control-0553", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1487", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0553-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." 
+ "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." } ] }, { - "id": "control-0555", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1488", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0555-stmt", + "id": "control-1488-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." + "prose": "Microsoft Office macros in documents originating from the internet are blocked." } ] }, { - "id": "control-0551", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1489", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] - }, + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ { - "id": "control-1014", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1406", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-1014-stmt", + "id": "control-1406-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "SOEs are used for workstations and servers." 
} ] }, { - "id": "control-0549", - "title": "Traffic separation", + "id": "control-1608", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0549-stmt", + "id": "control-1608-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." } ] }, { - "id": "control-0556", - "title": "Traffic separation", + "id": "control-1588", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1588-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "SOEs are reviewed and updated at least annually." } ] }, { - "id": "control-1015", - "title": "Internet Protocol phones in public areas", + "id": "control-1407", + "title": "Operating system versions", "parts": [ { - "id": "control-1015-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." } ] }, { - "id": "control-0558", - "title": "Internet Protocol phones in public areas", + "id": "control-1408", + "title": "Operating system versions", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." 
} ] }, { - "id": "control-0559", - "title": "Microphones and webcams", + "id": "control-1409", + "title": "Operating system configuration", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-1450", - "title": "Microphones and webcams", + "id": "control-0383", + "title": "Operating system configuration", "parts": [ { - "id": "control-1450-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1019", - "title": "Developing a denial of service response plan", + "id": "control-0380", + "title": "Operating system configuration", "parts": [ { - "id": "control-1019-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." 
} ] - } - ] - }, - { - "id": "telephone_systems", - "title": "Telephone systems", - "controls": [ + }, { - "id": "control-1078", - "title": "Telephone systems usage policy", + "id": "control-1584", + "title": "Operating system configuration", "parts": [ { - "id": "control-1078-stmt", + "id": "control-1584-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." } ] }, { - "id": "control-0229", - "title": "Personnel awareness", + "id": "control-1491", + "title": "Operating system configuration", "parts": [ { - "id": "control-0229-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe)\n• Microsoft HTML Application Host (mshta.exe)." } ] }, { - "id": "control-0230", - "title": "Personnel awareness", + "id": "control-1410", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0230-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." 
} ] }, { - "id": "control-0231", - "title": "Visual indication", + "id": "control-1469", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-0232", - "title": "Protecting conversations", + "id": "control-1592", + "title": "Application management", "parts": [ { - "id": "control-0232-stmt", + "id": "control-1592-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "Users do not have the ability to install unapproved software." } ] }, { - "id": "control-0233", - "title": "Cordless telephone systems", + "id": "control-0382", + "title": "Application management", "parts": [ { - "id": "control-0233-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + "prose": "Users do not have the ability to uninstall or disable approved software." } ] }, { - "id": "control-0235", - "title": "Speakerphones", + "id": "control-0843", + "title": "Application control", "parts": [ { - "id": "control-0235-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." 
+ "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0236", - "title": "Off-hook audio protection", + "id": "control-1490", + "title": "Application control", "parts": [ { - "id": "control-0236-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0931", - "title": "Off-hook audio protection", + "id": "control-0955", + "title": "Application control", "parts": [ { - "id": "control-0931-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." } ] }, { - "id": "control-0237", - "title": "Off-hook audio protection", + "id": "control-1582", + "title": "Application control", "parts": [ { - "id": "control-0237-stmt", + "id": "control-1582-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." 
} ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ + }, { - "id": "control-0588", - "title": "Fax machine and multifunction device usage policy", + "id": "control-1471", + "title": "Application control", "parts": [ { - "id": "control-0588-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-1092", - "title": "Sending fax messages", + "id": "control-1392", + "title": "Application control", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." } ] }, { - "id": "control-0241", - "title": "Sending fax messages", + "id": "control-1544", + "title": "Application control", "parts": [ { - "id": "control-0241-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." 
} ] }, { - "id": "control-1075", - "title": "Receiving fax messages", + "id": "control-0846", + "title": "Application control", "parts": [ { - "id": "control-1075-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." } ] }, { - "id": "control-0590", - "title": "Connecting multifunction devices to networks", + "id": "control-0957", + "title": "Application control", "parts": [ { - "id": "control-0590-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." } ] }, { - "id": "control-0245", - "title": "Connecting multifunction devices to both networks and digital telephone systems", + "id": "control-1414", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0245-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." 
+ "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." } ] }, { - "id": "control-0589", - "title": "Copying documents on multifunction devices", + "id": "control-1492", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0589-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "If supported, Microsoft’s exploit protection functionality is implemented on workstations and servers." } ] }, { - "id": "control-1036", - "title": "Observing fax machine and multifunction device use", + "id": "control-1621", + "title": "PowerShell", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1621-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "PowerShell 2.0 and below is removed from operating systems." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems", - "title": "Guidelines for Database Systems", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Protecting database server contents", + "id": "control-1622", + "title": "PowerShell", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1622-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "PowerShell is configured to use Constrained Language Mode." 
} ] }, { - "id": "control-1269", - "title": "Functional separation between database servers and web servers", + "id": "control-1623", + "title": "PowerShell", "parts": [ { - "id": "control-1269-stmt", + "id": "control-1623-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." } ] }, { - "id": "control-1277", - "title": "Communications between database servers and web servers", + "id": "control-1624", + "title": "PowerShell", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1624-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." + "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." } ] }, { - "id": "control-1270", - "title": "Network environment", + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1270-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "A HIPS is implemented on workstations." } ] }, { - "id": "control-1271", - "title": "Network environment", + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." 
} ] }, { - "id": "control-1272", - "title": "Network environment", + "id": "control-1416", + "title": "Software firewall", "parts": [ { - "id": "control-1272-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." } ] }, { - "id": "control-1273", - "title": "Separation of production, test and development database servers", + "id": "control-1417", + "title": "Antivirus software", "parts": [ { - "id": "control-1273-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." } ] - } - ] - }, - { - "id": "database_management_system_software", - "title": "Database management system software", - "controls": [ + }, { - "id": "control-1245", - "title": "Temporary installation files and logs", + "id": "control-1390", + "title": "Antivirus software", "parts": [ { - "id": "control-1245-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Antivirus software has reputation rating functionality enabled." 
} ] }, { - "id": "control-1246", - "title": "Hardening and configuration", + "id": "control-1418", + "title": "Device access control software", "parts": [ { - "id": "control-1246-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." } ] }, { - "id": "control-1247", - "title": "Hardening and configuration", + "id": "control-0345", + "title": "Device access control software", "parts": [ { - "id": "control-1247-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "External interfaces of workstations and servers that allow DMA are disabled." } ] - }, + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ { - "id": "control-1249", - "title": "Restricting privileges", + "id": "control-1546", + "title": "Authenticating to systems", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "Users are authenticated before they are granted access to a system and its resources." } ] }, { - "id": "control-1250", - "title": "Restricting privileges", + "id": "control-0974", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1250-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "Multi-factor authentication is used to authenticate standard users." 
} ] }, { - "id": "control-1251", - "title": "Restricting privileges", + "id": "control-1173", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." } ] }, { - "id": "control-1260", - "title": "Database administrator accounts", + "id": "control-1384", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1260-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." } ] }, { - "id": "control-1262", - "title": "Database administrator accounts", + "id": "control-1504", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1262-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] }, { - "id": "control-1261", - "title": "Database administrator accounts", + "id": "control-1505", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1261-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." 
} ] }, { - "id": "control-1263", - "title": "Database administrator accounts", + "id": "control-1401", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1263-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." } ] }, { - "id": "control-1264", - "title": "Database administrator accounts", + "id": "control-1559", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Database register", + "id": "control-1560", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1243-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." } ] }, { - "id": "control-1256", - "title": "Protecting database contents", + "id": "control-1561", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1256-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." 
} ] }, { - "id": "control-1252", - "title": "Protecting authentication credentials in databases", + "id": "control-1357", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1252-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." } ] }, { - "id": "control-0393", - "title": "Protecting database contents", + "id": "control-0417", + "title": "Single-factor authentication", "parts": [ { - "id": "control-0393-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-1255", - "title": "Protecting database contents", + "id": "control-0421", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1255-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." } ] }, { - "id": "control-1268", - "title": "Protecting database contents", + "id": "control-1557", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1268-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." 
+ "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] }, { - "id": "control-1258", - "title": "Aggregation of database contents", + "id": "control-0422", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1258-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." } ] }, { - "id": "control-1274", - "title": "Separation of production, test and development databases", + "id": "control-1558", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1274-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." } ] }, { - "id": "control-1275", - "title": "Web application interaction with databases", + "id": "control-1596", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1275-stmt", + "id": "control-1596-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." 
+ "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." } ] }, { - "id": "control-1276", - "title": "Web application interaction with databases", + "id": "control-1227", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." + "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." } ] }, { - "id": "control-1278", - "title": "Web application interaction with databases", + "id": "control-1593", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1593-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email", - "title": "Guidelines for Email", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage policy", + "id": "control-1594", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-0264-stmt", + "id": "control-1594-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." 
} ] }, { - "id": "control-0267", - "title": "Webmail services", + "id": "control-1595", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-0267-stmt", + "id": "control-1595-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." } ] }, { - "id": "control-0270", - "title": "Protective markings for emails", + "id": "control-1619", + "title": "Setting and resetting credentials for service accounts", "parts": [ { - "id": "control-0270-stmt", + "id": "control-1619-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Service accounts are created as group Managed Service Accounts." } ] }, { - "id": "control-0271", - "title": "Protective marking tools", + "id": "control-1403", + "title": "Account lockouts", "parts": [ { - "id": "control-0271-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-0272", - "title": "Protective marking tools", + "id": "control-0431", + "title": "Account lockouts", "parts": [ { - "id": "control-0272-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Repeated account lockouts are investigated before reauthorising access." 
} ] }, { - "id": "control-1089", - "title": "Protective marking tools", + "id": "control-0976", + "title": "Account unlocks", "parts": [ { - "id": "control-1089-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." } ] }, { - "id": "control-0565", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1603", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-0565-stmt", + "id": "control-1603-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." + "prose": "Authentication methods susceptible to replay attacks are disabled." } ] }, { - "id": "control-1023", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1055", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-1023-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." } ] }, { - "id": "control-0269", - "title": "Email distribution lists", + "id": "control-1620", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-0269-stmt", + "id": "control-1620-stmt", "name": "statement", - "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." 
+ "prose": "Privileged accounts are members of the Protected Users security group." } ] - } - ] - }, - { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", - "controls": [ + }, { - "id": "control-0569", - "title": "Centralised email gateways", + "id": "control-0418", + "title": "Protecting credentials", "parts": [ { - "id": "control-0569-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." + "prose": "Credentials are stored separately from systems to which they grant access." } ] }, { - "id": "control-0571", - "title": "Centralised email gateways", + "id": "control-1597", + "title": "Protecting credentials", "parts": [ { - "id": "control-0571-stmt", + "id": "control-1597-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "Credentials are obscured as they are entered into systems." } ] }, { - "id": "control-0570", - "title": "Email gateway maintenance activities", + "id": "control-1402", + "title": "Protecting credentials", "parts": [ { - "id": "control-0570-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." } ] }, { - "id": "control-0567", - "title": "Open relay email servers", + "id": "control-1590", + "title": "Protecting credentials", "parts": [ { - "id": "control-0567-stmt", + "id": "control-1590-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." 
+ "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." } ] }, { - "id": "control-0572", - "title": "Email server transport encryption", + "id": "control-0853", + "title": "Session termination", "parts": [ { - "id": "control-0572-stmt", - "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." - } - ] - }, - { - "id": "control-1589", - "title": "Email server transport encryption", - "parts": [ - { - "id": "control-1589-stmt", - "name": "statement", - "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." - } - ] - }, - { - "id": "control-0574", - "title": "Sender Policy Framework", - "parts": [ - { - "id": "control-0574-stmt", + "id": "control-0853-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." + "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." } ] }, { - "id": "control-1183", - "title": "Sender Policy Framework", + "id": "control-0428", + "title": "Session and screen locking", "parts": [ { - "id": "control-1183-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." 
+ "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." } ] }, { - "id": "control-1151", - "title": "Sender Policy Framework", + "id": "control-0408", + "title": "Logon banner", "parts": [ { - "id": "control-1151-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-1152", - "title": "Sender Policy Framework", + "id": "control-0979", + "title": "Logon banner", "parts": [ { - "id": "control-1152-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." + "prose": "Legal advice is sought on the exact wording of logon banners." } ] - }, + } + ] + }, + { + "id": "virtualisation_hardening", + "title": "Virtualisation hardening", + "controls": [ { - "id": "control-0861", - "title": "DomainKeys Identified Mail", + "id": "control-1460", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0861-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." } ] }, { - "id": "control-1026", - "title": "DomainKeys Identified Mail", + "id": "control-1604", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1026-stmt", + "id": "control-1604-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." } ] }, { - "id": "control-1027", - "title": "DomainKeys Identified Mail", + "id": "control-1605", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1027-stmt", + "id": "control-1605-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." } ] }, { - "id": "control-1540", - "title": "Domain-based Message Authentication, Reporting and Conformance", + "id": "control-1606", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1540-stmt", + "id": "control-1606-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1234", - "title": "Email content filtering", + "id": "control-1607", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1234-stmt", + "id": "control-1607-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1502", - "title": "Blocking suspicious emails", + "id": "control-1462", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1502-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." } ] }, { - "id": "control-1024", - "title": "Undeliverable messages", + "id": "control-1461", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1024-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain." } ] } 
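Review bot: the email guidance removed at the start of this hunk (the dropped `- "id": "guidelines_for_email"` / `- "title": "Guidelines for Email"` group header, the `email_usage` and `email_gateways_and_servers` groups, and controls control-0264 through control-1024, including control-0572 on opportunistic TLS and control-1589 on MTA-STS) is replaced by account-credential, session-locking and virtualisation-hardening controls without the hunk showing where the email controls go, and the commit message "demos work with trestle 1.0.x" does not say whether the catalog content was regenerated or only reordered. Suggest stating in the commit message that the catalog was regenerated from the ISM source and that the set of control ids is unchanged, or splitting the reorder from any prose changes, so a reviewer can confirm that no control was silently dropped and that newly visible prose such as `"Accounts are locked out after a maximum of five failed logon attempts."` (control-1403) is an intended addition rather than a by-product of the reordering.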
@@ -3355,2550 +3241,2630 @@ ] }, { - "id": "guidelines_for_cryptography", - "title": "Guidelines for Cryptography", + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", "groups": [ { - "id": "transport_layer_security", - "title": "Transport Layer Security", + "id": "application_development", + "title": "Application development", "controls": [ { - "id": "control-1139", - "title": "Using Transport Layer Security", - "parts": [ - { - "id": "control-1139-stmt", - "name": "statement", - "prose": "Only the latest version of TLS is used." - } - ] - }, - { - "id": "control-1369", - "title": "Using Transport Layer Security", - "parts": [ - { - "id": "control-1369-stmt", - "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." - } - ] - }, - { - "id": "control-1370", - "title": "Using Transport Layer Security", + "id": "control-0400", + "title": "Development environments", "parts": [ { - "id": "control-1370-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "Development, testing and production environments are segregated." } ] }, { - "id": "control-1372", - "title": "Using Transport Layer Security", + "id": "control-1419", + "title": "Development environments", "parts": [ { - "id": "control-1372-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-1448", - "title": "Using Transport Layer Security", + "id": "control-1420", + "title": "Development environments", "parts": [ { - "id": "control-1448-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." 
+ "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-1373", - "title": "Using Transport Layer Security", + "id": "control-1422", + "title": "Development environments", "parts": [ { - "id": "control-1373-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "Anonymous DH is not used." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-1374", - "title": "Using Transport Layer Security", + "id": "control-1238", + "title": "Secure software design", "parts": [ { - "id": "control-1374-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, { - "id": "control-1375", - "title": "Using Transport Layer Security", + "id": "control-0401", + "title": "Secure programming practices", "parts": [ { - "id": "control-1375-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." } ] }, { - "id": "control-1553", - "title": "Using Transport Layer Security", + "id": "control-0402", + "title": "Software testing", "parts": [ { - "id": "control-1553-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "TLS compression is disabled." 
+ "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] }, { - "id": "control-1453", - "title": "Perfect Forward Secrecy", + "id": "control-1616", + "title": "Vulnerability disclosure program", "parts": [ { - "id": "control-1453-stmt", + "id": "control-1616-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." } ] } ] }, { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", + "id": "web_application_development", + "title": "Web application development", "controls": [ { - "id": "control-0471", - "title": "Using ASD Approved Cryptographic Algorithms", + "id": "control-1239", + "title": "Web application frameworks", "parts": [ { - "id": "control-0471-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "Only AACAs are used by cryptographic equipment and software." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-0994", - "title": "Approved asymmetric/public key algorithms", + "id": "control-1552", + "title": "Web application interactions", "parts": [ { - "id": "control-0994-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "All web application content is offered exclusively using HTTPS." } ] }, { - "id": "control-0472", - "title": "Using Diffie-Hellman", + "id": "control-1240", + "title": "Web application input handling", "parts": [ { - "id": "control-0472-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used." 
+ "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-1629", - "title": "Using Diffie-Hellman", + "id": "control-1241", + "title": "Web application output encoding", "parts": [ { - "id": "control-1629-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3." + "prose": "Output encoding is performed on all output produced by a web application." } ] }, { - "id": "control-0473", - "title": "Using the Digital Signature Algorithm", + "id": "control-1424", + "title": "Web browser-based security controls", "parts": [ { - "id": "control-0473-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 2048 bits is used." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-1630", - "title": "Using the Digital Signature Algorithm", + "id": "control-0971", + "title": "Open Web Application Security Project", "parts": [ { - "id": "control-1630-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ + { + "id": "control-0123", + "title": "Reporting cyber security incidents", + "parts": [ + { + "id": "control-0123-stmt", + "name": "statement", + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1446", - "title": "Using Elliptic Curve Cryptography", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1446-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-0474", - "title": "Using Elliptic Curve Diffie-Hellman", + "id": "control-1433", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0474-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used." + "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." } ] }, { - "id": "control-0475", - "title": "Using the Elliptic Curve Digital Signature Algorithm", + "id": "control-1434", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0475-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used." 
+ "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." } ] }, { - "id": "control-0476", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0140", + "title": "Reporting cyber security incidents to the ACSC", "parts": [ { - "id": "control-0476-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used." + "prose": "Cyber security incidents are reported to the ACSC." + } + ] + } + ] + }, + { + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", + "controls": [ + { + "id": "control-0125", + "title": "Cyber security incident register", + "parts": [ + { + "id": "control-0125-stmt", + "name": "statement", + "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." } ] }, { - "id": "control-0477", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0133", + "title": "Handling and containing data spills", "parts": [ { - "id": "control-0477-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." 
} ] }, { - "id": "control-0479", - "title": "Approved symmetric encryption algorithms", + "id": "control-0917", + "title": "Handling and containing malicious code infections", "parts": [ { - "id": "control-0479-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." } ] }, { - "id": "control-0480", - "title": "Using the Triple Data Encryption Standard", + "id": "control-0137", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-0480-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-1232", - "title": "Protecting highly classified information", + "id": "control-1609", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1609-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." 
} ] }, { - "id": "control-1468", - "title": "Protecting highly classified information", + "id": "control-1213", + "title": "Post-incident analysis", "parts": [ { - "id": "control-1468-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." + "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + } + ] + }, + { + "id": "control-0138", + "title": "Integrity of evidence", + "parts": [ + { + "id": "control-0138-stmt", + "name": "statement", + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." } ] } ] }, { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", "controls": [ { - "id": "control-0501", - "title": "Commercial grade cryptographic equipment", + "id": "control-0576", + "title": "Intrusion detection and prevention policy", "parts": [ { - "id": "control-0501-stmt", + "id": "control-0576-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "An intrusion detection and prevention policy is developed and implemented." 
} ] }, { - "id": "control-0142", - "title": "Commercial grade cryptographic equipment", + "id": "control-1625", + "title": "Trusted insider program", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1625-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + "prose": "A trusted insider program is developed and implemented." } ] }, { - "id": "control-1091", - "title": "Commercial grade cryptographic equipment", + "id": "control-1626", + "title": "Trusted insider program", "parts": [ { - "id": "control-1091-stmt", + "id": "control-1626-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." } ] }, { - "id": "control-0499", - "title": "High Assurance Cryptographic Equipment", + "id": "control-0120", + "title": "Access to sufficient data sources and tools", "parts": [ { - "id": "control-0499-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_networking", + "title": "Guidelines for Networking", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ + { + "id": "control-1437", + "title": "Cloud-based hosting of online services", + "parts": [ + { + "id": "control-1437-stmt", + "name": "statement", + "prose": "A cloud service provider is used for hosting online services." } ] }, { - "id": "control-0505", - "title": "Storing cryptographic equipment", + "id": "control-1578", + "title": "Location policies for online services", "parts": [ { - "id": "control-0505-stmt", + "id": "control-1578-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." } ] }, { - "id": "control-0506", - "title": "Storing cryptographic equipment", + "id": "control-1579", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0506-stmt", + "id": "control-1579-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." 
} ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Configuring Secure Shell", + "id": "control-1580", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1506-stmt", + "id": "control-1580-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." } ] }, { - "id": "control-0484", - "title": "Configuring Secure Shell", + "id": "control-1441", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0484-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." + "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." } ] }, { - "id": "control-0485", - "title": "Authentication mechanisms", + "id": "control-1581", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0485-stmt", + "id": "control-1581-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "Organisations perform continuous real-time monitoring of the availability of online services." } ] }, { - "id": "control-1449", - "title": "Authentication mechanisms", + "id": "control-1438", + "title": "Using content delivery networks", "parts": [ { - "id": "control-1449-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." 
} ] }, { - "id": "control-0487", - "title": "Automated remote access", + "id": "control-1439", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0487-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." } ] }, { - "id": "control-0488", - "title": "Automated remote access", + "id": "control-1431", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0488-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." 
} ] }, { - "id": "control-0489", - "title": "SSH-agent", + "id": "control-1458", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0489-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + } + ] + }, + { + "id": "control-1432", + "title": "Domain name registrar locking", + "parts": [ + { + "id": "control-1432-stmt", + "name": "statement", + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + } + ] + }, + { + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", + "parts": [ + { + "id": "control-1435-stmt", + "name": "statement", + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", - "controls": [ + }, { - "id": "control-0481", - "title": "Using ASD Approved Cryptographic Protocols", + "id": "control-1436", + "title": "Segregation of critical online services", "parts": [ { - "id": "control-0481-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "Only AACPs are used by cryptographic equipment and software." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." 
} ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Using Secure/Multipurpose Internet Mail Extension", + "id": "control-1518", + "title": "Preparing for service continuity", "parts": [ { - "id": "control-0490-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." } ] } ] }, { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", + "id": "wireless_networks", + "title": "Wireless networks", "controls": [ { - "id": "control-1161", - "title": "Reducing physical storage and handling requirements", + "id": "control-1314", + "title": "Choosing wireless access points", "parts": [ { - "id": "control-1161-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-0457", - "title": "Reducing physical storage and handling requirements", + "id": "control-0536", + "title": "Wireless networks for public access", "parts": [ { - "id": "control-0457-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." 
+ "prose": "Wireless networks provided for the general public to access are segregated from all other networks." } ] }, { - "id": "control-0460", - "title": "Reducing physical storage and handling requirements", + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", "parts": [ { - "id": "control-0460-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." } ] }, { - "id": "control-0459", - "title": "Encrypting information at rest", + "id": "control-1316", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0459-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "The default SSID of wireless access points is changed." } ] }, { - "id": "control-0461", - "title": "Encrypting information at rest", + "id": "control-1317", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." 
} ] }, { - "id": "control-1080", - "title": "Encrypting particularly important information at rest", + "id": "control-1318", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1080-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." + "prose": "SSID broadcasting is enabled on wireless networks." } ] }, { - "id": "control-0455", - "title": "Data recovery", + "id": "control-1319", + "title": "Static addressing", "parts": [ { - "id": "control-0455-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." } ] }, { - "id": "control-0462", - "title": "Handling encrypted ICT equipment and media", + "id": "control-1320", + "title": "Media Access Control address filtering", "parts": [ { - "id": "control-0462-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." 
} ] }, { - "id": "control-1162", - "title": "Encrypting information in transit", + "id": "control-1321", + "title": "802.1X authentication", "parts": [ { - "id": "control-1162-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] }, { - "id": "control-0465", - "title": "Encrypting information in transit", + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", "parts": [ { - "id": "control-0465-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." } ] }, { - "id": "control-0467", - "title": "Encrypting information in transit", + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0467-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." 
} ] }, { - "id": "control-0469", - "title": "Encrypting particularly important information in transit", - "parts": [ - { - "id": "control-0469-stmt", - "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." - } - ] - } - ] - }, - { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", - "controls": [ - { - "id": "control-0494", - "title": "Mode of operation", + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0494-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "Both device and user certificates are required for accessing wireless networks." } ] }, { - "id": "control-0496", - "title": "Protocol selection", + "id": "control-1325", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0496-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." } ] }, { - "id": "control-1233", - "title": "Key exchange", + "id": "control-1326", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1233-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." 
} ] }, { - "id": "control-0497", - "title": "Internet Security Association Key Management Protocol modes", + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0497-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." } ] }, { - "id": "control-0498", - "title": "Security association lifetimes", + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", "parts": [ { - "id": "control-0498-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." } ] }, { - "id": "control-0998", - "title": "Hashed Message Authentication Code algorithms", + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", "parts": [ { - "id": "control-0998-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] }, { - "id": "control-0999", - "title": "Diffie-Hellman groups", + "id": "control-1332", + "title": "Encryption of wireless network traffic", "parts": [ { - "id": "control-0999-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." 
} ] }, { - "id": "control-1000", - "title": "Perfect Forward Secrecy", + "id": "control-1334", + "title": "Interference between wireless networks", "parts": [ { - "id": "control-1000-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." } ] }, { - "id": "control-1001", - "title": "Internet Key Exchange Extended Authentication", + "id": "control-1335", + "title": "Protecting management frames on wireless networks", "parts": [ { - "id": "control-1001-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ - { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ + }, { - "id": "control-0041", - "title": "System security plan", + "id": "control-1338", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0041-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." 
} ] }, { - "id": "control-0043", - "title": "Incident response plan", + "id": "control-1013", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0043-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." 
} ] - }, + } + ] + }, + { + "id": "network_design_and_configuration", + "title": "Network design and configuration", + "controls": [ { - "id": "control-1163", - "title": "Continuous monitoring plan", + "id": "control-0516", + "title": "Network documentation", "parts": [ { - "id": "control-1163-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." } ] }, { - "id": "control-1563", - "title": "Security assessment report", + "id": "control-0518", + "title": "Network documentation", "parts": [ { - "id": "control-1563-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." 
} ] }, { - "id": "control-1564", - "title": "Plan of action and milestones", + "id": "control-1178", + "title": "Network documentation", "parts": [ { - "id": "control-1564-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." } ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ + }, { - "id": "control-0039", - "title": "Cyber security strategy", + "id": "control-1181", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0039-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." } ] }, { - "id": "control-0047", - "title": "Approval of security documentation", + "id": "control-1577", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0047-stmt", + "id": "control-1577-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "Organisation networks are segregated from service provider networks." 
} ] }, { - "id": "control-0888", - "title": "Maintenance of security documentation", + "id": "control-1532", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0888-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1602", - "title": "Communication of security documentation", + "id": "control-0529", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1602-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", - "controls": [ + }, { - "id": "control-0252", - "title": "Providing cyber security awareness training", + "id": "control-1364", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0252-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." 
+ "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." } ] }, { - "id": "control-1565", - "title": "Providing cyber security awareness training", + "id": "control-0535", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1565-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "Tailored privileged user training is undertaken annually by all privileged users." + "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-0817", - "title": "Reporting suspicious contact via online services", + "id": "control-0530", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0817-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." + "prose": "Network devices implementing VLANs are managed from the most trusted network." } ] }, { - "id": "control-0820", - "title": "Posting work information to online services", + "id": "control-0521", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0820-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-1146", - "title": "Posting work information to online services", + "id": "control-1186", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." 
+ "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." } ] }, { - "id": "control-0821", - "title": "Posting personal information to online services", + "id": "control-1428", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0821-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-0824", - "title": "Sending and receiving files via online services", + "id": "control-1429", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0824-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." } ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "System access requirements", + "id": "control-1430", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0432-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." + "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." 
} ] }, { - "id": "control-0434", - "title": "System access requirements", + "id": "control-0520", + "title": "Network access controls", "parts": [ { - "id": "control-0434-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] }, { - "id": "control-0435", - "title": "System access requirements", + "id": "control-1182", + "title": "Network access controls", "parts": [ { - "id": "control-0435-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] }, { - "id": "control-0414", - "title": "User identification", + "id": "control-1301", + "title": "Network device register", "parts": [ { - "id": "control-0414-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "A network device register is maintained and regularly audited." } ] }, { - "id": "control-0415", - "title": "User identification", + "id": "control-1304", + "title": "Default accounts for network devices", "parts": [ { - "id": "control-0415-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." 
} ] }, { - "id": "control-1583", - "title": "User identification", + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", "parts": [ { - "id": "control-1583-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Personnel who are contractors are identified as such." + "prose": "Unused physical ports on network devices are disabled." } ] }, { - "id": "control-0975", - "title": "User identification", + "id": "control-0385", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0975-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-0420", - "title": "User identification", + "id": "control-1479", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0420-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-0405", - "title": "Standard access to systems", + "id": "control-1006", + "title": "Management traffic", "parts": [ { - "id": "control-0405-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." 
} ] }, { - "id": "control-1503", - "title": "Standard access to systems", + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1503-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "SNMP version 1 and 2 are not used on networks." } ] }, { - "id": "control-1566", - "title": "Standard access to systems", + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1566-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." } ] }, { - "id": "control-0409", - "title": "Standard access to systems by foreign nationals", + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0409-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." 
} ] }, { - "id": "control-0411", - "title": "Standard access to systems by foreign nationals", + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0411-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." } ] }, { - "id": "control-1507", - "title": "Privileged access to systems", + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1507-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] }, { - "id": "control-1508", - "title": "Privileged access to systems", + "id": "control-1627", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-1508-stmt", + "id": "control-1627-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." 
} ] }, { - "id": "control-0445", - "title": "Privileged access to systems", + "id": "control-1628", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-0445-stmt", + "id": "control-1628-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "Outbound network connections to anonymity networks are blocked." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ + { + "id": "system_owners", + "title": "System owners", + "controls": [ { - "id": "control-1509", - "title": "Privileged access to systems", + "id": "control-1071", + "title": "System ownership and oversight", "parts": [ { - "id": "control-1509-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "Each system has a designated system owner." } ] }, { - "id": "control-1175", - "title": "Privileged access to systems", + "id": "control-1525", + "title": "System ownership and oversight", "parts": [ { - "id": "control-1175-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + "prose": "System owners register each system with its authorising officer." } ] }, { - "id": "control-0448", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1633", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-0448-stmt", + "id": "control-1633-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." 
+ "prose": "System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised." } ] }, { - "id": "control-0446", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1634", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-0446-stmt", + "id": "control-1634-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." + "prose": "System owners select security controls for each system and tailor them to achieve desired security objectives." } ] }, { - "id": "control-0447", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1635", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-0447-stmt", + "id": "control-1635-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "System owners implement identified security controls within each system and its operating environment." } ] }, { - "id": "control-0430", - "title": "Suspension of access to systems", + "id": "control-1636", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-0430-stmt", + "id": "control-1636-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "System owners ensure security controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended." 
} ] }, { - "id": "control-1591", - "title": "Suspension of access to systems", + "id": "control-0027", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1591-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." + "prose": "System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation." } ] }, { - "id": "control-1404", - "title": "Suspension of access to systems", + "id": "control-1526", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1404-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis." } ] }, { - "id": "control-0407", - "title": "Recording authorisation for personnel to access systems", + "id": "control-1587", + "title": "Annual reporting of system security status", "parts": [ { - "id": "control-0407-stmt", + "id": "control-1587-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." + "prose": "System owners report the security status of each system to its authorising officer at least annually." 
} ] - }, + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ { - "id": "control-0441", - "title": "Temporary access to systems", + "id": "control-0714", + "title": "Providing cyber security leadership and guidance", "parts": [ { - "id": "control-0441-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." } ] }, { - "id": "control-0443", - "title": "Temporary access to systems", + "id": "control-1478", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-0443-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." } ] }, { - "id": "control-1610", - "title": "Emergency access to systems", + "id": "control-1617", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1610-stmt", + "id": "control-1617-stmt", "name": "statement", - "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." 
} ] }, { - "id": "control-1611", - "title": "Emergency access to systems", + "id": "control-0724", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1611-stmt", + "id": "control-0724-stmt", "name": "statement", - "prose": "Break glass accounts are only used when normal authentication processes cannot be used." + "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." } ] }, { - "id": "control-1612", - "title": "Emergency access to systems", + "id": "control-0725", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-1612-stmt", + "id": "control-0725-stmt", "name": "statement", - "prose": "Break glass accounts are only used for specific authorised activities." + "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." } ] }, { - "id": "control-1613", - "title": "Emergency access to systems", + "id": "control-0726", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-1613-stmt", + "id": "control-0726-stmt", "name": "statement", - "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." + "prose": "The CISO coordinates security risk management activities between cyber security and business teams." } ] }, { - "id": "control-1614", - "title": "Emergency access to systems", + "id": "control-0718", + "title": "Reporting on cyber security", "parts": [ { - "id": "control-1614-stmt", + "id": "control-0718-stmt", "name": "statement", - "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." + "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." 
} ] }, { - "id": "control-1615", - "title": "Emergency access to systems", + "id": "control-0733", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-1615-stmt", + "id": "control-0733-stmt", "name": "statement", - "prose": "Break glass accounts are tested after credentials are changed." + "prose": "The CISO is fully aware of all cyber security incidents within their organisation." } ] }, { - "id": "control-0078", - "title": "Control of Australian systems", + "id": "control-1618", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-0078-stmt", + "id": "control-1618-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "The CISO oversees their organisation’s response to cyber security incidents." } ] }, { - "id": "control-0854", - "title": "Control of Australian systems", + "id": "control-0734", + "title": "Contributing to business continuity and disaster recovery planning", "parts": [ { - "id": "control-0854-stmt", + "id": "control-0734-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." + "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", - "groups": [ - { - "id": "authentication_hardening", - "title": "Authentication hardening", - "controls": [ + }, { - "id": "control-1546", - "title": "Authenticating to systems", + "id": "control-0720", + "title": "Developing a cyber security communications strategy", "parts": [ { - "id": "control-1546-stmt", + "id": "control-0720-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." } ] }, { - "id": "control-0974", - "title": "Multi-factor authentication", + "id": "control-0731", + "title": "Working with suppliers and service providers", "parts": [ { - "id": "control-0974-stmt", + "id": "control-0731-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." } ] }, { - "id": "control-1173", - "title": "Multi-factor authentication", + "id": "control-0732", + "title": "Receiving and managing a dedicated cyber security budget", "parts": [ { - "id": "control-1173-stmt", + "id": "control-0732-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." } ] }, { - "id": "control-1384", - "title": "Multi-factor authentication", + "id": "control-0717", + "title": "Overseeing cyber security personnel", "parts": [ { - "id": "control-1384-stmt", + "id": "control-0717-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." 
+ "prose": "The CISO oversees the management of cyber security personnel within their organisation." } ] }, { - "id": "control-1504", - "title": "Multi-factor authentication", + "id": "control-0735", + "title": "Overseeing cyber security awareness raising", "parts": [ { - "id": "control-1504-stmt", + "id": "control-0735-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_data_transfers", + "title": "Guidelines for Data Transfers", + "groups": [ + { + "id": "data_transfers", + "title": "Data transfers", + "controls": [ { - "id": "control-1505", - "title": "Multi-factor authentication", + "id": "control-0663", + "title": "Data transfer process and procedures", "parts": [ { - "id": "control-1505-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-1401", - "title": "Multi-factor authentication", + "id": "control-0661", + "title": "User responsibilities", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." 
} ] }, { - "id": "control-1559", - "title": "Multi-factor authentication", + "id": "control-0665", + "title": "Trusted sources", "parts": [ { - "id": "control-1559-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." } ] }, { - "id": "control-1560", - "title": "Multi-factor authentication", + "id": "control-0664", + "title": "Data transfer approval", "parts": [ { - "id": "control-1560-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." } ] }, { - "id": "control-1561", - "title": "Multi-factor authentication", + "id": "control-0675", + "title": "Data transfer approval", "parts": [ { - "id": "control-1561-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "A trusted source signs all data authorised for export from a system." } ] }, { - "id": "control-1357", - "title": "Multi-factor authentication", + "id": "control-0657", + "title": "Import of data", "parts": [ { - "id": "control-1357-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." + "prose": "Data imported to a system is scanned for malicious and active content." 
} ] }, { - "id": "control-0417", - "title": "Single-factor authentication", + "id": "control-0658", + "title": "Import of data", "parts": [ { - "id": "control-0417-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." } ] }, { - "id": "control-0421", - "title": "Single-factor authentication", + "id": "control-1187", + "title": "Export of data", "parts": [ { - "id": "control-0421-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "When exporting data, protective marking checks are undertaken." } ] }, { - "id": "control-1557", - "title": "Single-factor authentication", + "id": "control-0669", + "title": "Export of data", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." 
} ] }, { - "id": "control-0422", - "title": "Single-factor authentication", + "id": "control-1535", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-0422-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-1558", - "title": "Single-factor authentication", + "id": "control-0678", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." } ] }, { - "id": "control-1596", - "title": "Single-factor authentication", + "id": "control-1586", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1596-stmt", + "id": "control-1586-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." + "prose": "Data transfer logs are used to record all data imports and exports from systems." 
} ] }, { - "id": "control-1227", - "title": "Setting and resetting credentials for user accounts", + "id": "control-1294", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1227-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." + "prose": "Data transfer logs are partially audited at least monthly." } ] }, { - "id": "control-1593", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0660", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1593-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." + "prose": "Data transfer logs are fully audited at least monthly." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_ict_equipment", + "title": "Guidelines for ICT Equipment", + "groups": [ + { + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", + "controls": [ { - "id": "control-1594", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1594-stmt", + "id": "control-0313-stmt", "name": "statement", - "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." 
} ] }, { - "id": "control-1595", - "title": "Setting and resetting credentials for user accounts", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1595-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-1619", - "title": "Setting and resetting credentials for service accounts", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1619-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "Service accounts are created as group Managed Service Accounts." + "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." } ] }, { - "id": "control-1403", - "title": "Account lockouts", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1403-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." 
} ] }, { - "id": "control-0431", - "title": "Account lockouts", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0431-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-0976", - "title": "Account unlocks", + "id": "control-0315", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-0976-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." + "prose": "When disposing of high assurance ICT equipment, it is destroyed prior to its disposal." } ] }, { - "id": "control-1603", - "title": "Insecure authentication methods", + "id": "control-0321", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1603-stmt", + "id": "control-0321-stmt", "name": "statement", - "prose": "Authentication methods susceptible to replay attacks are disabled." + "prose": "When disposing of ICT equipment that has been designed or modified to meet TEMPEST standards, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-1055", - "title": "Insecure authentication methods", + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1055-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." 
+ "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." } ] }, { - "id": "control-1620", - "title": "Insecure authentication methods", + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1620-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "Privileged accounts are members of the Protected Users security group." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." } ] }, { - "id": "control-0418", - "title": "Protecting credentials", + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0418-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." } ] }, { - "id": "control-1597", - "title": "Protecting credentials", + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1597-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Credentials are obscured as they are entered into systems." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." 
} ] }, { - "id": "control-1402", - "title": "Protecting credentials", + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1402-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." } ] }, { - "id": "control-1590", - "title": "Protecting credentials", + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1590-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-0853", - "title": "Session termination", + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0853-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." + "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." 
} ] }, { - "id": "control-0428", - "title": "Session and screen locking", + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0428-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." } ] }, { - "id": "control-0408", - "title": "Logon banner", + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0408-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-0979", - "title": "Logon banner", + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0979-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." 
} ] - } - ] - }, - { - "id": "operating_system_hardening", - "title": "Operating system hardening", - "controls": [ + }, { - "id": "control-1406", - "title": "Standard Operating Environments", + "id": "control-1223", + "title": "Sanitising network devices", "parts": [ { - "id": "control-1406-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "SOEs are used for workstations and servers." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." } ] }, { - "id": "control-1608", - "title": "Standard Operating Environments", + "id": "control-1225", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1608-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-1588", - "title": "Standard Operating Environments", + "id": "control-1226", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1588-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "SOEs are reviewed and updated at least annually." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-1407", - "title": "Operating system versions", + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", "parts": [ { - "id": "control-1407-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." } ] }, { - "id": "control-1408", - "title": "Operating system versions", + "id": "control-0305", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-1408-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." } ] }, { - "id": "control-1409", - "title": "Operating system configuration", + "id": "control-0307", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-1409-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-0383", - "title": "Operating system configuration", + "id": "control-0306", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0383-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." 
+ "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." } ] }, { - "id": "control-0380", - "title": "Operating system configuration", + "id": "control-0310", + "title": "Off-site maintenance and repairs", "parts": [ { - "id": "control-0380-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] }, { - "id": "control-1584", - "title": "Operating system configuration", + "id": "control-0944", + "title": "Maintenance and repair of ICT equipment from secured spaces", "parts": [ { - "id": "control-1584-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." + "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." 
} ] }, { - "id": "control-1491", - "title": "Operating system configuration", + "id": "control-1598", + "title": "Inspection of ICT equipment following maintenance and repairs", "parts": [ { - "id": "control-1491-stmt", + "id": "control-1598-stmt", "name": "statement", - "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe)\n• Microsoft HTML Application Host (mshta.exe)." + "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." } ] - }, + } + ] + }, + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ { - "id": "control-1410", - "title": "Local administrator accounts", + "id": "control-1551", + "title": "ICT equipment management policy", "parts": [ { - "id": "control-1410-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-1469", - "title": "Local administrator accounts", + "id": "control-0293", + "title": "Classifying ICT equipment", "parts": [ { - "id": "control-1469-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." 
} ] }, { - "id": "control-1592", - "title": "Application management", + "id": "control-0294", + "title": "Labelling ICT equipment", "parts": [ { - "id": "control-1592-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "Users do not have the ability to install unapproved software." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-0382", - "title": "Application management", + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", "parts": [ { - "id": "control-0382-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "Users do not have the ability to uninstall or disable approved software." + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] }, { - "id": "control-0843", - "title": "Application control", + "id": "control-1599", + "title": "Handling ICT equipment", "parts": [ { - "id": "control-0843-stmt", + "id": "control-1599-stmt", "name": "statement", - "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-1490", - "title": "Application control", + "id": "control-0039", + "title": "Cyber security strategy", "parts": [ { - "id": "control-1490-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-0955", - "title": "Application control", + "id": "control-0047", + "title": "Approval of security documentation", "parts": [ { - "id": "control-0955-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." } ] }, { - "id": "control-1582", - "title": "Application control", + "id": "control-0888", + "title": "Maintenance of security documentation", "parts": [ { - "id": "control-1582-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." 
} ] }, { - "id": "control-1471", - "title": "Application control", + "id": "control-1602", + "title": "Communication of security documentation", "parts": [ { - "id": "control-1471-stmt", + "id": "control-1602-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." + "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." } ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-1392", - "title": "Application control", + "id": "control-0041", + "title": "System security plan", "parts": [ { - "id": "control-1392-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-1544", - "title": "Application control", + "id": "control-0043", + "title": "Incident response plan", "parts": [ { - "id": "control-1544-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." 
+ "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." } ] }, { - "id": "control-0846", - "title": "Application control", + "id": "control-1163", + "title": "Continuous monitoring plan", "parts": [ { - "id": "control-0846-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." + "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." 
} ] }, { - "id": "control-0957", - "title": "Application control", + "id": "control-1563", + "title": "Security assessment report", "parts": [ { - "id": "control-0957-stmt", + "id": "control-1563-stmt", "name": "statement", - "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." } ] }, { - "id": "control-1414", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-1564", + "title": "Plan of action and milestones", "parts": [ { - "id": "control-1414-stmt", + "id": "control-1564-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media", + "title": "Guidelines for Media", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-1492", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-0363", + "title": "Media destruction process and procedures", "parts": [ { - "id": "control-1492-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "If supported, Microsoft’s exploit protection functionality is implemented on workstations and servers." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-1621", - "title": "PowerShell", + "id": "control-0350", + "title": "Media that cannot be sanitised", "parts": [ { - "id": "control-1621-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "PowerShell 2.0 and below is removed from operating systems." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." } ] }, { - "id": "control-1622", - "title": "PowerShell", + "id": "control-1361", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1622-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "PowerShell is configured to use Constrained Language Mode." + "prose": "SCEC or ASIO approved equipment is used when destroying media." } ] }, { - "id": "control-1623", - "title": "PowerShell", + "id": "control-1160", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1623-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." 
+ "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." } ] }, { - "id": "control-1624", - "title": "PowerShell", + "id": "control-1517", + "title": "Media destruction methods", "parts": [ { - "id": "control-1624-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." + "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." } ] }, { - "id": "control-1341", - "title": "Host-based Intrusion Prevention System", + "id": "control-0366", + "title": "Media destruction methods", "parts": [ { - "id": "control-1341-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." } ] }, { - "id": "control-1034", - "title": "Host-based Intrusion Prevention System", + "id": "control-0368", + "title": "Treatment of media waste particles", "parts": [ { - "id": "control-1034-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." 
} ] }, { - "id": "control-1416", - "title": "Software firewall", + "id": "control-0361", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1416-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." } ] }, { - "id": "control-1417", - "title": "Antivirus software", + "id": "control-0838", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1417-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." } ] }, { - "id": "control-1390", - "title": "Antivirus software", + "id": "control-0362", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1390-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." 
} ] }, { - "id": "control-1418", - "title": "Device access control software", + "id": "control-0370", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1418-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-0345", - "title": "Device access control software", + "id": "control-0371", + "title": "Supervision of destruction", "parts": [ { - "id": "control-0345-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "External interfaces of workstations and servers that allow DMA are disabled." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." } ] - } - ] - }, - { - "id": "application_hardening", - "title": "Application hardening", - "controls": [ + }, { - "id": "control-0938", - "title": "Application selection", + "id": "control-0372", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-0938-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." 
} ] }, { - "id": "control-1467", - "title": "Application versions", + "id": "control-0373", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1467-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." } ] }, { - "id": "control-1483", - "title": "Application versions", + "id": "control-0840", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1483-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." } ] }, { - "id": "control-1412", - "title": "Hardening application configurations", + "id": "control-0839", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1412-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." 
} ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-1484", - "title": "Hardening application configurations", + "id": "control-0374", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1484-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." } ] }, { - "id": "control-1485", - "title": "Hardening application configurations", + "id": "control-0375", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1486", - "title": "Hardening application configurations", + "id": "control-0378", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1486-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." 
} ] - }, + } + ] + }, + { + "id": "media_usage", + "title": "Media usage", + "controls": [ { - "id": "control-1541", - "title": "Hardening application configurations", + "id": "control-1549", + "title": "Media management policy", "parts": [ { - "id": "control-1541-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-1542", - "title": "Hardening application configurations", + "id": "control-1359", + "title": "Removable media usage policy", "parts": [ { - "id": "control-1542-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "A removable media usage policy is developed and implemented." } ] }, { - "id": "control-1470", - "title": "Hardening application configurations", + "id": "control-0323", + "title": "Classifying media storing information", "parts": [ { - "id": "control-1470-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." } ] }, { - "id": "control-1235", - "title": "Hardening application configurations", + "id": "control-0325", + "title": "Classifying media connected to systems", "parts": [ { - "id": "control-1235-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." 
+ "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-1601", - "title": "Hardening application configurations", + "id": "control-0331", + "title": "Reclassifying media", "parts": [ { - "id": "control-1601-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." } ] }, { - "id": "control-1585", - "title": "Hardening application configurations", + "id": "control-0330", + "title": "Reclassifying media", "parts": [ { - "id": "control-1585-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." + "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." } ] }, { - "id": "control-1487", - "title": "Microsoft Office macros", + "id": "control-0332", + "title": "Labelling media", "parts": [ { - "id": "control-1487-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." 
+ "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-1488", - "title": "Microsoft Office macros", + "id": "control-1600", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1488-stmt", + "id": "control-1600-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "Media is sanitised before it is used with systems for the first time." } ] }, { - "id": "control-1489", - "title": "Microsoft Office macros", + "id": "control-0337", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1489-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." } ] - } - ] - }, - { - "id": "virtualisation_hardening", - "title": "Virtualisation hardening", - "controls": [ - { - "id": "control-1460", - "title": "Functional separation between computing environments", + }, + { + "id": "control-0341", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1460-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." 
} ] }, { - "id": "control-1604", - "title": "Functional separation between computing environments", + "id": "control-0342", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1604-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-1605", - "title": "Functional separation between computing environments", + "id": "control-0343", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1605-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-1606", - "title": "Functional separation between computing environments", + "id": "control-0831", + "title": "Handling media", "parts": [ { - "id": "control-1606-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
} ] }, { - "id": "control-1607", - "title": "Functional separation between computing environments", + "id": "control-1059", + "title": "Handling media", "parts": [ { - "id": "control-1607-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1462", - "title": "Functional separation between computing environments", + "id": "control-0347", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." } ] }, { - "id": "control-1461", - "title": "Functional separation between computing environments", + "id": "control-0947", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1461-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain." + "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ + }, { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", + "id": "media_sanitisation", + "title": "Media sanitisation", "controls": [ { - "id": "control-0580", - "title": "Event logging policy", + "id": "control-0348", + "title": "Media sanitisation process and procedures", "parts": [ { - "id": "control-0580-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-1405", - "title": "Centralised logging facility", + "id": "control-0351", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1405-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0988", - "title": "Centralised logging facility", + "id": "control-0352", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-0988-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." 
} ] }, { - "id": "control-0584", - "title": "Events to be logged", + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", "parts": [ { - "id": "control-0584-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-0582", - "title": "Events to be logged", + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-0582-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." + "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-1536", - "title": "Events to be logged", + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1536-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." 
+ "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1537", - "title": "Events to be logged", + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1537-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." } ] }, { - "id": "control-0585", - "title": "Events log details", + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", "parts": [ { - "id": "control-0585-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." 
} ] }, { - "id": "control-0586", - "title": "Event log protection", + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-0586-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0859", - "title": "Event log retention", + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-0859-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0991", - "title": "Event log retention", + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", "parts": [ { - "id": "control-0991-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." 
} ] }, { - "id": "control-0109", - "title": "Event log auditing process and procedures", + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", "parts": [ { - "id": "control-0109-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1228", - "title": "Event log auditing process and procedures", + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", "parts": [ { - "id": "control-1228-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + } + ] + }, + { + "id": "control-1464", + "title": "Encrypted media sanitisation", + "parts": [ + { + "id": "control-1464-stmt", + "name": "statement", + "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." } ] } 
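Review bot: the controls removed in this hunk (the functional-separation controls 1604, 1605, 1606, 1607, 1462 and 1461, and the entire `guidelines_for_system_monitoring` group with its event-logging controls such as `control-0580` and `control-1405`) have no matching additions in view, and the media and `media_sanitisation` controls that replace them have no matching removals, so the diff cannot show whether the April 2020 catalog changed content or only group ordering. Please state in the PR description that the regenerated catalog has the same set of control ids as before (a sorted diff of the `"id"` values of both files would do), and call out the one block that is a pure `+` addition here with no `-` counterpart, `"id": "control-1464"` / `"title": "Encrypted media sanitisation"`, so that reviewers know it is intended. A stable group ordering in the generator would make future catalog refreshes reviewable as content changes.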
@@ -5907,3204 +5873,3238 @@ ] }, { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", + "id": "guidelines_for_cryptography", + "title": "Guidelines for Cryptography", "groups": [ { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", + "id": "secure_shell", + "title": "Secure Shell", "controls": [ { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-1506", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-0123-stmt", + "id": "control-1506-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "The use of SSH version 1 is disabled." } ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-0484", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-0141-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-1433", - "title": "Reporting cyber security incidents", + "id": "control-0485", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1433-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." + "prose": "Public key-based authentication is used for SSH connections." 
} ] }, { - "id": "control-1434", - "title": "Reporting cyber security incidents", + "id": "control-1449", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1434-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "SSH private keys are protected with a passphrase or a key encryption key." } ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents to the ACSC", + "id": "control-0487", + "title": "Automated remote access", "parts": [ { - "id": "control-0140-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + } + ] + }, + { + "id": "control-0488", + "title": "Automated remote access", + "parts": [ + { + "id": "control-0488-stmt", + "name": "statement", + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + } + ] + }, + { + "id": "control-0489", + "title": "SSH-agent", + "parts": [ + { + "id": "control-0489-stmt", + "name": "statement", + "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." 
} ] } ] }, { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", "controls": [ { - "id": "control-0125", - "title": "Cyber security incident register", + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0125-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." + "prose": "Only AACAs are used by cryptographic equipment and software." } ] }, { - "id": "control-0133", - "title": "Handling and containing data spills", + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", "parts": [ { - "id": "control-0133-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." 
} ] }, { - "id": "control-0917", - "title": "Handling and containing malicious code infections", + "id": "control-0472", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-0917-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used." } ] }, { - "id": "control-0137", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-1629", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-0137-stmt", + "id": "control-1629-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3." } ] }, { - "id": "control-1609", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-1609-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "When using DSA for digital signatures, a modulus of at least 2048 bits is used." 
} ] }, { - "id": "control-1213", - "title": "Post-incident analysis", + "id": "control-1630", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-1213-stmt", + "id": "control-1630-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + "prose": "When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4." } ] }, { - "id": "control-0138", - "title": "Integrity of evidence", + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", "parts": [ { - "id": "control-0138-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." } ] - } - ] - }, - { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", - "controls": [ + }, { - "id": "control-0576", - "title": "Intrusion detection and prevention policy", + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", "parts": [ { - "id": "control-0576-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used." 
} ] }, { - "id": "control-1625", - "title": "Trusted insider program", + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", "parts": [ { - "id": "control-1625-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "A trusted insider program is developed and implemented." + "prose": "When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used." } ] }, { - "id": "control-1626", - "title": "Trusted insider program", + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-1626-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used." } ] }, { - "id": "control-0120", - "title": "Access to sufficient data sources and tools", + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0120-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ - { - "id": "mobile_device_usage", - "title": "Mobile device usage", - "controls": [ + }, { - "id": "control-1082", - "title": "Mobile device usage policy", + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", "parts": [ { - "id": "control-1082-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." } ] }, { - "id": "control-1083", - "title": "Personnel awareness", + "id": "control-0480", + "title": "Using the Triple Data Encryption Standard", "parts": [ { - "id": "control-1083-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "3DES is used with three distinct keys." } ] }, { - "id": "control-0240", - "title": "Paging and message services", + "id": "control-1232", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "AACAs are used in an evaluated implementation." 
} ] }, { - "id": "control-0866", - "title": "Using mobile devices in public spaces", + "id": "control-1468", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0866-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." } ] - }, + } + ] + }, + { + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", + "controls": [ { - "id": "control-1145", - "title": "Using mobile devices in public spaces", + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-1145-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." + "prose": "Versions of S/MIME earlier than 3.0 are not used." } ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-0871", - "title": "Maintaining control of mobile devices", + "id": "control-1139", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0871-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "Only the latest version of TLS is used." } ] }, { - "id": "control-0870", - "title": "Maintaining control of mobile devices", + "id": "control-1369", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0870-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." 
+ "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-1084", - "title": "Carrying mobile devices", + "id": "control-1370", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1084-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "Only server-initiated secure renegotiation is used." } ] }, { - "id": "control-0701", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1372", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0701-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "DH or ECDH is used for key establishment." } ] }, { - "id": "control-0702", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1448", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0702-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." 
} ] }, { - "id": "control-1298", - "title": "Before travelling overseas with mobile devices", + "id": "control-1373", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1298-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-1554", - "title": "Before travelling overseas with mobile devices", + "id": "control-1374", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1554-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "SHA-2-based certificates are used." } ] }, { - "id": "control-1555", - "title": "Before travelling overseas with mobile devices", + "id": "control-1375", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1555-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." 
+ "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." } ] }, { - "id": "control-1299", - "title": "While travelling overseas with mobile devices", + "id": "control-1553", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1299-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "TLS compression is disabled." 
} ] }, { - "id": "control-1088", - "title": "While travelling overseas with mobile devices", + "id": "control-1453", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1088-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." + "prose": "PFS is used for TLS connections." } ] - }, + } + ] + }, + { + "id": "cryptographic_system_management", + "title": "Cryptographic system management", + "controls": [ { - "id": "control-1300", - "title": "After travelling overseas with mobile devices", + "id": "control-0501", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1300-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." 
} ] }, { - "id": "control-1556", - "title": "After travelling overseas with mobile devices", + "id": "control-0142", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1556-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." } ] - } - ] - }, - { - "id": "mobile_device_management", - "title": "Mobile device management", - "controls": [ + }, { - "id": "control-1533", - "title": "Mobile device management policy", + "id": "control-1091", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1533-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "Keying material is changed when compromised or suspected of being compromised." } ] }, { - "id": "control-1195", - "title": "Mobile device management policy", + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", "parts": [ { - "id": "control-1195-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." 
} ] }, { - "id": "control-0687", - "title": "Mobile device management policy", + "id": "control-0505", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-0687-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." } ] }, { - "id": "control-1400", - "title": "Privately-owned mobile devices", + "id": "control-0506", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1400-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." } ] - }, + } + ] + }, + { + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", + "controls": [ { - "id": "control-0694", - "title": "Privately-owned mobile devices", + "id": "control-1161", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-0694-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems or information." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." 
} ] }, { - "id": "control-1297", - "title": "Seeking legal advice for privately-owned mobile devices", + "id": "control-0457", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1297-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." + "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] }, { - "id": "control-1482", - "title": "Organisation-owned mobile devices", + "id": "control-0460", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1482-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-0869", - "title": "Mobile device storage encryption", + "id": "control-0459", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0869-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." 
} ] }, { - "id": "control-1085", - "title": "Mobile device communications encryption", + "id": "control-0461", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-1085-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-1202", - "title": "Mobile device Bluetooth functionality", + "id": "control-1080", + "title": "Encrypting particularly important information at rest", "parts": [ { - "id": "control-1202-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." } ] }, { - "id": "control-0682", - "title": "Mobile device Bluetooth functionality", + "id": "control-0455", + "title": "Data recovery", "parts": [ { - "id": "control-0682-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." 
} ] }, { - "id": "control-1196", - "title": "Mobile device Bluetooth pairing", + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", "parts": [ { - "id": "control-1196-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] }, { - "id": "control-1200", - "title": "Mobile device Bluetooth pairing", + "id": "control-1162", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1200-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1198", - "title": "Mobile device Bluetooth pairing", + "id": "control-0465", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1198-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." 
} ] }, { - "id": "control-1199", - "title": "Mobile device Bluetooth pairing", + "id": "control-0467", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1199-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." + "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0863", - "title": "Configuration control", + "id": "control-0469", + "title": "Encrypting particularly important information in transit", "parts": [ { - "id": "control-0863-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ { - "id": "control-0864", - "title": "Configuration control", + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-0864-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "Only AACPs are used by cryptographic equipment and software." 
} ] - }, + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ { - "id": "control-1365", - "title": "Maintaining mobile device security", + "id": "control-0494", + "title": "Mode of operation", "parts": [ { - "id": "control-1365-stmt", + "id": "control-0494-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." } ] }, { - "id": "control-1366", - "title": "Maintaining mobile device security", + "id": "control-0496", + "title": "Protocol selection", "parts": [ { - "id": "control-1366-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "The ESP protocol is used for IPsec connections." } ] }, { - "id": "control-0874", - "title": "Connecting mobile devices to the internet", + "id": "control-1233", + "title": "Key exchange", "parts": [ { - "id": "control-0874-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-0705", - "title": "Connecting mobile devices to the internet", + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", "parts": [ { - "id": "control-0705-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", - "groups": [ - { - "id": "cable_labelling_and_registration", - "title": "Cable labelling and registration", - "controls": [ + }, { - "id": "control-0201", - "title": "Conduit label specifications", + "id": "control-0498", + "title": "Security association lifetimes", "parts": [ { - "id": "control-0201-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." } ] }, { - "id": "control-0202", - "title": "Conduit label specifications", + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", "parts": [ { - "id": "control-0202-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-0203", - "title": "Conduit label specifications", + "id": "control-0999", + "title": "Diffie-Hellman groups", "parts": [ { - "id": "control-0203-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." 
} ] }, { - "id": "control-0204", - "title": "Installing conduit labelling", + "id": "control-1000", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-0204-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." + "prose": "PFS is used for IPsec connections." } ] }, { - "id": "control-1095", - "title": "Labelling wall outlet boxes", + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", "parts": [ { - "id": "control-1095-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", + "groups": [ + { + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", + "controls": [ { - "id": "control-1096", - "title": "Labelling cables", + "id": "control-0252", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1096-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." + "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." 
} ] }, { - "id": "control-0206", - "title": "Cable labelling process and procedures", + "id": "control-1565", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-0206-stmt", + "id": "control-1565-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." + "prose": "Tailored privileged user training is undertaken annually by all privileged users." } ] }, { - "id": "control-0211", - "title": "Cable register", + "id": "control-0817", + "title": "Reporting suspicious contact via online services", "parts": [ { - "id": "control-0211-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "A cable register is maintained and regularly audited." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, { - "id": "control-0208", - "title": "Cable register", + "id": "control-0820", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0208-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "Cable registers contain the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." } ] - } - ] - }, - { - "id": "cable_patching", - "title": "Cable patching", - "controls": [ + }, { - "id": "control-0213", - "title": "Terminations to patch panels", + "id": "control-1146", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0213-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "Only approved cable groups terminate on a patch panel." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." 
} ] }, { - "id": "control-1093", - "title": "Patch cable and fly lead connectors", + "id": "control-0821", + "title": "Posting personal information to online services", "parts": [ { - "id": "control-1093-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." + "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." } ] }, { - "id": "control-0214", - "title": "Patch cable and fly lead connectors", + "id": "control-0824", + "title": "Sending and receiving files via online services", "parts": [ { - "id": "control-0214-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." } ] - }, + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ { - "id": "control-1094", - "title": "Patch cable and fly lead connectors", + "id": "control-0432", + "title": "System access requirements", "parts": [ { - "id": "control-1094-stmt", + "id": "control-0432-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." + "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." 
} ] }, { - "id": "control-0216", - "title": "Physical separation of patch panels", + "id": "control-0434", + "title": "System access requirements", "parts": [ { - "id": "control-0216-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." } ] }, { - "id": "control-0217", - "title": "Physical separation of patch panels", + "id": "control-0435", + "title": "System access requirements", "parts": [ { - "id": "control-0217-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] }, { - "id": "control-0218", - "title": "Fly lead installation", + "id": "control-0414", + "title": "User identification", "parts": [ { - "id": "control-0218-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." 
} ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ + }, { - "id": "control-0247", - "title": "Emanation security threat assessments in Australia", + "id": "control-0415", + "title": "User identification", "parts": [ { - "id": "control-0247-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-0248", - "title": "Emanation security threat assessments in Australia", + "id": "control-1583", + "title": "User identification", "parts": [ { - "id": "control-0248-stmt", + "id": "control-1583-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Personnel who are contractors are identified as such." } ] }, { - "id": "control-1137", - "title": "Emanation security threat assessments in Australia", + "id": "control-0975", + "title": "User identification", "parts": [ { - "id": "control-1137-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
+ "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0932", - "title": "Emanation security threat assessments outside Australia", + "id": "control-0420", + "title": "User identification", "parts": [ { - "id": "control-0932-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0249", - "title": "Emanation security threat assessments outside Australia", + "id": "control-0405", + "title": "Standard access to systems", "parts": [ { - "id": "control-0249-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-0246", - "title": "Early identification of emanation security issues", + "id": "control-1503", + "title": "Standard access to systems", "parts": [ { - "id": "control-0246-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." 
} ] }, { - "id": "control-0250", - "title": "Industry and government standards", + "id": "control-1566", + "title": "Standard access to systems", "parts": [ { - "id": "control-0250-stmt", + "id": "control-1566-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." } ] - } - ] - }, - { - "id": "cable_management", - "title": "Cable management", - "controls": [ + }, { - "id": "control-0181", - "title": "Cable standards", + "id": "control-0409", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0181-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-0926", - "title": "Cable colours", + "id": "control-0411", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0926-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." 
} ] }, { - "id": "control-0825", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-1507", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0825-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-0826", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-1508", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0826-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-1215", - "title": "Cable colour non-conformance", + "id": "control-0445", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1215-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." 
} ] }, { - "id": "control-1216", - "title": "Cable colour non-conformance", + "id": "control-1509", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1216-stmt", + "id": "control-1509-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-1112", - "title": "Inspecting cables", + "id": "control-1175", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1112-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." } ] }, { - "id": "control-1118", - "title": "Inspecting cables", + "id": "control-0448", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1118-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." } ] }, { - "id": "control-1119", - "title": "Inspecting cables", + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1119-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." 
+ "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." } ] }, { - "id": "control-1126", - "title": "Inspecting cables", + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1126-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." } ] }, { - "id": "control-0184", - "title": "Inspecting cables", + "id": "control-0430", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-0184-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." } ] }, { - "id": "control-0187", - "title": "Cable groupings", + "id": "control-1591", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-0187-stmt", + "id": "control-1591-stmt", "name": "statement", - "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." + "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." 
} ] }, { - "id": "control-1111", - "title": "Use of fibre-optic cables", + "id": "control-1404", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1111-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." } ] }, { - "id": "control-0189", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", "parts": [ { - "id": "control-0189-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." + "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." } ] }, { - "id": "control-0190", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-0441", + "title": "Temporary access to systems", "parts": [ { - "id": "control-0190-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." 
} ] }, { - "id": "control-1114", - "title": "Cables sharing a common reticulation system", + "id": "control-0443", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1114-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." } ] }, { - "id": "control-1130", - "title": "Enclosed cable reticulation systems", + "id": "control-1610", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1130-stmt", + "id": "control-1610-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1164", - "title": "Covers for enclosed cable reticulation systems", + "id": "control-1611", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1164-stmt", + "id": "control-1611-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Break glass accounts are only used when normal authentication processes cannot be used." 
} ] }, { - "id": "control-0195", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1612", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0195-stmt", + "id": "control-1612-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." + "prose": "Break glass accounts are only used for specific authorised activities." } ] }, { - "id": "control-0194", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1613", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0194-stmt", + "id": "control-1613-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." } ] }, { - "id": "control-1102", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1614", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1102-stmt", + "id": "control-1614-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." } ] }, { - "id": "control-1101", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1615", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1101-stmt", + "id": "control-1615-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." 
+ "prose": "Break glass accounts are tested after credentials are changed." } ] }, { - "id": "control-1103", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-0078", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1103-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." } ] }, { - "id": "control-1098", - "title": "Terminating cables in cabinets", + "id": "control-0854", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1098-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." + "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems", + "title": "Guidelines for Database Systems", + "groups": [ + { + "id": "database_servers", + "title": "Database servers", + "controls": [ { - "id": "control-1100", - "title": "Terminating cables in cabinets", + "id": "control-1425", + "title": "Protecting database server contents", "parts": [ { - "id": "control-1100-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." + "prose": "Hard disks of database servers are encrypted using full disk encryption." 
} ] }, { - "id": "control-1116", - "title": "Cabinet separation", + "id": "control-1269", + "title": "Functional separation between database servers and web servers", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-1115", - "title": "Cables in walls", + "id": "control-1277", + "title": "Communications between database servers and web servers", "parts": [ { - "id": "control-1115-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Information communicated between database servers and web applications is encrypted." } ] }, { - "id": "control-1133", - "title": "Cables in party walls", + "id": "control-1270", + "title": "Network environment", "parts": [ { - "id": "control-1133-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in a party wall." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-1122", - "title": "Wall penetrations", + "id": "control-1271", + "title": "Network environment", "parts": [ { - "id": "control-1122-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." 
} ] }, { - "id": "control-1134", - "title": "Wall penetrations", + "id": "control-1272", + "title": "Network environment", "parts": [ { - "id": "control-1134-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." } ] }, { - "id": "control-1104", - "title": "Wall outlet boxes", + "id": "control-1273", + "title": "Separation of production, test and development database servers", "parts": [ { - "id": "control-1104-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." + "prose": "Test and development environments do not use the same database servers as production environments." } ] - }, + } + ] + }, + { + "id": "databases", + "title": "Databases", + "controls": [ { - "id": "control-1105", - "title": "Wall outlet boxes", + "id": "control-1243", + "title": "Database register", "parts": [ { - "id": "control-1105-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." + "prose": "A database register is maintained and regularly audited." } ] }, { - "id": "control-1106", - "title": "Wall outlet boxes", + "id": "control-1256", + "title": "Protecting database contents", "parts": [ { - "id": "control-1106-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." 
+ "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-1107", - "title": "Wall outlet box colours", + "id": "control-1252", + "title": "Protecting authentication credentials in databases", "parts": [ { - "id": "control-1107-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1109", - "title": "Wall outlet box covers", + "id": "control-0393", + "title": "Protecting database contents", "parts": [ { - "id": "control-1109-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." } ] }, { - "id": "control-0198", - "title": "Audio secure spaces", + "id": "control-1255", + "title": "Protecting database contents", "parts": [ { - "id": "control-0198-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." } ] }, { - "id": "control-1123", - "title": "Power reticulation", + "id": "control-1268", + "title": "Protecting database contents", "parts": [ { - "id": "control-1123-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
+ "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." } ] }, { - "id": "control-1135", - "title": "Power reticulation", + "id": "control-1258", + "title": "Aggregation of database contents", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment", - "title": "Guidelines for ICT Equipment", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1274", + "title": "Separation of production, test and development databases", "parts": [ { - "id": "control-0313-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." 
} ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1275", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1550-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." } ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1276", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-0311-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." } ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1278", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1217-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." 
} ] - }, + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1245", + "title": "Temporary installation files and logs", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-0315", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1246", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0315-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "When disposing of high assurance ICT equipment, it is destroyed prior to its disposal." + "prose": "DBMS software is configured according to vendor guidance." } ] }, { - "id": "control-0321", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1247", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0321-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "When disposing of ICT equipment that has been designed or modified to meet TEMPEST standards, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." 
} ] }, { - "id": "control-1218", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1249", + "title": "Restricting privileges", "parts": [ { - "id": "control-1218-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] }, { - "id": "control-0312", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1250", + "title": "Restricting privileges", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." } ] }, { - "id": "control-0317", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1251", + "title": "Restricting privileges", "parts": [ { - "id": "control-0317-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "The ability of DBMS software to read local files from a server is disabled." 
} ] }, { - "id": "control-1219", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1260", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-1220", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1262", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1220-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-1221", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1261", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1221-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Database administrator accounts are not shared across different databases." } ] }, { - "id": "control-0318", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1263", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0318-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." 
+ "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-1534", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1264", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1534-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateways", + "title": "Guidelines for Gateways", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-1076", - "title": "Sanitising televisions and computer monitors", + "id": "control-1528", + "title": "Using firewalls", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1222", - "title": "Sanitising televisions and computer monitors", + "id": "control-0639", + "title": "Using firewalls", "parts": [ { - "id": "control-1222-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "An evaluated firewall is used between networks belonging to different security domains." 
} ] }, { - "id": "control-1223", - "title": "Sanitising network devices", + "id": "control-1194", + "title": "Using firewalls", "parts": [ { - "id": "control-1223-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." } ] }, { - "id": "control-1225", - "title": "Sanitising fax machines", + "id": "control-0641", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1225-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." } ] }, { - "id": "control-1226", - "title": "Sanitising fax machines", + "id": "control-0642", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1226-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." 
} ] } ] }, { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", + "id": "diodes", + "title": "Diodes", "controls": [ { - "id": "control-1079", - "title": "Maintenance and repairs of high assurance ICT equipment", + "id": "control-0643", + "title": "Using diodes", "parts": [ { - "id": "control-1079-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0305", - "title": "On-site maintenance and repairs", + "id": "control-0645", + "title": "Using diodes", "parts": [ { - "id": "control-0305-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." } ] }, { - "id": "control-0307", - "title": "On-site maintenance and repairs", + "id": "control-1157", + "title": "Using diodes", "parts": [ { - "id": "control-0307-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." 
} ] }, { - "id": "control-0306", - "title": "On-site maintenance and repairs", + "id": "control-1158", + "title": "Using diodes", "parts": [ { - "id": "control-0306-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." } ] }, { - "id": "control-0310", - "title": "Off-site maintenance and repairs", + "id": "control-0646", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0310-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-0944", - "title": "Maintenance and repair of ICT equipment from secured spaces", + "id": "control-0647", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0944-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." 
+ "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-1598", - "title": "Inspection of ICT equipment following maintenance and repairs", + "id": "control-0648", + "title": "Volume checking", "parts": [ { - "id": "control-1598-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." } ] } ] }, { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", + "id": "content_filtering", + "title": "Content filtering", "controls": [ { - "id": "control-1551", - "title": "ICT equipment management policy", + "id": "control-0659", + "title": "Content filtering", "parts": [ { - "id": "control-1551-stmt", + "id": "control-0659-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." } ] }, { - "id": "control-0293", - "title": "Classifying ICT equipment", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-0293-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." 
} ] }, { - "id": "control-0294", - "title": "Labelling ICT equipment", + "id": "control-0651", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0294-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." } ] }, { - "id": "control-0296", - "title": "Labelling high assurance ICT equipment", + "id": "control-0652", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0296-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." } ] }, { - "id": "control-1599", - "title": "Handling ICT equipment", + "id": "control-1389", + "title": "Automated dynamic analysis", "parts": [ { - "id": "control-1599-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0336", - "title": "ICT equipment and media register", + "id": "control-1284", + "title": "Content validation", "parts": [ { - "id": "control-0336-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." } ] }, { - "id": "control-0159", - "title": "ICT equipment and media register", + "id": "control-1286", + "title": "Content conversion and transformation", "parts": [ { - "id": "control-0159-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." } ] }, { - "id": "control-0161", - "title": "Securing ICT equipment and media", + "id": "control-1287", + "title": "Content sanitisation", "parts": [ { - "id": "control-0161-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." 
} ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Radio Frequency devices", + "id": "control-1288", + "title": "Antivirus scanning", "parts": [ { - "id": "control-1543-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] }, { - "id": "control-0225", - "title": "Radio Frequency devices", + "id": "control-1289", + "title": "Archive and container files", "parts": [ { - "id": "control-0225-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-0829", - "title": "Radio Frequency devices", + "id": "control-1290", + "title": "Archive and container files", "parts": [ { - "id": "control-0829-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-1058", - "title": "Bluetooth and wireless keyboards", + "id": "control-1291", + "title": "Archive and container files", "parts": [ { - "id": "control-1058-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." 
} ] }, { - "id": "control-0222", - "title": "Infrared keyboards", + "id": "control-0649", + "title": "Allowing access to specific content types", "parts": [ { - "id": "control-0222-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-0223", - "title": "Infrared keyboards", + "id": "control-1292", + "title": "Data integrity", "parts": [ { - "id": "control-0223-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." } ] }, { - "id": "control-0224", - "title": "Infrared keyboards", + "id": "control-0677", + "title": "Data integrity", "parts": [ { - "id": "control-0224-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "If data is signed, the signature is validated before the data is exported." 
} ] }, { - "id": "control-0221", - "title": "Wireless RF pointing devices", + "id": "control-1293", + "title": "Encrypted data", "parts": [ { - "id": "control-0221-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] } ] }, { - "id": "facilities_and_systems", - "title": "Facilities and systems", + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", "controls": [ { - "id": "control-0810", - "title": "Facilities containing systems", + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", "parts": [ { - "id": "control-0810-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-1053", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-1053-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." 
} ] }, { - "id": "control-1530", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-1530-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0813", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0635", + "title": "Separation of data flows", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-1074", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1521", + "title": "Separation of data flows", "parts": [ { - "id": "control-1074-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." 
} ] }, { - "id": "control-0157", - "title": "Network infrastructure", + "id": "control-1522", + "title": "Separation of data flows", "parts": [ { - "id": "control-0157-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." } ] }, { - "id": "control-1296", - "title": "Controlling physical access to network devices", + "id": "control-0670", + "title": "Event logging", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." } ] }, { - "id": "control-0164", - "title": "Preventing observation by unauthorised people", + "id": "control-1523", + "title": "Event logging", "parts": [ { - "id": "control-0164-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_data_transfers", - "title": "Guidelines for Data Transfers", - "groups": [ + }, + { + "id": "control-0610", + "title": "User training", + "parts": [ + { + "id": "control-0610-stmt", + "name": "statement", + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + } + ] + } + ] + }, { - "id": "data_transfers", - "title": "Data transfers", + "id": "web_proxies", + "title": "Web proxies", "controls": [ { - "id": "control-0663", - "title": "Data transfer process and procedures", + "id": "control-0258", + "title": "Web usage policy", "parts": [ { - "id": "control-0663-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + "prose": "A web usage policy is developed and implemented." } ] }, { - "id": "control-0661", - "title": "User responsibilities", + "id": "control-0260", + "title": "Using web proxies", "parts": [ { - "id": "control-0661-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-0665", - "title": "Trusted sources", + "id": "control-0261", + "title": "Web proxy authentication and logging", "parts": [ { - "id": "control-0665-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." 
} ] - }, + } + ] + }, + { + "id": "web_content_filters", + "title": "Web content filters", + "controls": [ { - "id": "control-0664", - "title": "Data transfer approval", + "id": "control-0963", + "title": "Using web content filters", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "A web content filter is used to filter potentially harmful web-based content." } ] }, { - "id": "control-0675", - "title": "Data transfer approval", + "id": "control-0961", + "title": "Using web content filters", "parts": [ { - "id": "control-0675-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "A trusted source signs all data authorised for export from a system." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." } ] }, { - "id": "control-0657", - "title": "Import of data", + "id": "control-1237", + "title": "Using web content filters", "parts": [ { - "id": "control-0657-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] }, { - "id": "control-0658", - "title": "Import of data", + "id": "control-0263", + "title": "Transport Layer Security filtering", "parts": [ { - "id": "control-0658-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." 
+ "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." } ] }, { - "id": "control-1187", - "title": "Export of data", + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", "parts": [ { - "id": "control-1187-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] }, { - "id": "control-0669", - "title": "Export of data", + "id": "control-0958", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0669-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-1535", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-1170", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-1535-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." 
+ "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." } ] }, { - "id": "control-0678", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0959", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0678-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." } ] }, { - "id": "control-1586", - "title": "Monitoring data import and export", + "id": "control-0960", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1586-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "Data transfer logs are used to record all data imports and exports from systems." + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." } ] }, { - "id": "control-1294", - "title": "Monitoring data import and export", + "id": "control-1171", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1294-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "Data transfer logs are partially audited at least monthly." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0660", - "title": "Monitoring data import and export", + "id": "control-1236", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0660-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "Data transfer logs are fully audited at least monthly." 
+ "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." } ] } ] - } - ] - }, - { - "id": "guidelines_for_media", - "title": "Guidelines for Media", - "groups": [ + }, { - "id": "media_destruction", - "title": "Media destruction", + "id": "peripheral_switches", + "title": "Peripheral switches", "controls": [ { - "id": "control-0363", - "title": "Media destruction process and procedures", + "id": "control-0591", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0363-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-0350", - "title": "Media that cannot be sanitised", + "id": "control-1480", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0350-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." + "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-1361", - "title": "Media destruction equipment", + "id": "control-1457", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1361-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." 
} ] }, { - "id": "control-1160", - "title": "Media destruction equipment", + "id": "control-0593", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1160-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-1517", - "title": "Media destruction methods", + "id": "control-0594", + "title": "Peripheral switches for particularly important systems", "parts": [ { - "id": "control-1517-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." } ] - }, + } + ] + }, + { + "id": "gateways", + "title": "Gateways", + "controls": [ { - "id": "control-0366", - "title": "Media destruction methods", + "id": "control-0628", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "All systems are protected from systems in other security domains by one or more gateways." 
} ] }, { - "id": "control-0368", - "title": "Treatment of media waste particles", + "id": "control-1192", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0368-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] }, { - "id": "control-0361", - "title": "Degaussing magnetic media", + "id": "control-0631", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0361-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." } ] }, { - "id": "control-0838", - "title": "Degaussing magnetic media", + "id": "control-1427", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0838-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." 
+ "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." } ] }, { - "id": "control-0362", - "title": "Degaussing magnetic media", + "id": "control-0634", + "title": "Gateway operation", "parts": [ { - "id": "control-0362-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." } ] }, { - "id": "control-0370", - "title": "Supervision of destruction", + "id": "control-0637", + "title": "Demilitarised zones", "parts": [ { - "id": "control-0370-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-0371", - "title": "Supervision of destruction", + "id": "control-1037", + "title": "Gateway testing", "parts": [ { - "id": "control-0371-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." 
+ "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-0372", - "title": "Supervision of accountable material destruction", + "id": "control-0611", + "title": "Gateway administration", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." } ] }, - { - "id": "control-0373", - "title": "Supervision of accountable material destruction", + { + "id": "control-0612", + "title": "Gateway administration", "parts": [ { - "id": "control-0373-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "System administrators are formally trained to manage gateways." } ] }, { - "id": "control-0840", - "title": "Outsourcing media destruction", + "id": "control-1520", + "title": "Gateway administration", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." 
} ] }, { - "id": "control-0839", - "title": "Outsourcing media destruction", + "id": "control-0613", + "title": "Gateway administration", "parts": [ { - "id": "control-0839-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." } ] - } - ] - }, - { - "id": "media_usage", - "title": "Media usage", - "controls": [ + }, { - "id": "control-1549", - "title": "Media management policy", + "id": "control-0616", + "title": "Gateway administration", "parts": [ { - "id": "control-1549-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Roles for the administration of gateways are separated." } ] }, { - "id": "control-1359", - "title": "Removable media usage policy", + "id": "control-0629", + "title": "Gateway administration", "parts": [ { - "id": "control-1359-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-0323", - "title": "Classifying media storing information", + "id": "control-0607", + "title": "Shared ownership of gateways", "parts": [ { - "id": "control-0323-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." 
} ] }, { - "id": "control-0325", - "title": "Classifying media connected to systems", + "id": "control-0619", + "title": "Gateway authentication", "parts": [ { - "id": "control-0325-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." + "prose": "Users and services accessing networks through gateways are authenticated." } ] }, { - "id": "control-0331", - "title": "Reclassifying media", + "id": "control-0620", + "title": "Gateway authentication", "parts": [ { - "id": "control-0331-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-0330", - "title": "Reclassifying media", + "id": "control-1039", + "title": "Gateway authentication", "parts": [ { - "id": "control-0330-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." + "prose": "Multi-factor authentication is used for access to gateways." 
} ] }, { - "id": "control-0332", - "title": "Labelling media", + "id": "control-0622", + "title": "ICT equipment authentication", "parts": [ { - "id": "control-0332-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "ICT equipment accessing networks through gateways is authenticated." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", + "groups": [ + { + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", + "controls": [ { - "id": "control-1600", - "title": "Connecting media to systems", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", "parts": [ { - "id": "control-1600-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "Media is sanitised before it is used with systems for the first time." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-0337", - "title": "Connecting media to systems", + "id": "control-0546", + "title": "Video and voice-aware firewalls", "parts": [ { - "id": "control-0337-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." 
} ] }, { - "id": "control-0341", - "title": "Connecting media to systems", + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." + "prose": "Video conferencing and IP telephony signalling and data is encrypted." } ] }, { - "id": "control-0342", - "title": "Connecting media to systems", + "id": "control-0548", + "title": "Establishment of secure signalling and data protocols", "parts": [ { - "id": "control-0342-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-0343", - "title": "Connecting media to systems", + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0343-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-0831", - "title": "Handling media", + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
+ "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." } ] }, { - "id": "control-1059", - "title": "Handling media", + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1059-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-0347", - "title": "Using media for data transfers", + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0347-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." } ] }, { - "id": "control-0947", - "title": "Using media for data transfers", + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0947-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." + "prose": "Individual logins are used for IP phones." 
} ] - } - ] - }, - { - "id": "media_disposal", - "title": "Media disposal", - "controls": [ + }, { - "id": "control-0374", - "title": "Media disposal process and procedures", + "id": "control-0549", + "title": "Traffic separation", "parts": [ { - "id": "control-0374-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." } ] }, { - "id": "control-0375", - "title": "Media disposal process and procedures", + "id": "control-0556", + "title": "Traffic separation", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-0378", - "title": "Media disposal process and procedures", + "id": "control-1015", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0378-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "Traditional analog phones are used in public areas." 
} ] - } - ] - }, - { - "id": "media_sanitisation", - "title": "Media sanitisation", - "controls": [ + }, { - "id": "control-0348", - "title": "Media sanitisation process and procedures", + "id": "control-0558", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] }, { - "id": "control-0351", - "title": "Volatile media sanitisation", + "id": "control-0559", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." } ] }, { - "id": "control-0352", - "title": "Volatile media sanitisation", + "id": "control-1450", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0352-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." 
} ] }, { - "id": "control-0835", - "title": "Treatment of volatile media following sanitisation", + "id": "control-1019", + "title": "Developing a denial of service response plan", "parts": [ { - "id": "control-0835-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." } ] - }, - { - "id": "control-1065", - "title": "Non-volatile magnetic media sanitisation", + } + ] + }, + { + "id": "telephone_systems", + "title": "Telephone systems", + "controls": [ + { + "id": "control-1078", + "title": "Telephone systems usage policy", "parts": [ { - "id": "control-1065-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-0354", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0229", + "title": "Personnel awareness", "parts": [ { - "id": "control-0354-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." 
+ "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-1067", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0230", + "title": "Personnel awareness", "parts": [ { - "id": "control-1067-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." } ] }, { - "id": "control-0356", - "title": "Treatment of non-volatile magnetic media following sanitisation", + "id": "control-0231", + "title": "Visual indication", "parts": [ { - "id": "control-0356-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-0357", - "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "id": "control-0232", + "title": "Protecting conversations", "parts": [ { - "id": "control-0357-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." 
+ "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0836", - "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "id": "control-0233", + "title": "Cordless telephone systems", "parts": [ { - "id": "control-0836-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." } ] }, { - "id": "control-0358", - "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "id": "control-0235", + "title": "Speakerphones", "parts": [ { - "id": "control-0358-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." + "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-0359", - "title": "Non-volatile flash memory media sanitisation", + "id": "control-0236", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0359-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." 
} ] }, { - "id": "control-0360", - "title": "Treatment of non-volatile flash memory media following sanitisation", + "id": "control-0931", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0360-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "In SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of SECRET information." } ] }, { - "id": "control-1464", - "title": "Encrypted media sanitisation", + "id": "control-0237", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-1464-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + "prose": "In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." } ] } ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ + }, { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", "controls": [ { - "id": "control-0714", - "title": "Providing cyber security leadership and guidance", + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", "parts": [ { - "id": "control-0714-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." + "prose": "A fax machine and MFD usage policy is developed and implemented." 
} ] }, { - "id": "control-1478", - "title": "Overseeing the cyber security program", + "id": "control-1092", + "title": "Sending fax messages", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." } ] }, { - "id": "control-1617", - "title": "Overseeing the cyber security program", + "id": "control-0241", + "title": "Sending fax messages", "parts": [ { - "id": "control-1617-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." } ] }, { - "id": "control-0724", - "title": "Overseeing the cyber security program", + "id": "control-1075", + "title": "Receiving fax messages", "parts": [ { - "id": "control-0724-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." 
} ] }, { - "id": "control-0725", - "title": "Coordinating cyber security", + "id": "control-0590", + "title": "Connecting multifunction devices to networks", "parts": [ { - "id": "control-0725-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." } ] }, { - "id": "control-0726", - "title": "Coordinating cyber security", + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", "parts": [ { - "id": "control-0726-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "The CISO coordinates security risk management activities between cyber security and business teams." + "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] }, { - "id": "control-0718", - "title": "Reporting on cyber security", + "id": "control-0589", + "title": "Copying documents on multifunction devices", "parts": [ { - "id": "control-0718-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." 
} ] }, { - "id": "control-0733", - "title": "Overseeing incident response activities", + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", "parts": [ { - "id": "control-0733-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "The CISO is fully aware of all cyber security incidents within their organisation." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ { - "id": "control-1618", - "title": "Overseeing incident response activities", + "id": "control-1510", + "title": "Digital preservation policy", "parts": [ { - "id": "control-1618-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s response to cyber security incidents." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-0734", - "title": "Contributing to business continuity and disaster recovery planning", + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0734-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." 
} ] }, { - "id": "control-0720", - "title": "Developing a cyber security communications strategy", + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0720-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." } ] }, { - "id": "control-0731", - "title": "Working with suppliers and service providers", + "id": "control-1511", + "title": "Performing backups", "parts": [ { - "id": "control-0731-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] }, { - "id": "control-0732", - "title": "Receiving and managing a dedicated cyber security budget", + "id": "control-1512", + "title": "Backup storage", "parts": [ { - "id": "control-0732-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." } ] }, { - "id": "control-0717", - "title": "Overseeing cyber security personnel", + "id": "control-1513", + "title": "Backup storage", "parts": [ { - "id": "control-0717-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "The CISO oversees the management of cyber security personnel within their organisation." + "prose": "Backups are stored at a multiple geographically-dispersed locations." 
} ] }, { - "id": "control-0735", - "title": "Overseeing cyber security awareness raising", - "parts": [ - { - "id": "control-0735-stmt", - "name": "statement", - "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." - } - ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ - { - "id": "control-1071", - "title": "System ownership and oversight", + "id": "control-1514", + "title": "Retention periods for backups", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "Backups are stored for three months or greater." } ] }, { - "id": "control-1525", - "title": "System ownership and oversight", + "id": "control-1515", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "System owners register each system with its authorising officer." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1633", - "title": "Protecting systems and their resources", + "id": "control-1516", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-1633-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." 
} ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-1634", - "title": "Protecting systems and their resources", + "id": "control-1211", + "title": "Change management process and procedures", "parts": [ { - "id": "control-1634-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "System owners select security controls for each system and tailor them to achieve desired security objectives." + "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." } ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-1635", - "title": "Protecting systems and their resources", + "id": "control-0042", + "title": "System administration process and procedures", "parts": [ { - "id": "control-1635-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "System owners implement identified security controls within each system and its operating environment." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." } ] }, { - "id": "control-1636", - "title": "Protecting systems and their resources", + "id": "control-1380", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1636-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "System owners ensure security controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended." 
+ "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] }, { - "id": "control-0027", - "title": "Protecting systems and their resources", + "id": "control-1382", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation." + "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." } ] }, { - "id": "control-1526", - "title": "Protecting systems and their resources", + "id": "control-1381", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1526-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." } ] }, { - "id": "control-1587", - "title": "Annual reporting of system security status", + "id": "control-1383", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1587-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "System owners report the security status of each system to its authorising officer at least annually." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ - { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", - "controls": [ + }, { - "id": "control-1631", - "title": "Cyber supply chain risk management", + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", "parts": [ { - "id": "control-1631-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are identified and understood." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." } ] }, { - "id": "control-1452", - "title": "Cyber supply chain risk management", + "id": "control-1386", + "title": "Restriction of management traffic flows", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-1567", - "title": "Cyber supply chain risk management", + "id": "control-1387", + "title": "Jump servers", "parts": [ { - "id": "control-1567-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "Suppliers and service providers identified as high risk are not used." + "prose": "All administrative actions are conducted through a jump server." 
} ] }, { - "id": "control-1568", - "title": "Cyber supply chain risk management", + "id": "control-1388", + "title": "Jump servers", "parts": [ { - "id": "control-1568-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." } ] - }, + } + ] + }, + { + "id": "system_patching", + "title": "System patching", + "controls": [ { - "id": "control-1632", - "title": "Cyber supply chain risk management", + "id": "control-1143", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1632-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-1569", - "title": "Cyber supply chain risk management", + "id": "control-1493", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1569-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." 
} ] }, { - "id": "control-0100", - "title": "Outsourced gateway services", + "id": "control-1144", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0100-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." + "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1637", - "title": "Outsourced cloud services", + "id": "control-0940", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1637-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "An outsourced cloud services register is maintained and regularly audited." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1638", - "title": "Outsourced cloud services", + "id": "control-1472", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1638-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "Outsourced cloud services registers contain the following for each outsourced cloud service:\n• cloud service provider’s name\n• cloud service’s name\n• purpose for using the cloud service\n• sensitivity or classification of information involved\n• due date for the next security assessment of the cloud service\n• point of contact for users of the cloud service\n• point of contact for the cloud service provider." 
+ "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1570", - "title": "Outsourced cloud services", + "id": "control-1494", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1570-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1529", - "title": "Outsourced cloud services", + "id": "control-1495", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "Only community or private clouds are used for outsourced cloud services." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1395", - "title": "Contractual security requirements", + "id": "control-1496", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1395-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." 
+ "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0072", - "title": "Contractual security requirements", + "id": "control-0300", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0072-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] }, { - "id": "control-1571", - "title": "Contractual security requirements", + "id": "control-0298", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1571-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-1451", - "title": "Contractual security requirements", + "id": "control-0303", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "Types of information and its ownership is documented in contractual arrangements." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1572", - "title": "Contractual security requirements", + "id": "control-1497", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1572-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1573", - "title": "Contractual security requirements", + "id": "control-1498", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1573-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." } ] }, { - "id": "control-1574", - "title": "Contractual security requirements", + "id": "control-1499", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1574-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1575", - "title": "Contractual security requirements", + "id": "control-1500", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1575-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1073", - "title": "Access to systems and information by service providers", + "id": "control-0304", + "title": "Cessation of support", "parts": [ { - "id": "control-1073-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] }, { - "id": "control-1576", - "title": "Access to systems and information by service providers", + "id": "control-1501", + "title": "Cessation of support", "parts": [ { - "id": "control-1576-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } 
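Review bot: the `-`/`+` pairs throughout this hunk (for example `- "id": "control-1575"` / `+ "id": "control-1500"`, and the "Contractual security requirements" controls being shown as replaced by "How to patch security vulnerabilities" and "Cessation of support" controls at the same positions) read as a reordering of the catalog's groups in the regenerated output, not as edits to any control's prose, which makes real content changes in this file impossible to pick out in review. If the generator (`scrips/ISM/ISM.py` per the remarks) does not already do so, have it emit groups and controls in a deterministic order that matches the previously committed files, then regenerate, so that the diff is limited to the lines that actually changed; at minimum, please state in the commit message that the bulk of these hunks is a reorder.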
diff --git a/ISM_catalog_profile/catalogs/ISM_July_2020/catalog.json b/ISM_catalog_profile/catalogs/ISM_July_2020/catalog.json index b666534..2298414 100644 --- a/ISM_catalog_profile/catalogs/ISM_July_2020/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_July_2020/catalog.json 
@@ -1,748 +1,731 @@ { "catalog": { - "uuid": "ee75b597-6dd4-43f3-8652-49ed1a24e85f", + "uuid": "47565682-77e4-41b7-927c-7eeb06b40551", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:21:01.156+00:00", + "last-modified": "2022-04-28T11:44:56.006525+10:00", "version": "July_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration process and procedures", + "id": "control-0580", + "title": "Event logging policy", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "Separate administrator workstations", + "id": "control-1405", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1382", - "title": "Separate administrator workstations", + "id": "control-0988", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1381", - "title": "Separate administrator workstations", + "id": "control-0584", + "title": "Events to be logged", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1383", - "title": "Separate administrator workstations", + "id": "control-0582", + "title": "Events to be logged", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to external media\n• user or group management\n• use of special privileges." 
} ] }, { - "id": "control-1384", - "title": "Multi-factor authentication", + "id": "control-1536", + "title": "Events to be logged", "parts": [ { - "id": "control-1384-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate users each time they perform privileged actions." + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." } ] }, { - "id": "control-1385", - "title": "Dedicated administration zones and communication restrictions", + "id": "control-1537", + "title": "Events to be logged", "parts": [ { - "id": "control-1385-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." } ] }, { - "id": "control-1386", - "title": "Restriction of management traffic flows", + "id": "control-0585", + "title": "Events log details", "parts": [ { - "id": "control-1386-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-1387", - "title": "Jump servers", + "id": "control-0586", + "title": "Event log protection", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] }, { - "id": "control-1388", - "title": "Jump servers", + "id": "control-0859", + "title": "Event log retention", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management process and procedures", + "id": "control-0991", + "title": "Event log retention", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "Patch management process and procedures", + "id": "control-0109", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1493", - "title": "Patch management process and procedures", + "id": "control-1228", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1493-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media_management", + "title": "Guidelines for Media Management", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-1144", - "title": "When to patch security vulnerabilities", + "id": "control-0363", + "title": "Media destruction process and procedures", "parts": [ { - "id": "control-1144-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-0940", - "title": "When to patch security vulnerabilities", + "id": "control-0350", + "title": "Media that cannot be sanitised", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." 
} ] }, { - "id": "control-1472", - "title": "When to patch security vulnerabilities", + "id": "control-1361", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1472-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "SCEC or ASIO approved equipment is used when destroying media." } ] }, { - "id": "control-1494", - "title": "When to patch security vulnerabilities", + "id": "control-1160", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1494-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency or certified by the United Kingdom’s National Cyber Security Centre are used." } ] }, { - "id": "control-1495", - "title": "When to patch security vulnerabilities", + "id": "control-1517", + "title": "Media destruction methods", "parts": [ { - "id": "control-1495-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
+ "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." } ] }, { - "id": "control-1496", - "title": "When to patch security vulnerabilities", + "id": "control-0366", + "title": "Media destruction methods", "parts": [ { - "id": "control-1496-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." } ] }, { - "id": "control-0300", - "title": "When to patch security vulnerabilities", + "id": "control-0368", + "title": "Treatment of media waste particles", "parts": [ { - "id": "control-0300-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." } ] }, { - "id": "control-0298", - "title": "How to patch security vulnerabilities", + "id": "control-0361", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." 
} ] }, { - "id": "control-0303", - "title": "How to patch security vulnerabilities", + "id": "control-0838", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-0303-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." } ] }, { - "id": "control-1497", - "title": "How to patch security vulnerabilities", + "id": "control-0362", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1497-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." } ] }, { - "id": "control-1498", - "title": "How to patch security vulnerabilities", + "id": "control-0370", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1498-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." 
} ] }, { - "id": "control-1499", - "title": "How to patch security vulnerabilities", + "id": "control-0371", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." } ] }, { - "id": "control-1500", - "title": "How to patch security vulnerabilities", + "id": "control-0372", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1500-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-0304", - "title": "Cessation of support", + "id": "control-0373", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-0304-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." 
} ] }, { - "id": "control-1501", - "title": "Cessation of support", + "id": "control-0840", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1501-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." } ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ + }, { - "id": "control-1510", - "title": "Digital preservation policy", + "id": "control-0839", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1510-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." } ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-1547", - "title": "Data backup and restoration processes and procedures", + "id": "control-0374", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1547-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." 
} ] }, { - "id": "control-1548", - "title": "Data backup and restoration processes and procedures", + "id": "control-0375", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1548-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1511", - "title": "Performing backups", + "id": "control-0378", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1511-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." } ] - }, + } + ] + }, + { + "id": "media_usage", + "title": "Media usage", + "controls": [ { - "id": "control-1512", - "title": "Backup storage", + "id": "control-1549", + "title": "Media management policy", "parts": [ { - "id": "control-1512-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-1513", - "title": "Backup storage", + "id": "control-1359", + "title": "Removable media usage policy", "parts": [ { - "id": "control-1513-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." + "prose": "A removable media usage policy is developed and implemented." 
} ] }, { - "id": "control-1514", - "title": "Retention periods for backups", + "id": "control-0323", + "title": "Classifying media storing information", "parts": [ { - "id": "control-1514-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." } ] }, { - "id": "control-1515", - "title": "Testing restoration of backups", + "id": "control-0325", + "title": "Classifying media connected to systems", "parts": [ { - "id": "control-1515-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-1516", - "title": "Testing restoration of backups", + "id": "control-0331", + "title": "Reclassifying media", "parts": [ { - "id": "control-1516-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email_management", - "title": "Guidelines for Email Management", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage policy", + "id": "control-0330", + "title": "Reclassifying media", "parts": [ { - "id": "control-0264-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." } ] }, { - "id": "control-0267", - "title": "Webmail services", + "id": "control-0332", + "title": "Labelling media", "parts": [ { - "id": "control-0267-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-0270", - "title": "Protective markings for emails", + "id": "control-0337", + "title": "Connecting media to systems", "parts": [ { - "id": "control-0270-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." 
} ] }, { - "id": "control-0271", - "title": "Protective marking tools", + "id": "control-0341", + "title": "Connecting media to systems", "parts": [ { - "id": "control-0271-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." } ] }, { - "id": "control-0272", - "title": "Protective marking tools", + "id": "control-0342", + "title": "Connecting media to systems", "parts": [ { - "id": "control-0272-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-1089", - "title": "Protective marking tools", + "id": "control-0343", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1089-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-0565", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-0345", + "title": "External interface connections that allow Direct Memory Access", "parts": [ { - "id": "control-0565-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." 
+ "prose": "External interface connections that allow DMA are disabled." } ] }, { - "id": "control-1023", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-0831", + "title": "Handling media", "parts": [ { - "id": "control-1023-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." } ] }, { - "id": "control-0269", - "title": "Email distribution lists", + "id": "control-1059", + "title": "Handling media", "parts": [ { - "id": "control-0269-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "Emails containing AUSTEO or AGAO information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1539", - "title": "Email distribution lists", + "id": "control-0347", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1539-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." 
} ] } ] }, { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", + "id": "media_sanitisation", + "title": "Media sanitisation", "controls": [ { - "id": "control-0569", - "title": "Centralised email gateways", + "id": "control-0348", + "title": "Media sanitisation process and procedures", "parts": [ { - "id": "control-0569-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0571", - "title": "Centralised email gateways", + "id": "control-0351", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-0571-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0570", - "title": "Email gateway maintenance activities", + "id": "control-0352", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-0570-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." 
} ] }, { - "id": "control-0567", - "title": "Open relay email servers", + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", "parts": [ { - "id": "control-0567-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-0572", - "title": "Email server transport encryption", + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-0572-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." + "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-0574", - "title": "Sender Policy Framework", + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-0574-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." + "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1183", - "title": "Sender Policy Framework", + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1183-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." } ] }, { - "id": "control-1151", - "title": "Sender Policy Framework", - "parts": [ - { - "id": "control-1151-stmt", - "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." - } - ] - }, - { - "id": "control-1152", - "title": "Sender Policy Framework", + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", "parts": [ { - "id": "control-1152-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-0861", - "title": "DomainKeys Identified Mail", + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-0861-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1026", - "title": "DomainKeys Identified Mail", + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1026-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." + "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1027", - "title": "DomainKeys Identified Mail", + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", "parts": [ { - "id": "control-1027-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-1540", - "title": "Domain-based Message Authentication, Reporting and Conformance", + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", "parts": [ { - "id": "control-1540-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1234", - "title": "Email content filtering", + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", "parts": [ { - "id": "control-1234-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." } ] }, { - "id": "control-1502", - "title": "Blocking suspicious emails", + "id": "control-0947", + "title": "Sanitising media prior to reuse", "parts": [ { - "id": "control-1502-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "All media is sanitised prior to reuse." } ] }, { - "id": "control-1024", - "title": "Undeliverable messages", + "id": "control-1464", + "title": "Encrypted media", "parts": [ { - "id": "control-1024-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." + "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." } ] } 
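Review bot: control-1151 ("SPF is used to verify the authenticity of incoming emails.") is removed outright in this hunk, with `-` lines and no `+` counterpart, while every neighbouring control is a pairwise swap of one id for another (control-1152 becomes control-0356, control-0861 becomes control-0357, and so on); confirm whether control-1151 was deliberately dropped from the catalog or simply relocated, and say so in the commit message. The rest of the hunk is the line diff of a regenerated file whose groups were reordered (the email-gateway controls on the `-` side are replaced by media-sanitisation controls on the `+` side, and the `media_sanitisation` group removed further down in the next hunk is the same group appearing here), so the textual diff cannot show which controls actually changed; a semantic comparison of the two catalog.json versions (load both, compare the sets of control ids and of (id, prose) pairs) would make this reviewable and is worth recording in the PR.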
@@ -751,1924 +734,1878 @@ ] }, { - "id": "guidelines_for_media_management", - "title": "Guidelines for Media Management", + "id": "guidelines_for_ict_equipment_management", + "title": "Guidelines for ICT Equipment Management", "groups": [ { - "id": "media_destruction", - "title": "Media destruction", + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", "controls": [ { - "id": "control-0363", - "title": "Media destruction process and procedures", + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0363-stmt", + "id": "control-0313-stmt", "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0350", - "title": "Media that cannot be sanitised", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0350-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-1361", - "title": "Media destruction equipment", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1361-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." 
+ "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." } ] }, { - "id": "control-1160", - "title": "Media destruction equipment", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1160-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency or certified by the United Kingdom’s National Cyber Security Centre are used." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." } ] }, { - "id": "control-1517", - "title": "Media destruction methods", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1517-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." 
} ] }, { - "id": "control-0366", - "title": "Media destruction methods", + "id": "control-0315", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-0368", - "title": "Treatment of media waste particles", + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-0368-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." } ] }, { - "id": "control-0361", - "title": "Degaussing magnetic media", + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-0361-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." 
} ] }, { - "id": "control-0838", - "title": "Degaussing magnetic media", + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0838-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." } ] }, { - "id": "control-0362", - "title": "Degaussing magnetic media", + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0362-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." } ] }, { - "id": "control-0370", - "title": "Supervision of destruction", + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0370-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." 
} ] }, { - "id": "control-0371", - "title": "Supervision of destruction", + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0371-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-0372", - "title": "Supervision of accountable material destruction", + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." + "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." } ] }, { - "id": "control-0373", - "title": "Supervision of accountable material destruction", + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0373-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." 
} ] }, { - "id": "control-0840", - "title": "Outsourcing media destruction", + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-0839", - "title": "Outsourcing media destruction", + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0839-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." } ] - } - ] - }, - { - "id": "media_usage", - "title": "Media usage", - "controls": [ + }, { - "id": "control-1549", - "title": "Media management policy", + "id": "control-1223", + "title": "Sanitising network devices", "parts": [ { - "id": "control-1549-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." 
} ] }, { - "id": "control-1359", - "title": "Removable media usage policy", + "id": "control-1225", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1359-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-0323", - "title": "Classifying media storing information", + "id": "control-1226", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-0323-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-0325", - "title": "Classifying media connected to systems", + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", "parts": [ { - "id": "control-0325-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." 
} ] }, { - "id": "control-0331", - "title": "Reclassifying media", + "id": "control-0305", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0331-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." } ] }, { - "id": "control-0330", - "title": "Reclassifying media", + "id": "control-0307", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0330-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-0332", - "title": "Labelling media", + "id": "control-0306", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0332-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
+ "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." } ] }, { - "id": "control-0337", - "title": "Connecting media to systems", + "id": "control-0310", + "title": "Off-site maintenance and repairs", "parts": [ { - "id": "control-0337-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] }, { - "id": "control-0341", - "title": "Connecting media to systems", + "id": "control-0944", + "title": "Maintenance and repair of ICT equipment from secured spaces", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." + "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ { - "id": "control-0342", - "title": "Connecting media to systems", + "id": "control-1551", + "title": "ICT equipment management policy", "parts": [ { - "id": "control-0342-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-0343", - "title": "Connecting media to systems", + "id": "control-0293", + "title": "Classifying ICT equipment", "parts": [ { - "id": "control-0343-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." } ] }, { - "id": "control-0345", - "title": "External interface connections that allow Direct Memory Access", + "id": "control-0294", + "title": "Labelling ICT equipment", "parts": [ { - "id": "control-0345-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "External interface connections that allow DMA are disabled." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-0831", - "title": "Handling media", + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
+ "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateway_management", + "title": "Guidelines for Gateway Management", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-1059", - "title": "Handling media", + "id": "control-1528", + "title": "Using firewalls", "parts": [ { - "id": "control-1059-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0347", - "title": "Using media for data transfers", + "id": "control-0639", + "title": "Using firewalls", "parts": [ { - "id": "control-0347-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] - } - ] - }, - { - "id": "media_disposal", - "title": "Media disposal", - "controls": [ + }, { - "id": "control-0374", - "title": "Media disposal process and procedures", + "id": "control-1194", + "title": "Using firewalls", "parts": [ { - "id": "control-0374-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." + "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." 
} ] }, { - "id": "control-0375", - "title": "Media disposal process and procedures", + "id": "control-0641", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." } ] }, { - "id": "control-0378", - "title": "Media disposal process and procedures", + "id": "control-0642", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-0378-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." } ] } ] }, { - "id": "media_sanitisation", - "title": "Media sanitisation", + "id": "diodes", + "title": "Diodes", "controls": [ { - "id": "control-0348", - "title": "Media sanitisation process and procedures", + "id": "control-0643", + "title": "Using diodes", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." 
} ] }, { - "id": "control-0351", - "title": "Volatile media sanitisation", + "id": "control-0645", + "title": "Using diodes", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." } ] }, { - "id": "control-0352", - "title": "Volatile media sanitisation", + "id": "control-1157", + "title": "Using diodes", "parts": [ { - "id": "control-0352-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." } ] }, { - "id": "control-0835", - "title": "Treatment of volatile media following sanitisation", + "id": "control-1158", + "title": "Using diodes", "parts": [ { - "id": "control-0835-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." 
} ] }, { - "id": "control-1065", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0646", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-1065-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-0354", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0647", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0354-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-1067", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0648", + "title": "Volume checking", "parts": [ { - "id": "control-1067-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." 
} ] - }, + } + ] + }, + { + "id": "content_filtering", + "title": "Content filtering", + "controls": [ { - "id": "control-0356", - "title": "Treatment of non-volatile magnetic media following sanitisation", + "id": "control-0659", + "title": "Content filtering", "parts": [ { - "id": "control-0356-stmt", + "id": "control-0659-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." } ] }, { - "id": "control-0357", - "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-0357-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." } ] }, { - "id": "control-0836", - "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "id": "control-0651", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0836-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." 
} ] }, { - "id": "control-0358", - "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "id": "control-0652", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0358-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." } ] }, { - "id": "control-0359", - "title": "Non-volatile flash memory media sanitisation", + "id": "control-1389", + "title": "Automated dynamic analysis", "parts": [ { - "id": "control-0359-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] }, { - "id": "control-0360", - "title": "Treatment of non-volatile flash memory media following sanitisation", - "parts": [ + "id": "control-1284", + "title": "Content validation", + "parts": [ { - "id": "control-0360-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." 
} ] }, { - "id": "control-0947", - "title": "Sanitising media prior to reuse", + "id": "control-1286", + "title": "Content conversion and transformation", "parts": [ { - "id": "control-0947-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "All media is sanitised prior to reuse." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." } ] }, { - "id": "control-1464", - "title": "Encrypted media", + "id": "control-1287", + "title": "Content sanitisation", "parts": [ { - "id": "control-1464-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_using_cryptography", - "title": "Guidelines for Using Cryptography", - "groups": [ - { - "id": "transport_layer_security", - "title": "Transport Layer Security", - "controls": [ + }, { - "id": "control-1139", - "title": "Using Transport Layer Security", + "id": "control-1288", + "title": "Antivirus scanning", "parts": [ { - "id": "control-1139-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "Only the latest version of TLS is used." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] }, { - "id": "control-1369", - "title": "Using Transport Layer Security", + "id": "control-1289", + "title": "Archive and container files", "parts": [ { - "id": "control-1369-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." 
} ] }, { - "id": "control-1370", - "title": "Using Transport Layer Security", + "id": "control-1290", + "title": "Archive and container files", "parts": [ { - "id": "control-1370-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-1372", - "title": "Using Transport Layer Security", + "id": "control-1291", + "title": "Archive and container files", "parts": [ { - "id": "control-1372-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." } ] }, { - "id": "control-1448", - "title": "Using Transport Layer Security", + "id": "control-0649", + "title": "Allowing access to specific content types", "parts": [ { - "id": "control-1448-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-1373", - "title": "Using Transport Layer Security", + "id": "control-1292", + "title": "Data integrity", "parts": [ { - "id": "control-1373-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "Anonymous DH is not used." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." } ] }, { - "id": "control-1374", - "title": "Using Transport Layer Security", + "id": "control-0677", + "title": "Data integrity", "parts": [ { - "id": "control-1374-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "If data is signed, the signature is validated before the data is exported." 
} ] }, { - "id": "control-1375", - "title": "Using Transport Layer Security", + "id": "control-1293", + "title": "Encrypted data", "parts": [ { - "id": "control-1375-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] - }, + } + ] + }, + { + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", + "controls": [ { - "id": "control-1553", - "title": "Using Transport Layer Security", + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", "parts": [ { - "id": "control-1553-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "TLS compression is disabled." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-1453", - "title": "Perfect Forward Secrecy", + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-1453-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", - "controls": [ + }, { - "id": "control-0471", - "title": "Using ASD Approved Cryptographic Algorithms", + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0471-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "Only AACAs are used by cryptographic equipment and software." 
+ "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0994", - "title": "Approved asymmetric/public key algorithms", + "id": "control-0635", + "title": "Separation of data flows", "parts": [ { - "id": "control-0994-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-0472", - "title": "Using Diffie-Hellman", + "id": "control-1521", + "title": "Separation of data flows", "parts": [ { - "id": "control-0472-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." } ] }, { - "id": "control-0473", - "title": "Using the Digital Signature Algorithm", + "id": "control-1522", + "title": "Separation of data flows", "parts": [ { - "id": "control-0473-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." 
} ] }, { - "id": "control-1446", - "title": "Using Elliptic Curve Cryptography", + "id": "control-0670", + "title": "Event logging", "parts": [ { - "id": "control-1446-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." } ] }, { - "id": "control-0474", - "title": "Using Elliptic Curve Diffie-Hellman", + "id": "control-1523", + "title": "Event logging", "parts": [ { - "id": "control-0474-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." } ] }, { - "id": "control-0475", - "title": "Using the Elliptic Curve Digital Signature Algorithm", + "id": "control-0610", + "title": "User training", "parts": [ { - "id": "control-0475-stmt", + "id": "control-0610-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." } ] - }, + } + ] + }, + { + "id": "web_proxies", + "title": "Web proxies", + "controls": [ { - "id": "control-0476", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0258", + "title": "Web usage policy", "parts": [ { - "id": "control-0476-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." 
+ "prose": "A web usage policy is developed and implemented." } ] }, { - "id": "control-0477", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0260", + "title": "Using web proxies", "parts": [ { - "id": "control-0477-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-1054", - "title": "Approved hashing algorithms", + "id": "control-0261", + "title": "Web proxy authentication and logging", "parts": [ { - "id": "control-1054-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." } ] - }, + } + ] + }, + { + "id": "web_content_filters", + "title": "Web content filters", + "controls": [ { - "id": "control-0479", - "title": "Approved symmetric encryption algorithms", + "id": "control-0963", + "title": "Using web content filters", "parts": [ { - "id": "control-0479-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + "prose": "A web content filter is used to filter potentially harmful web-based content." 
} ] }, { - "id": "control-0480", - "title": "Using the Triple Data Encryption Standard", + "id": "control-0961", + "title": "Using web content filters", "parts": [ { - "id": "control-0480-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." } ] }, { - "id": "control-1232", - "title": "Protecting highly classified information", + "id": "control-1237", + "title": "Using web content filters", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] }, { - "id": "control-1468", - "title": "Protecting highly classified information", - "parts": [ - { - "id": "control-1468-stmt", - "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." - } - ] - } - ] - }, - { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", - "controls": [ - { - "id": "control-0501", - "title": "Commercial grade cryptographic equipment", + "id": "control-0263", + "title": "Transport Layer Security filtering", "parts": [ { - "id": "control-0501-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." 
} ] }, { - "id": "control-0142", - "title": "Commercial grade cryptographic equipment", + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", "parts": [ { - "id": "control-0142-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] }, { - "id": "control-1091", - "title": "Commercial grade cryptographic equipment", + "id": "control-0958", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-1091-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-0499", - "title": "High Assurance Cryptographic Equipment", + "id": "control-1170", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0499-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." 
} ] }, { - "id": "control-0505", - "title": "Storing cryptographic equipment", + "id": "control-0959", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0505-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." } ] }, { - "id": "control-0506", - "title": "Storing cryptographic equipment", + "id": "control-0960", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0506-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." } ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Configuring Secure Shell", + "id": "control-1171", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1506-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0484", - "title": "Configuring Secure Shell", + "id": "control-1236", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0484-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." 
+ "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." } ] - }, + } + ] + }, + { + "id": "peripheral_switches", + "title": "Peripheral switches", + "controls": [ { - "id": "control-0485", - "title": "Authentication mechanisms", + "id": "control-0591", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0485-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-1449", - "title": "Authentication mechanisms", + "id": "control-1480", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1449-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." + "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-0487", - "title": "Automated remote access", + "id": "control-1457", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0487-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." 
} ] }, { - "id": "control-0488", - "title": "Automated remote access", + "id": "control-0593", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0488-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-0489", - "title": "SSH-agent", + "id": "control-0594", + "title": "Peripheral switches for particularly important systems", "parts": [ { - "id": "control-0489-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." } ] } ] }, { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", + "id": "gateways", + "title": "Gateways", "controls": [ { - "id": "control-0481", - "title": "Using ASD Approved Cryptographic Protocols", + "id": "control-0628", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0481-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "Only AACPs are used by cryptographic equipment and software." + "prose": "All systems are protected from systems in other security domains by one or more gateways." 
} ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Using Secure/Multipurpose Internet Mail Extension", + "id": "control-1192", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0490-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] - } - ] - }, - { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", - "controls": [ + }, { - "id": "control-1161", - "title": "Reducing physical storage and handling requirements", + "id": "control-0631", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-1161-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." 
} ] }, { - "id": "control-0457", - "title": "Reducing physical storage and handling requirements", + "id": "control-1427", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0457-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." } ] }, { - "id": "control-0460", - "title": "Reducing physical storage and handling requirements", + "id": "control-0634", + "title": "Gateway operation", "parts": [ { - "id": "control-0460-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." + "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." } ] }, { - "id": "control-0459", - "title": "Encrypting information at rest", + "id": "control-0637", + "title": "Demilitarised zones", "parts": [ { - "id": "control-0459-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." 
+ "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-0461", - "title": "Encrypting information at rest", + "id": "control-1037", + "title": "Gateway testing", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-1080", - "title": "Encrypting particularly important information at rest", + "id": "control-0611", + "title": "Gateway administration", "parts": [ { - "id": "control-1080-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." } ] }, { - "id": "control-0455", - "title": "Data recovery", + "id": "control-0612", + "title": "Gateway administration", "parts": [ { - "id": "control-0455-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "System administrators are formally trained to manage gateways." 
} ] }, { - "id": "control-0462", - "title": "Handling encrypted ICT equipment and media", + "id": "control-1520", + "title": "Gateway administration", "parts": [ { - "id": "control-0462-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." } ] }, { - "id": "control-1162", - "title": "Encrypting information in transit", + "id": "control-0613", + "title": "Gateway administration", "parts": [ { - "id": "control-1162-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." } ] }, { - "id": "control-0465", - "title": "Encrypting information in transit", + "id": "control-0616", + "title": "Gateway administration", "parts": [ { - "id": "control-0465-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "Roles for the administration of gateways are separated." 
} ] }, { - "id": "control-0467", - "title": "Encrypting information in transit", + "id": "control-0629", + "title": "Gateway administration", "parts": [ { - "id": "control-0467-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-0469", - "title": "Encrypting particularly important information in transit", + "id": "control-0607", + "title": "Shared ownership of gateways", "parts": [ { - "id": "control-0469-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." } ] - } - ] - }, - { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", - "controls": [ + }, { - "id": "control-0494", - "title": "Mode of operation", + "id": "control-0619", + "title": "Gateway authentication", "parts": [ { - "id": "control-0494-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "Users and services accessing networks through gateways are authenticated." 
} ] }, { - "id": "control-0496", - "title": "Protocol selection", + "id": "control-0620", + "title": "Gateway authentication", "parts": [ { - "id": "control-0496-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-1233", - "title": "Key exchange", + "id": "control-1039", + "title": "Gateway authentication", "parts": [ { - "id": "control-1233-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." + "prose": "Multi-factor authentication is used for access to gateways." } ] }, { - "id": "control-0497", - "title": "Internet Security Association Key Management Protocol modes", + "id": "control-0622", + "title": "ICT equipment authentication", "parts": [ { - "id": "control-0497-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "ICT equipment accessing networks through gateways is authenticated." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ + { + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", + "controls": [ { - "id": "control-0498", - "title": "Security association lifetimes", + "id": "control-0336", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0498-stmt", + "id": "control-0336-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "An ICT equipment and media register is maintained and regularly audited." 
} ] }, { - "id": "control-0998", - "title": "Hashed Message Authentication Code algorithms", + "id": "control-0159", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0998-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "All ICT equipment and media are accounted for on a regular basis." } ] }, { - "id": "control-0999", - "title": "Diffie-Hellman groups", + "id": "control-0161", + "title": "Securing ICT equipment and media", "parts": [ { - "id": "control-0999-stmt", + "id": "control-0161-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "ICT equipment and media are secured when not in use." } ] - }, + } + ] + }, + { + "id": "facilities_and_systems", + "title": "Facilities and systems", + "controls": [ { - "id": "control-1000", - "title": "Perfect Forward Secrecy", + "id": "control-0810", + "title": "Facilities containing systems", "parts": [ { - "id": "control-1000-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." } ] }, { - "id": "control-1001", - "title": "Internet Key Exchange Extended Authentication", + "id": "control-1053", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1001-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", - "groups": [ - { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", - "controls": [ + }, { - "id": "control-0280", - "title": "Evaluated product selection", + "id": "control-1530", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0280-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." } ] }, { - "id": "control-0285", - "title": "Delivery of evaluated products", + "id": "control-0813", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0285-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0286", - "title": "Delivery of evaluated products", + "id": "control-1074", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0286-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." 
} ] - } - ] - }, - { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", - "controls": [ + }, { - "id": "control-0289", - "title": "Installation and configuration of evaluated products", + "id": "control-0157", + "title": "Network infrastructure", "parts": [ { - "id": "control-0289-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." } ] }, { - "id": "control-0290", - "title": "Installation and configuration of evaluated products", + "id": "control-1296", + "title": "Controlling physical access to network devices", "parts": [ { - "id": "control-0290-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." } ] }, { - "id": "control-0292", - "title": "Use of high assurance ICT equipment in unevaluated configurations", + "id": "control-0164", + "title": "Preventing observation by unauthorised people", "parts": [ { - "id": "control-0292-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", - "groups": [ + }, { - "id": "web_application_development", - "title": "Web application development", + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", "controls": [ { - "id": "control-1239", - "title": "Web application frameworks", + "id": "control-1543", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-1239-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." } ] }, { - "id": "control-1552", - "title": "Web application interactions", + "id": "control-0225", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-1552-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-1240", - "title": "Web application input handling", + "id": "control-0829", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-1240-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." } ] }, { - "id": "control-1241", - "title": "Web application output encoding", + "id": "control-1058", + "title": "Bluetooth and wireless keyboards", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." 
+ "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." } ] }, { - "id": "control-1424", - "title": "Web browser-based security controls", + "id": "control-0222", + "title": "Infrared keyboards", "parts": [ { - "id": "control-1424-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-0971", - "title": "Open Web Application Security Project", + "id": "control-0223", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0971-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." } ] - } - ] - }, - { - "id": "application_development", - "title": "Application development", - "controls": [ + }, { - "id": "control-0400", - "title": "Development environments", + "id": "control-0224", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0400-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "Software development, testing and production environments are segregated." 
+ "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." } ] }, { - "id": "control-1419", - "title": "Development environments", + "id": "control-0221", + "title": "Wireless RF pointing devices", "parts": [ { - "id": "control-1419-stmt", + "id": "control-0221-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ + { + "id": "mobile_device_management", + "title": "Mobile device management", + "controls": [ { - "id": "control-1420", - "title": "Development environments", + "id": "control-1533", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1420-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "A mobile device management policy is developed and implemented." } ] }, { - "id": "control-1422", - "title": "Development environments", + "id": "control-1195", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1422-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." 
+ "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." } ] }, { - "id": "control-1238", - "title": "Secure software design", + "id": "control-0687", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1238-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-0401", - "title": "Secure programming practices", + "id": "control-1400", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-0401-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." } ] }, { - "id": "control-0402", - "title": "Software testing", + "id": "control-0694", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-0402-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." + "prose": "Privately-owned mobile devices do not access highly classified systems." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ + }, { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "id": "control-1297", + "title": "Seeking legal advice for privately-owned mobile devices", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "Prior to allowing privately-owned mobile devices to connect to an organisation’s systems, legal advice is sought." } ] }, { - "id": "control-0546", - "title": "Video and voice-aware firewalls", + "id": "control-1482", + "title": "Organisation-owned mobile devices", "parts": [ { - "id": "control-0546-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] }, { - "id": "control-0547", - "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "id": "control-0869", + "title": "Mobile device storage encryption", "parts": [ { - "id": "control-0547-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, { - "id": "control-0548", - "title": "Establishment of secure signalling and data protocols", + "id": "control-1085", + "title": "Mobile device communications encryption", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-0554", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1202", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] }, { - "id": "control-0553", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-0682", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0553-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
} ] }, { - "id": "control-0555", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1196", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-0555-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-0551", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1200", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-1014", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1198", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1014-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." 
} ] }, { - "id": "control-0549", - "title": "Traffic separation", + "id": "control-1199", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-0549-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." } ] }, { - "id": "control-0556", - "title": "Traffic separation", + "id": "control-0863", + "title": "Configuration control", "parts": [ { - "id": "control-0556-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-1015", - "title": "Internet Protocol phones in public areas", + "id": "control-0864", + "title": "Configuration control", "parts": [ { - "id": "control-1015-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] }, { - "id": "control-0558", - "title": "Internet Protocol phones in public areas", + "id": "control-1365", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." 
} ] }, { - "id": "control-0559", - "title": "Microphones and webcams", + "id": "control-1366", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." } ] }, { - "id": "control-1450", - "title": "Microphones and webcams", + "id": "control-0874", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-1450-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-1019", - "title": "Developing a denial of service response plan", + "id": "control-0705", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-1019-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." 
} ] } ] }, { - "id": "telephone_systems", - "title": "Telephone systems", + "id": "mobile_device_usage", + "title": "Mobile device usage", "controls": [ { - "id": "control-1078", - "title": "Telephone systems usage policy", - "parts": [ - { - "id": "control-1078-stmt", - "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." - } - ] - }, - { - "id": "control-0229", - "title": "Personnel awareness", + "id": "control-1082", + "title": "Mobile device usage policy", "parts": [ { - "id": "control-0229-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "A mobile device usage policy is developed and implemented." } ] }, { - "id": "control-0230", + "id": "control-1083", "title": "Personnel awareness", "parts": [ { - "id": "control-0230-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0231", - "title": "Visual indication", + "id": "control-0240", + "title": "Paging and message services", "parts": [ { - "id": "control-0231-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." 
} ] }, { - "id": "control-0232", - "title": "Protecting conversations", + "id": "control-0866", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0232-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." } ] }, { - "id": "control-0233", - "title": "Cordless telephone systems", + "id": "control-1145", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0233-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-0235", - "title": "Speakerphones", + "id": "control-0871", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0235-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." 
} ] }, { - "id": "control-0236", - "title": "Off-hook audio protection", + "id": "control-0870", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0236-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-0931", - "title": "Off-hook audio protection", + "id": "control-1084", + "title": "Carrying mobile devices", "parts": [ { - "id": "control-0931-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." } ] }, { - "id": "control-0237", - "title": "Off-hook audio protection", + "id": "control-0701", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0237-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." 
} ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ + }, { - "id": "control-0588", - "title": "Fax machine and multifunction device usage policy", + "id": "control-0702", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0588-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." } ] }, { - "id": "control-1092", - "title": "Sending fax messages", + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." } ] }, { - "id": "control-0241", - "title": "Sending fax messages", + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0241-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." 
+ "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." } ] }, { - "id": "control-1075", - "title": "Receiving fax messages", + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1075-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." } ] }, { - "id": "control-0590", - "title": "Connecting multifunction devices to networks", + "id": "control-1299", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0590-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." 
+ "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." } ] }, { - "id": "control-0245", - "title": "Connecting multifunction devices to both networks and digital telephone systems", + "id": "control-1088", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0245-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." 
+ "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." } ] }, { - "id": "control-0589", - "title": "Copying documents on multifunction devices", + "id": "control-1300", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0589-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-1036", - "title": "Observing fax machine and multifunction device use", + "id": "control-1556", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." } ] } 
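Review bot: the bulleted prose added for control-1298, control-1555, control-1299, control-1088, control-1300 and control-1556 in this hunk encodes list items as literal "•" characters joined by "\n" inside the JSON string, which OSCAL's markup-multiline prose will render as one run-on paragraph rather than a list; consider emitting Markdown list syntax (e.g. "\n- issued with newly provisioned accounts ...") from the generator so trestle's markdown output keeps the items separate. Separately, this hunk swaps the entire telephony and "fax_machines_and_multifunction_devices" content for mobile device controls with different control ids, so it reads as a regenerated catalog from a different ISM release rather than a trestle 1.0.x compatibility fix as the commit subject states; please name the source ISM release and the regeneration command in the PR description so the id changes can be checked against it.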
@@ -2677,1733 +2614,1710 @@ ] }, { - "id": "guidelines_for_gateway_management", - "title": "Guidelines for Gateway Management", + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", "groups": [ { - "id": "firewalls", - "title": "Firewalls", + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", "controls": [ { - "id": "control-1528", - "title": "Using firewalls", - "parts": [ - { - "id": "control-1528-stmt", - "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." - } - ] - }, - { - "id": "control-0639", - "title": "Using firewalls", - "parts": [ - { - "id": "control-0639-stmt", - "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." - } - ] - }, - { - "id": "control-1194", - "title": "Using firewalls", + "id": "control-0280", + "title": "Evaluated product selection", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0280-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." } ] }, { - "id": "control-0641", - "title": "Firewalls for particularly important networks", + "id": "control-0285", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." 
+ "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." } ] }, { - "id": "control-0642", - "title": "Firewalls for particularly important networks", + "id": "control-0286", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-0642-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." } ] } ] }, { - "id": "gateways", - "title": "Gateways", + "id": "evaluated_product_usage", + "title": "Evaluated product usage", "controls": [ { - "id": "control-0628", - "title": "Gateway architecture and configuration", - "parts": [ - { - "id": "control-0628-stmt", - "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." - } - ] - }, - { - "id": "control-1192", - "title": "Gateway architecture and configuration", - "parts": [ - { - "id": "control-1192-stmt", - "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." 
- } - ] - }, - { - "id": "control-0631", - "title": "Gateway architecture and configuration", + "id": "control-0289", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0631-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." } ] }, { - "id": "control-1427", - "title": "Gateway architecture and configuration", + "id": "control-0290", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-1427-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." 
} ] }, { - "id": "control-0634", - "title": "Gateway operation", + "id": "control-0292", + "title": "Use of high assurance ICT equipment in unevaluated configurations", "parts": [ { - "id": "control-0634-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "High assurance ICT equipment is only operated in an evaluated configuration." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ + { + "id": "emanation_security", + "title": "Emanation security", + "controls": [ { - "id": "control-0637", - "title": "Demilitarised zones", + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0637-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1037", - "title": "Gateway testing", + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1037-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0611", - "title": "Gateway administration", + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0611-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0612", - "title": "Gateway administration", + "id": "control-0932", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0612-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." 
} ] }, { - "id": "control-1520", - "title": "Gateway administration", + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-1520-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0613", - "title": "Gateway administration", + "id": "control-0246", + "title": "Early identification of emanation security issues", "parts": [ { - "id": "control-0613-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." + "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." } ] }, { - "id": "control-0616", - "title": "Gateway administration", + "id": "control-0250", + "title": "Industry and government standards", "parts": [ { - "id": "control-0616-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "Roles for the administration of gateways are separated." + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." 
} ] - }, + } + ] + }, + { + "id": "cable_management", + "title": "Cable management", + "controls": [ { - "id": "control-0629", - "title": "Gateway administration", + "id": "control-0181", + "title": "Cable standards", "parts": [ { - "id": "control-0629-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." } ] }, { - "id": "control-0607", - "title": "Shared ownership of gateways", + "id": "control-0926", + "title": "Cable colours", "parts": [ { - "id": "control-0607-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." + "prose": "The cable colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-0619", - "title": "Gateway authentication", + "id": "control-0825", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-0619-stmt", + "id": "control-0825-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." 
} ] }, { - "id": "control-0620", - "title": "Gateway authentication", + "id": "control-0826", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-0620-stmt", + "id": "control-0826-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." } ] }, { - "id": "control-1039", - "title": "Gateway authentication", + "id": "control-1215", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1039-stmt", + "id": "control-1215-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." } ] }, { - "id": "control-0622", - "title": "ICT equipment authentication", + "id": "control-1216", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-0622-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." } ] - } - ] - }, - { - "id": "diodes", - "title": "Diodes", - "controls": [ + }, { - "id": "control-0643", - "title": "Using diodes", + "id": "control-1112", + "title": "Inspecting cables", "parts": [ { - "id": "control-0643-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." 
} ] }, { - "id": "control-0645", - "title": "Using diodes", + "id": "control-1118", + "title": "Inspecting cables", "parts": [ { - "id": "control-0645-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1157", - "title": "Using diodes", + "id": "control-1119", + "title": "Inspecting cables", "parts": [ { - "id": "control-1157-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." + "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1158", - "title": "Using diodes", + "id": "control-1126", + "title": "Inspecting cables", "parts": [ { - "id": "control-1158-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-0646", - "title": "Diodes for particularly important networks", + "id": "control-0184", + "title": "Inspecting cables", "parts": [ { - "id": "control-0646-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." 
} ] }, { - "id": "control-0647", - "title": "Diodes for particularly important networks", + "id": "control-0187", + "title": "Cable groupings", "parts": [ { - "id": "control-0647-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-0648", - "title": "Volume checking", + "id": "control-1111", + "title": "Use of fibre-optic cables", "parts": [ { - "id": "control-0648-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." } ] - } - ] - }, - { - "id": "content_filtering", - "title": "Content filtering", - "controls": [ + }, { - "id": "control-0659", - "title": "Content filtering", + "id": "control-0189", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-0659-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." } ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-0190", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1524-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." 
+ "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." } ] }, { - "id": "control-0651", - "title": "Active, malicious and suspicious content", + "id": "control-1114", + "title": "Cables sharing a common reticulation system", "parts": [ { - "id": "control-0651-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." } ] }, { - "id": "control-0652", - "title": "Active, malicious and suspicious content", + "id": "control-1130", + "title": "Enclosed cable reticulation systems", "parts": [ { - "id": "control-0652-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." } ] }, { - "id": "control-1389", - "title": "Automated dynamic analysis", + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", "parts": [ { - "id": "control-1389-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." 
} ] }, { - "id": "control-1284", - "title": "Content validation", + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-1284-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." } ] }, { - "id": "control-1286", - "title": "Content conversion and transformation", + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-1286-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." } ] }, { - "id": "control-1287", - "title": "Content sanitisation", + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1287-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." 
} ] }, { - "id": "control-1288", - "title": "Antivirus scanning", + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1288-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1289", - "title": "Archive and container files", + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1289-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." } ] }, { - "id": "control-1290", - "title": "Archive and container files", + "id": "control-1098", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1290-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." } ] }, { - "id": "control-1291", - "title": "Archive and container files", + "id": "control-1100", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." 
+ "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-0649", - "title": "Allowing access to specific content types", + "id": "control-1116", + "title": "Cabinet separation", "parts": [ { - "id": "control-0649-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] }, { - "id": "control-1292", - "title": "Data integrity", + "id": "control-1115", + "title": "Cables in walls", "parts": [ { - "id": "control-1292-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." } ] }, { - "id": "control-0677", - "title": "Data integrity", + "id": "control-1133", + "title": "Cables in party walls", "parts": [ { - "id": "control-0677-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." + "prose": "In shared non-government facilities, cables are not run in a party wall." } ] }, { - "id": "control-1293", - "title": "Encrypted data", + "id": "control-1122", + "title": "Wall penetrations", "parts": [ { - "id": "control-1293-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." 
} ] - } - ] - }, - { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", - "controls": [ + }, { - "id": "control-0626", - "title": "When to implement a Cross Domain Solution", + "id": "control-1134", + "title": "Wall penetrations", "parts": [ { - "id": "control-0626-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-0597", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1104", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-0597-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." } ] }, { - "id": "control-0627", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1105", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-0627-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." 
} ] }, { - "id": "control-0635", - "title": "Separation of data flows", + "id": "control-1106", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-0635-stmt", + "id": "control-1106-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." } ] }, { - "id": "control-1521", - "title": "Separation of data flows", + "id": "control-1107", + "title": "Wall outlet box colours", "parts": [ { - "id": "control-1521-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1522", - "title": "Separation of data flows", + "id": "control-1109", + "title": "Wall outlet box covers", "parts": [ { - "id": "control-1522-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." + "prose": "Wall outlet box covers are clear plastic." } ] }, { - "id": "control-0670", - "title": "Event logging", + "id": "control-0198", + "title": "Audio secure spaces", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." 
} ] }, { - "id": "control-1523", - "title": "Event logging", + "id": "control-1123", + "title": "Power reticulation", "parts": [ { - "id": "control-1523-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-0610", - "title": "User training", + "id": "control-1135", + "title": "Power reticulation", "parts": [ { - "id": "control-0610-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] } ] }, { - "id": "web_content_filters", - "title": "Web content filters", + "id": "cable_labelling_and_registration", + "title": "Cable labelling and registration", "controls": [ { - "id": "control-0963", - "title": "Using web content filters", + "id": "control-0201", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." 
} ] }, { - "id": "control-0961", - "title": "Using web content filters", + "id": "control-0202", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0961-stmt", + "id": "control-0202-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." } ] }, { - "id": "control-1237", - "title": "Using web content filters", + "id": "control-0203", + "title": "Conduit label specifications", "parts": [ { - "id": "control-1237-stmt", + "id": "control-0203-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." } ] }, { - "id": "control-0263", - "title": "Transport Layer Security filtering", + "id": "control-0204", + "title": "Installing conduit labelling", "parts": [ { - "id": "control-0263-stmt", + "id": "control-0204-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." 
} ] }, { - "id": "control-0996", - "title": "Inspection of Transport Layer Security traffic", + "id": "control-1095", + "title": "Labelling wall outlet boxes", "parts": [ { - "id": "control-0996-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." } ] }, { - "id": "control-0958", - "title": "Allowing access to specific websites", + "id": "control-1096", + "title": "Labelling cables", "parts": [ { - "id": "control-0958-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." } ] }, { - "id": "control-1170", - "title": "Allowing access to specific websites", + "id": "control-0206", + "title": "Cable labelling process and procedures", "parts": [ { - "id": "control-1170-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-0959", - "title": "Blocking access to specific websites", + "id": "control-0208", + "title": "Cable register", "parts": [ { - "id": "control-0959-stmt", + "id": "control-0208-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." 
+ "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." } ] }, { - "id": "control-0960", - "title": "Blocking access to specific websites", + "id": "control-0211", + "title": "Cable inspections", "parts": [ { - "id": "control-0960-stmt", + "id": "control-0211-stmt", "name": "statement", - "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." + "prose": "Cables are inspected for inconsistencies with the cable register at least annually." + } + ] + } + ] + }, + { + "id": "cable_patching", + "title": "Cable patching", + "controls": [ + { + "id": "control-0213", + "title": "Terminations to patch panels", + "parts": [ + { + "id": "control-0213-stmt", + "name": "statement", + "prose": "Only approved cable groups terminate on a patch panel." } ] }, { - "id": "control-1171", - "title": "Blocking access to specific websites", + "id": "control-1093", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1171-stmt", + "id": "control-1093-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." 
} ] }, { - "id": "control-1236", - "title": "Blocking access to specific websites", + "id": "control-0214", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1236-stmt", + "id": "control-0214-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." } ] - } - ] - }, - { - "id": "web_proxies", - "title": "Web proxies", - "controls": [ + }, + { + "id": "control-1094", + "title": "Patch cable and fly lead connectors", + "parts": [ + { + "id": "control-1094-stmt", + "name": "statement", + "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." + } + ] + }, { - "id": "control-0258", - "title": "Web usage policy", + "id": "control-0216", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-0258-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." } ] }, { - "id": "control-0260", - "title": "Using web proxies", + "id": "control-0217", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-0260-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." 
+ "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." } ] }, { - "id": "control-0261", - "title": "Web proxy authentication and logging", + "id": "control-0218", + "title": "Fly lead installation", "parts": [ { - "id": "control-0261-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." + "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ { - "id": "peripheral_switches", - "title": "Peripheral switches", + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", "controls": [ { - "id": "control-0591", - "title": "Using peripheral switches", + "id": "control-1452", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0591-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." 
+ "prose": "A review of suppliers and service providers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." } ] }, { - "id": "control-1480", - "title": "Using peripheral switches", + "id": "control-1567", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1480-stmt", + "id": "control-1567-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "High risk suppliers and service providers are not used." } ] }, { - "id": "control-1457", - "title": "Using peripheral switches", + "id": "control-1568", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1568-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "Outsourced information technology and cloud services are chosen from service providers that have made a commitment to secure practices and have a strong track record of maintaining the security of their systems and services." } ] }, { - "id": "control-0593", - "title": "Using peripheral switches", + "id": "control-1569", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0593-stmt", + "id": "control-1569-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." + "prose": "A shared responsibility model is created between service providers and organisations in order to articulate the security responsibilities of each party." 
} ] }, { - "id": "control-0594", - "title": "Peripheral switches for particularly important systems", + "id": "control-0100", + "title": "Outsourced gateway services", "parts": [ { - "id": "control-0594-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." + "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_network_management", - "title": "Guidelines for Network Management", - "groups": [ - { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", - "controls": [ + }, { - "id": "control-1437", - "title": "Cloud-based hosting of online services", + "id": "control-1570", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1437-stmt", + "id": "control-1570-stmt", "name": "statement", - "prose": "A cloud service provider is used for hosting online services." + "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." } ] }, { - "id": "control-1578", - "title": "Location policies for online services", + "id": "control-1529", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1578-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." + "prose": "Only community or private clouds are used for outsourced cloud services." 
} ] }, { - "id": "control-1579", - "title": "Availability planning and monitoring for online services", + "id": "control-1395", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1579-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." + "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." } ] }, { - "id": "control-1580", - "title": "Availability planning and monitoring for online services", + "id": "control-0072", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1580-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." + "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." } ] }, { - "id": "control-1441", - "title": "Availability planning and monitoring for online services", + "id": "control-1571", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1441-stmt", + "id": "control-1571-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." + "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." 
} ] }, { - "id": "control-1581", - "title": "Availability planning and monitoring for online services", + "id": "control-1451", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1581-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "Organisations perform continuous real-time monitoring of the availability of online services." + "prose": "Types of information and its ownership is documented in contractual arrangements." } ] }, { - "id": "control-1438", - "title": "Using content delivery networks", + "id": "control-1572", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1438-stmt", + "id": "control-1572-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." } ] }, { - "id": "control-1439", - "title": "Using content delivery networks", + "id": "control-1573", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1439-stmt", + "id": "control-1573-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." 
} ] }, { - "id": "control-1431", - "title": "Denial of service strategies", + "id": "control-1574", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1431-stmt", + "id": "control-1574-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." + "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." } ] }, { - "id": "control-1458", - "title": "Denial of service strategies", + "id": "control-1575", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1458-stmt", + "id": "control-1575-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." 
} ] }, { - "id": "control-1432", - "title": "Domain name registrar locking", + "id": "control-1073", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-1432-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." } ] }, { - "id": "control-1435", - "title": "Monitoring with real-time alerting for online services", + "id": "control-1576", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-1435-stmt", + "id": "control-1576-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ + { + "id": "application_hardening", + "title": "Application hardening", + "controls": [ + { + "id": "control-0938", + "title": "Application selection", + "parts": [ + { + "id": "control-0938-stmt", + "name": "statement", + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." 
} ] }, { - "id": "control-1436", - "title": "Segregation of critical online services", + "id": "control-1467", + "title": "Application versions", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." } ] }, { - "id": "control-1518", - "title": "Preparing for service continuity", + "id": "control-1483", + "title": "Application versions", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." } ] - } - ] - }, - { - "id": "wireless_networks", - "title": "Wireless networks", - "controls": [ + }, { - "id": "control-1314", - "title": "Choosing wireless access points", + "id": "control-1412", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1314-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." 
} ] }, { - "id": "control-0536", - "title": "Wireless networks for public access", + "id": "control-1484", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0536-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "Web browsers are configured to block or disable support for Flash content." } ] }, { - "id": "control-1315", - "title": "Administrative interfaces for wireless access points", + "id": "control-1485", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1315-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." + "prose": "Web browsers are configured to block web advertisements." } ] }, { - "id": "control-1316", - "title": "Default Service Set Identifiers", + "id": "control-1486", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1316-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "Web browsers are configured to block Java from the internet." } ] }, { - "id": "control-1317", - "title": "Default Service Set Identifiers", + "id": "control-1541", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1317-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + "prose": "Microsoft Office is configured to disable support for Flash content." 
} ] }, { - "id": "control-1318", - "title": "Default Service Set Identifiers", + "id": "control-1542", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1318-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." } ] }, { - "id": "control-1319", - "title": "Static addressing", + "id": "control-1470", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1319-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." } ] }, { - "id": "control-1320", - "title": "Media Access Control address filtering", + "id": "control-1235", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1320-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." } ] }, { - "id": "control-1321", - "title": "802.1X authentication", + "id": "control-1487", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1321-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." 
} ] }, { - "id": "control-1322", - "title": "Evaluation of 802.1X authentication implementation", + "id": "control-1488", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1488-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "Microsoft Office macros in documents originating from the internet are blocked." } ] }, { - "id": "control-1324", - "title": "Generating and issuing certificates for authentication", + "id": "control-1489", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1324-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] - }, + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ { - "id": "control-1323", - "title": "Generating and issuing certificates for authentication", + "id": "control-1407", + "title": "Operating system versions", "parts": [ { - "id": "control-1323-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "The latest version (N), or N-1 version, of an operating system is used for Standard Operating Environments (SOEs)." } ] }, { - "id": "control-1325", - "title": "Generating and issuing certificates for authentication", + "id": "control-1408", + "title": "Operating system versions", "parts": [ { - "id": "control-1325-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." 
} ] }, { - "id": "control-1326", - "title": "Generating and issuing certificates for authentication", + "id": "control-1409", + "title": "Operating system configuration", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-1327", - "title": "Generating and issuing certificates for authentication", + "id": "control-0383", + "title": "Operating system configuration", "parts": [ { - "id": "control-1327-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1330", - "title": "Caching 802.1X authentication outcomes", + "id": "control-0380", + "title": "Operating system configuration", "parts": [ { - "id": "control-1330-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." } ] }, { - "id": "control-1454", - "title": "Remote Authentication Dial-In User Service authentication", + "id": "control-1491", + "title": "Operating system configuration", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." 
+ "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." } ] }, { - "id": "control-1332", - "title": "Encryption of wireless network traffic", + "id": "control-1410", + "title": "Local administrator accounts", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." } ] }, { - "id": "control-1334", - "title": "Interference between wireless networks", + "id": "control-1469", + "title": "Local administrator accounts", "parts": [ { - "id": "control-1334-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-1335", - "title": "Protecting management frames on wireless networks", + "id": "control-0382", + "title": "Application management", "parts": [ { - "id": "control-1335-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "Users do not have the ability to install, uninstall or disable software." 
} ] }, { - "id": "control-1338", - "title": "Wireless network footprint", + "id": "control-0843", + "title": "Application control", "parts": [ { - "id": "control-1338-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-1013", - "title": "Wireless network footprint", + "id": "control-1490", + "title": "Application control", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] - } - ] - }, - { - "id": "network_design_and_configuration", - "title": "Network design and configuration", - "controls": [ + }, { - "id": "control-0516", - "title": "Network documentation", + "id": "control-0955", + "title": "Application control", "parts": [ { - "id": "control-0516-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." 
} ] }, { - "id": "control-0518", - "title": "Network documentation", + "id": "control-1471", + "title": "Application control", "parts": [ { - "id": "control-0518-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-1178", - "title": "Network documentation", + "id": "control-1392", + "title": "Application control", "parts": [ { - "id": "control-1178-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." } ] }, { - "id": "control-1181", - "title": "Network segmentation and segregation", + "id": "control-1544", + "title": "Application control", "parts": [ { - "id": "control-1181-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." } ] }, { - "id": "control-1577", - "title": "Network segmentation and segregation", + "id": "control-0846", + "title": "Application control", "parts": [ { - "id": "control-1577-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "Organisation networks are segregated from service provider networks." 
+ "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." } ] }, { - "id": "control-1532", - "title": "Using Virtual Local Area Networks", + "id": "control-0957", + "title": "Application control", "parts": [ { - "id": "control-1532-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." } ] }, { - "id": "control-0529", - "title": "Using Virtual Local Area Networks", + "id": "control-1414", + "title": "Enhanced Mitigation Experience Toolkit and Exploit protection", "parts": [ { - "id": "control-0529-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." + "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." } ] }, { - "id": "control-1364", - "title": "Using Virtual Local Area Networks", + "id": "control-1492", + "title": "Enhanced Mitigation Experience Toolkit and Exploit protection", "parts": [ { - "id": "control-1364-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "If supported, Microsoft's 'Exploit protection' functionality is implemented on workstations and servers." 
} ] }, { - "id": "control-0535", - "title": "Using Virtual Local Area Networks", + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-0535-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "A HIPS is implemented on workstations." } ] }, { - "id": "control-0530", - "title": "Using Virtual Local Area Networks", + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-0530-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." } ] }, { - "id": "control-0521", - "title": "Using Internet Protocol version 6", + "id": "control-1416", + "title": "Software firewall", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." } ] }, { - "id": "control-1186", - "title": "Using Internet Protocol version 6", + "id": "control-1417", + "title": "Antivirus software", "parts": [ { - "id": "control-1186-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." 
+ "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." } ] }, { - "id": "control-1428", - "title": "Using Internet Protocol version 6", + "id": "control-1390", + "title": "Antivirus software", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "Antivirus software has reputation rating functionality enabled." } ] }, { - "id": "control-1429", - "title": "Using Internet Protocol version 6", + "id": "control-1418", + "title": "Endpoint device control software", "parts": [ { - "id": "control-1429-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." } ] - }, + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ { - "id": "control-1430", - "title": "Using Internet Protocol version 6", + "id": "control-1546", + "title": "Authenticating to systems", "parts": [ { - "id": "control-1430-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "Users are authenticated before they are granted access to a system and its resources." 
} ] }, { - "id": "control-0520", - "title": "Network access controls", + "id": "control-0974", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-0520-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "Multi-factor authentication is used to authenticate standard users." } ] }, { - "id": "control-1182", - "title": "Network access controls", + "id": "control-1173", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1182-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." } ] }, { - "id": "control-1301", - "title": "Network device register", + "id": "control-1504", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1301-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] }, { - "id": "control-1304", - "title": "Default accounts for network devices", + "id": "control-1505", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1304-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." 
} ] }, { - "id": "control-0534", - "title": "Disabling unused physical ports on network devices", + "id": "control-1401", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." } ] }, { - "id": "control-0385", - "title": "Functional separation between servers", + "id": "control-1559", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] }, { - "id": "control-1479", - "title": "Functional separation between servers", + "id": "control-1560", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1479-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." 
} ] }, { - "id": "control-1460", - "title": "Functional separation between server-side computing environments", + "id": "control-1561", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1460-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware:\n• the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner\n• the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism\n• the underlying operating system running on the server is hardened\n• patches are applied to the isolation mechanism and underlying operating system in a timely manner\n• integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." } ] }, { - "id": "control-1462", - "title": "Functional separation between server-side computing environments", + "id": "control-1357", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1462-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." 
} ] }, { - "id": "control-1461", - "title": "Functional separation between server-side computing environments", + "id": "control-0417", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1461-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-1006", - "title": "Management traffic", + "id": "control-0421", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1006-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." } ] }, { - "id": "control-1311", - "title": "Use of Simple Network Management Protocol", + "id": "control-1557", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] }, { - "id": "control-1312", - "title": "Use of Simple Network Management Protocol", + "id": "control-0422", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1312-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." 
+ "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." } ] }, { - "id": "control-1028", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1558", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage, including public network infrastructure." + "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." } ] }, { - "id": "control-1030", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1403", + "title": "Account lockouts", "parts": [ { - "id": "control-1030-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-1185", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-0431", + "title": "Account lockouts", "parts": [ { - "id": "control-1185-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + "prose": "Repeated account lockouts are investigated before reauthorising access." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ - { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ + }, { - "id": "control-0041", - "title": "System security plan", + "id": "control-0976", + "title": "Resetting passwords/passphrases", "parts": [ { - "id": "control-0041-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset." } ] }, { - "id": "control-0043", - "title": "Incident response plan", + "id": "control-1227", + "title": "Resetting passwords/passphrases", "parts": [ { - "id": "control-0043-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a 
reference to such details if they are located in a separate document." + "prose": "Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date." } ] }, { - "id": "control-1163", - "title": "Continuous monitoring plan", + "id": "control-1055", + "title": "Password/passphrase authentication", "parts": [ { - "id": "control-1163-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." + "prose": "LAN Manager is disabled for password/passphrase authentication." } ] }, { - "id": "control-1563", - "title": "Security assessment report", + "id": "control-0418", + "title": "Protecting credentials", "parts": [ { - "id": "control-1563-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + "prose": "Credentials are stored separately from systems to which they grant access." 
} ] }, { - "id": "control-1564", - "title": "Plan of action and milestones", + "id": "control-1402", + "title": "Protecting credentials", "parts": [ { - "id": "control-1564-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." + "prose": "Credentials are protected by ensuring:\n• passwords/passphrases expire every 12 months\n• passwords/passphrases are stored as salted hashes\n• password/passphrase stretching is implemented\n• passwords/passphrases that are compromised are revoked\n• passwords/passphrases are never sent in the clear across networks." } ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ + }, { - "id": "control-0039", - "title": "Cyber security strategy", + "id": "control-0428", + "title": "Session and screen locking", "parts": [ { - "id": "control-0039-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." + "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." 
} ] }, { - "id": "control-0047", - "title": "Approval of security documentation", + "id": "control-0408", + "title": "Logon banner", "parts": [ { - "id": "control-0047-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-0888", - "title": "Maintenance of security documentation", + "id": "control-0979", + "title": "Logon banner", "parts": [ { - "id": "control-0888-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Legal advice is sought on the exact wording of logon banners." } ] } 
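Review bot: this region of the hunk is a reorder rather than a reviewable content change, so the textual diff cannot show whether any control was dropped or its statement prose altered; please add a semantic check to the PR. Every `-`/`+` pair here swaps an unrelated control at the same position (for example `-"id": "control-1322"` against `+"id": "control-1488"`, and the removed `network_design_and_configuration` group beside the added `operating_system_hardening` group), which is what a generator that now emits groups in a different order after the trestle 1.0.x upgrade would produce. A comparison of the sorted set of control ids, and of each control's `statement` prose, between the old and new catalog.json (for all the ISM_* catalogs in this patch) would confirm that only ordering changed; if the reordering is intended, a sentence in the commit message saying so would also help readers of this history.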
@@ -4412,3989 +4326,4075 @@ ] }, { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", "groups": [ { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", + "id": "application_development", + "title": "Application development", "controls": [ { - "id": "control-0252", - "title": "Providing cyber security awareness training", + "id": "control-0400", + "title": "Development environments", "parts": [ { - "id": "control-0252-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." + "prose": "Software development, testing and production environments are segregated." } ] }, { - "id": "control-1565", - "title": "Providing cyber security awareness training", + "id": "control-1419", + "title": "Development environments", "parts": [ { - "id": "control-1565-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "Tailored privileged user training is undertaken annually by all privileged users." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-0817", - "title": "Reporting suspicious contact via online services", + "id": "control-1420", + "title": "Development environments", "parts": [ { - "id": "control-0817-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." 
+ "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-0820", - "title": "Posting work information to online services", + "id": "control-1422", + "title": "Development environments", "parts": [ { - "id": "control-0820-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-1146", - "title": "Posting work information to online services", + "id": "control-1238", + "title": "Secure software design", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, { - "id": "control-0821", - "title": "Posting personal information to online services", + "id": "control-0401", + "title": "Secure programming practices", "parts": [ { - "id": "control-0821-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." 
} ] }, { - "id": "control-0824", - "title": "Sending and receiving files via online services", + "id": "control-0402", + "title": "Software testing", "parts": [ { - "id": "control-0824-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] } ] }, { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", + "id": "web_application_development", + "title": "Web application development", "controls": [ { - "id": "control-0432", - "title": "System access requirements", + "id": "control-1239", + "title": "Web application frameworks", "parts": [ { - "id": "control-0432-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "Each system’s system security plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-0434", - "title": "Security clearances, briefings and user identification", + "id": "control-1552", + "title": "Web application interactions", "parts": [ { - "id": "control-0434-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "All web application content is offered exclusively using HTTPS." 
} ] }, { - "id": "control-0435", - "title": "Security clearances, briefings and user identification", + "id": "control-1240", + "title": "Web application input handling", "parts": [ { - "id": "control-0435-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-0414", - "title": "Security clearances, briefings and user identification", + "id": "control-1241", + "title": "Web application output encoding", "parts": [ { - "id": "control-0414-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "Output encoding is performed on all output produced by a web application." } ] }, { - "id": "control-0415", - "title": "Security clearances, briefings and user identification", + "id": "control-1424", + "title": "Web browser-based security controls", "parts": [ { - "id": "control-0415-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-0975", - "title": "Security clearances, briefings and user identification", + "id": "control-0971", + "title": "Open Web Application Security Project", "parts": [ { - "id": "control-0975-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_using_cryptography", + "title": "Guidelines for Using Cryptography", + "groups": [ + { + "id": "secure_shell", + "title": "Secure Shell", + "controls": [ { - "id": "control-0420", - "title": "Security clearances, briefings and user identification", + "id": "control-1506", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-0420-stmt", + "id": "control-1506-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "The use of SSH version 1 is disabled." } ] }, { - "id": "control-1538", - "title": "Security clearances, briefings and user identification", + "id": "control-0484", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-1538-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-0405", - "title": "Standard access to systems", + "id": "control-0485", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-0405-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Public key-based authentication is used for SSH connections." 
} ] }, { - "id": "control-1503", - "title": "Standard access to systems", + "id": "control-1449", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1503-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "SSH private keys are protected with a passphrase or a key encryption key." } ] }, { - "id": "control-1566", - "title": "Standard access to systems", + "id": "control-0487", + "title": "Automated remote access", "parts": [ { - "id": "control-1566-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." } ] }, { - "id": "control-0409", - "title": "Standard access to systems by foreign nationals", + "id": "control-0488", + "title": "Automated remote access", "parts": [ { - "id": "control-0409-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." 
} ] }, { - "id": "control-0411", - "title": "Standard access to systems by foreign nationals", + "id": "control-0489", + "title": "SSH-agent", "parts": [ { - "id": "control-0411-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", + "controls": [ { - "id": "control-0816", - "title": "Standard access to systems by foreign nationals", + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0816-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." + "prose": "Only AACAs are used by cryptographic equipment and software." } ] }, { - "id": "control-1507", - "title": "Privileged access to systems", + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", "parts": [ { - "id": "control-1507-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." 
+ "prose": "ECDH and ECDSA are used in preference to DH and DSA." } ] }, { - "id": "control-1508", - "title": "Privileged access to systems", + "id": "control-0472", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-1508-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-0445", - "title": "Privileged access to systems", + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-0445-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1509", - "title": "Privileged access to systems", + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", "parts": [ { - "id": "control-1509-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." } ] }, { - "id": "control-1175", - "title": "Privileged access to systems", + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", "parts": [ { - "id": "control-1175-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." 
+ "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] }, { - "id": "control-0448", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", + "parts": [ + { + "id": "control-0475-stmt", + "name": "statement", + "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." + } + ] + }, + { + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0448-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-0446", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0446-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." + "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." 
} ] }, { - "id": "control-0447", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1054", + "title": "Approved hashing algorithms", "parts": [ { - "id": "control-0447-stmt", + "id": "control-1054-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." } ] }, { - "id": "control-1545", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", "parts": [ { - "id": "control-1545-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." } ] }, { - "id": "control-0430", - "title": "Suspension of access to systems", + "id": "control-0480", + "title": "Using the Triple Data Encryption Standard", "parts": [ { - "id": "control-0430-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "3DES is used with three distinct keys." } ] }, { - "id": "control-1404", - "title": "Suspension of access to systems", + "id": "control-1232", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-1404-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "AACAs are used in an evaluated implementation." 
} ] }, { - "id": "control-0407", - "title": "Recording authorisation for personnel to access systems", + "id": "control-1468", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0407-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." } ] - }, + } + ] + }, + { + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", + "controls": [ { - "id": "control-0441", - "title": "Temporary access to systems", + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-0441-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "Versions of S/MIME earlier than 3.0 are not used." } ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-0443", - "title": "Temporary access to systems", + "id": "control-1139", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0443-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." 
+ "prose": "Only the latest version of TLS is used." } ] }, { - "id": "control-0078", - "title": "Control of Australian systems", + "id": "control-1369", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0078-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-0854", - "title": "Control of Australian systems", + "id": "control-1370", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0854-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." + "prose": "Only server-initiated secure renegotiation is used." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", - "groups": [ - { - "id": "authentication_hardening", - "title": "Authentication hardening", - "controls": [ + }, { - "id": "control-1546", - "title": "Authenticating to systems", + "id": "control-1372", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1546-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "DH or ECDH is used for key establishment." } ] }, { - "id": "control-0974", - "title": "Multi-factor authentication", + "id": "control-1448", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0974-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." 
+ "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." } ] }, { - "id": "control-1173", - "title": "Multi-factor authentication", + "id": "control-1373", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1173-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-1504", - "title": "Multi-factor authentication", + "id": "control-1374", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1504-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "SHA-2-based certificates are used." } ] }, { - "id": "control-1505", - "title": "Multi-factor authentication", + "id": "control-1375", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1505-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." } ] }, { - "id": "control-1401", - "title": "Multi-factor authentication", + "id": "control-1553", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1401-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "TLS compression is disabled." 
} ] }, { - "id": "control-1559", - "title": "Multi-factor authentication", + "id": "control-1453", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1559-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "PFS is used for TLS connections." } ] - }, + } + ] + }, + { + "id": "cryptographic_system_management", + "title": "Cryptographic system management", + "controls": [ { - "id": "control-1560", - "title": "Multi-factor authentication", + "id": "control-0501", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1560-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." } ] }, { - "id": "control-1561", - "title": "Multi-factor authentication", + "id": "control-0142", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1561-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." } ] }, { - "id": "control-1357", - "title": "Multi-factor authentication", + "id": "control-1091", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1357-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." 
+ "prose": "Keying material is changed when compromised or suspected of being compromised." } ] }, { - "id": "control-0417", - "title": "Single-factor authentication", + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", "parts": [ { - "id": "control-0417-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." } ] }, { - "id": "control-0421", - "title": "Single-factor authentication", + "id": "control-0505", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-0421-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." } ] }, { - "id": "control-1557", - "title": "Single-factor authentication", + "id": "control-0506", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." 
} ] - }, + } + ] + }, + { + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", + "controls": [ { - "id": "control-0422", - "title": "Single-factor authentication", + "id": "control-1161", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-0422-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." } ] }, { - "id": "control-1558", - "title": "Single-factor authentication", + "id": "control-0457", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] }, - { - "id": "control-1403", - "title": "Account lockouts", + { + "id": "control-0460", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1403-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." 
+ "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-0431", - "title": "Account lockouts", + "id": "control-0459", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0431-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-0976", - "title": "Resetting passwords/passphrases", + "id": "control-0461", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0976-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset." + "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-1227", - "title": "Resetting passwords/passphrases", + "id": "control-1080", + "title": "Encrypting particularly important information at rest", "parts": [ { - "id": "control-1227-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." 
} ] }, { - "id": "control-1055", - "title": "Password/passphrase authentication", + "id": "control-0455", + "title": "Data recovery", "parts": [ { - "id": "control-1055-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "LAN Manager is disabled for password/passphrase authentication." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." } ] }, { - "id": "control-0418", - "title": "Protecting credentials", + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", "parts": [ { - "id": "control-0418-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." + "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] }, { - "id": "control-1402", - "title": "Protecting credentials", + "id": "control-1162", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1402-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "Credentials are protected by ensuring:\n• passwords/passphrases expire every 12 months\n• passwords/passphrases are stored as salted hashes\n• password/passphrase stretching is implemented\n• passwords/passphrases that are compromised are revoked\n• passwords/passphrases are never sent in the clear across networks." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." 
} ] }, { - "id": "control-0428", - "title": "Session and screen locking", + "id": "control-0465", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-0428-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0408", - "title": "Logon banner", + "id": "control-0467", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-0408-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0979", - "title": "Logon banner", + "id": "control-0469", + "title": "Encrypting particularly important information in transit", "parts": [ { - "id": "control-0979-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." 
} ] } ] }, { - "id": "operating_system_hardening", - "title": "Operating system hardening", + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", "controls": [ { - "id": "control-1407", - "title": "Operating system versions", - "parts": [ - { - "id": "control-1407-stmt", - "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for Standard Operating Environments (SOEs)." - } - ] - }, - { - "id": "control-1408", - "title": "Operating system versions", + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-1408-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "Only AACPs are used by cryptographic equipment and software." } ] - }, + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ { - "id": "control-1409", - "title": "Operating system configuration", + "id": "control-0494", + "title": "Mode of operation", "parts": [ { - "id": "control-1409-stmt", + "id": "control-0494-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." } ] }, { - "id": "control-0383", - "title": "Operating system configuration", + "id": "control-0496", + "title": "Protocol selection", "parts": [ { - "id": "control-0383-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + "prose": "The ESP protocol is used for IPsec connections." 
} ] }, { - "id": "control-0380", - "title": "Operating system configuration", + "id": "control-1233", + "title": "Key exchange", "parts": [ { - "id": "control-0380-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-1491", - "title": "Operating system configuration", + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", "parts": [ { - "id": "control-1491-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." } ] }, { - "id": "control-1410", - "title": "Local administrator accounts", + "id": "control-0498", + "title": "Security association lifetimes", "parts": [ { - "id": "control-1410-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." } ] }, { - "id": "control-1469", - "title": "Local administrator accounts", + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", "parts": [ { - "id": "control-1469-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." 
+ "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-0382", - "title": "Application management", + "id": "control-0999", + "title": "Diffie-Hellman groups", "parts": [ { - "id": "control-0382-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Users do not have the ability to install, uninstall or disable software." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." } ] }, { - "id": "control-0843", - "title": "Application control", + "id": "control-1000", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-0843-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "PFS is used for IPsec connections." } ] }, { - "id": "control-1490", - "title": "Application control", + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", "parts": [ { - "id": "control-1490-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_network_management", + "title": "Guidelines for Network Management", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ { - "id": "control-0955", - "title": "Application control", + "id": "control-1437", + "title": "Cloud-based hosting of online services", "parts": [ { - "id": "control-0955-stmt", + "id": "control-1437-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "A cloud service provider is used for hosting online services." } ] }, { - "id": "control-1471", - "title": "Application control", + "id": "control-1578", + "title": "Location policies for online services", "parts": [ { - "id": "control-1471-stmt", + "id": "control-1578-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." + "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." } ] }, { - "id": "control-1392", - "title": "Application control", + "id": "control-1579", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1392-stmt", + "id": "control-1579-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." 
} ] }, { - "id": "control-1544", - "title": "Application control", + "id": "control-1580", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1544-stmt", + "id": "control-1580-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." + "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." } ] }, { - "id": "control-0846", - "title": "Application control", + "id": "control-1441", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0846-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." + "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." } ] }, { - "id": "control-0957", - "title": "Application control", + "id": "control-1581", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0957-stmt", + "id": "control-1581-stmt", "name": "statement", - "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "Organisations perform continuous real-time monitoring of the availability of online services." 
} ] }, { - "id": "control-1414", - "title": "Enhanced Mitigation Experience Toolkit and Exploit protection", + "id": "control-1438", + "title": "Using content delivery networks", "parts": [ { - "id": "control-1414-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." } ] }, { - "id": "control-1492", - "title": "Enhanced Mitigation Experience Toolkit and Exploit protection", + "id": "control-1439", + "title": "Using content delivery networks", "parts": [ { - "id": "control-1492-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "If supported, Microsoft's 'Exploit protection' functionality is implemented on workstations and servers." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." } ] }, { - "id": "control-1341", - "title": "Host-based Intrusion Prevention System", + "id": "control-1431", + "title": "Denial of service strategies", "parts": [ { - "id": "control-1341-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." 
+ "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." } ] }, { - "id": "control-1034", - "title": "Host-based Intrusion Prevention System", + "id": "control-1458", + "title": "Denial of service strategies", "parts": [ { - "id": "control-1034-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." } ] }, { - "id": "control-1416", - "title": "Software firewall", + "id": "control-1432", + "title": "Domain name registrar locking", "parts": [ { - "id": "control-1416-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." 
} ] }, { - "id": "control-1417", - "title": "Antivirus software", + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", "parts": [ { - "id": "control-1417-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] }, { - "id": "control-1390", - "title": "Antivirus software", + "id": "control-1436", + "title": "Segregation of critical online services", "parts": [ { - "id": "control-1390-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." } ] }, { - "id": "control-1418", - "title": "Endpoint device control software", + "id": "control-1518", + "title": "Preparing for service continuity", "parts": [ { - "id": "control-1418-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." 
} ] } ] }, { - "id": "application_hardening", - "title": "Application hardening", + "id": "wireless_networks", + "title": "Wireless networks", "controls": [ { - "id": "control-0938", - "title": "Application selection", + "id": "control-1314", + "title": "Choosing wireless access points", "parts": [ { - "id": "control-0938-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-1467", - "title": "Application versions", + "id": "control-0536", + "title": "Wireless networks for public access", "parts": [ { - "id": "control-1467-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." } ] }, { - "id": "control-1483", - "title": "Application versions", + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", "parts": [ { - "id": "control-1483-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." 
} ] }, { - "id": "control-1412", - "title": "Hardening application configurations", + "id": "control-1316", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1412-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "The default SSID of wireless access points is changed." } ] }, { - "id": "control-1484", - "title": "Hardening application configurations", + "id": "control-1317", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1484-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." } ] }, { - "id": "control-1485", - "title": "Hardening application configurations", + "id": "control-1318", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1485-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "SSID broadcasting is enabled on wireless networks." } ] }, { - "id": "control-1486", - "title": "Hardening application configurations", + "id": "control-1319", + "title": "Static addressing", "parts": [ { - "id": "control-1486-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." 
} ] }, { - "id": "control-1541", - "title": "Hardening application configurations", + "id": "control-1320", + "title": "Media Access Control address filtering", "parts": [ { - "id": "control-1541-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." } ] }, { - "id": "control-1542", - "title": "Hardening application configurations", + "id": "control-1321", + "title": "802.1X authentication", "parts": [ { - "id": "control-1542-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] }, { - "id": "control-1470", - "title": "Hardening application configurations", + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", "parts": [ { - "id": "control-1470-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." } ] }, { - "id": "control-1235", - "title": "Hardening application configurations", + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1235-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." 
} ] }, { - "id": "control-1487", - "title": "Microsoft Office macros", + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1487-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + "prose": "Both device and user certificates are required for accessing wireless networks." } ] }, { - "id": "control-1488", - "title": "Microsoft Office macros", + "id": "control-1325", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1488-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." } ] }, { - "id": "control-1489", - "title": "Microsoft Office macros", + "id": "control-1326", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1489-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ - { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", - "controls": [ + }, { - "id": "control-0580", - "title": "Event logging policy", + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0580-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." 
+ "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." } ] }, { - "id": "control-1405", - "title": "Centralised logging facility", + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", "parts": [ { - "id": "control-1405-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." } ] }, { - "id": "control-0988", - "title": "Centralised logging facility", + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", "parts": [ { - "id": "control-0988-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] }, { - "id": "control-0584", - "title": "Events to be logged", + "id": "control-1332", + "title": "Encryption of wireless network traffic", "parts": [ { - "id": "control-0584-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." 
} ] }, { - "id": "control-0582", - "title": "Events to be logged", + "id": "control-1334", + "title": "Interference between wireless networks", "parts": [ { - "id": "control-0582-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to external media\n• user or group management\n• use of special privileges." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." } ] }, { - "id": "control-1536", - "title": "Events to be logged", + "id": "control-1335", + "title": "Protecting management frames on wireless networks", "parts": [ { - "id": "control-1536-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." 
} ] }, { - "id": "control-1537", - "title": "Events to be logged", + "id": "control-1338", + "title": "Wireless network footprint", "parts": [ { - "id": "control-1537-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." } ] }, { - "id": "control-0585", - "title": "Events log details", + "id": "control-1013", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0585-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." 
} ] - }, + } + ] + }, + { + "id": "network_design_and_configuration", + "title": "Network design and configuration", + "controls": [ { - "id": "control-0586", - "title": "Event log protection", + "id": "control-0516", + "title": "Network documentation", "parts": [ { - "id": "control-0586-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." } ] }, { - "id": "control-0859", - "title": "Event log retention", + "id": "control-0518", + "title": "Network documentation", "parts": [ { - "id": "control-0859-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-0991", - "title": "Event log retention", + "id": "control-1178", + "title": "Network documentation", "parts": [ { - "id": "control-0991-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." 
} ] }, { - "id": "control-0109", - "title": "Event log auditing process and procedures", + "id": "control-1181", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0109-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." } ] }, { - "id": "control-1228", - "title": "Event log auditing process and procedures", + "id": "control-1577", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-1228-stmt", + "id": "control-1577-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "Organisation networks are segregated from service provider networks." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", - "groups": [ - { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", - "controls": [ + }, { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-1532", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0123-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." 
} ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-0529", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0141-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." } ] }, { - "id": "control-1433", - "title": "Reporting cyber security incidents", + "id": "control-1364", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1433-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." + "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." } ] }, { - "id": "control-1434", - "title": "Reporting cyber security incidents", + "id": "control-0535", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1434-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents to the ACSC", + "id": "control-0530", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0140-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." 
+ "prose": "Network devices implementing VLANs are managed from the most trusted network." } ] - } - ] - }, - { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", - "controls": [ + }, { - "id": "control-0125", - "title": "Cyber security incident register", + "id": "control-0521", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0125-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-0133", - "title": "Handling and containing data spills", + "id": "control-1186", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0133-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." + "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." 
} ] }, { - "id": "control-0917", - "title": "Handling and containing malicious code infections", + "id": "control-1428", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0917-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-0137", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-1429", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0137-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." } ] }, { - "id": "control-1213", - "title": "Post-incident analysis", + "id": "control-1430", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1213-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." 
+ "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." } ] }, { - "id": "control-0138", - "title": "Integrity of evidence", + "id": "control-0520", + "title": "Network access controls", "parts": [ { - "id": "control-0138-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators recording all of their actions and ensuring raw audit trails are copied onto media for archiving." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] - } - ] - }, - { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", - "controls": [ + }, { - "id": "control-0576", - "title": "Intrusion detection and prevention policy", + "id": "control-1182", + "title": "Network access controls", "parts": [ { - "id": "control-0576-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] }, { - "id": "control-0120", - "title": "Access to sufficient data sources and tools", + "id": "control-1301", + "title": "Network device register", "parts": [ { - "id": "control-0120-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + "prose": "A network device register is maintained and regularly audited." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems_management", - "title": "Guidelines for Database Systems Management", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Protecting database server contents", + "id": "control-1304", + "title": "Default accounts for network devices", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1269", - "title": "Functional separation between database servers and web servers", + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", "parts": [ { - "id": "control-1269-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "Unused physical ports on network devices are disabled." } ] }, { - "id": "control-1277", - "title": "Communications between database servers and web servers", + "id": "control-0385", + "title": "Functional separation between servers", "parts": [ { - "id": "control-1277-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-1270", - "title": "Network environment", + "id": "control-1479", + "title": "Functional separation between servers", "parts": [ { - "id": "control-1270-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." 
+ "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-1271", - "title": "Network environment", + "id": "control-1460", + "title": "Functional separation between server-side computing environments", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware:\n• the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner\n• the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism\n• the underlying operating system running on the server is hardened\n• patches are applied to the isolation mechanism and underlying operating system in a timely manner\n• integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1272", - "title": "Network environment", + "id": "control-1462", + "title": "Functional separation between server-side computing environments", "parts": [ { - "id": "control-1272-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." } ] }, { - "id": "control-1273", - "title": "Separation of production, test and development database servers", + "id": "control-1461", + "title": "Functional separation between server-side computing environments", "parts": [ { - "id": "control-1273-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." } ] - } - ] - }, - { - "id": "database_management_system_software", - "title": "Database management system software", - "controls": [ + }, { - "id": "control-1245", - "title": "Temporary installation files and logs", + "id": "control-1006", + "title": "Management traffic", "parts": [ { - "id": "control-1245-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." } ] }, { - "id": "control-1246", - "title": "Hardening and configuration", + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1246-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "SNMP version 1 and 2 are not used on networks." 
} ] }, { - "id": "control-1247", - "title": "Hardening and configuration", + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1247-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." } ] }, { - "id": "control-1249", - "title": "Restricting privileges", + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage, including public network infrastructure." } ] }, { - "id": "control-1250", - "title": "Restricting privileges", + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1250-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." 
} ] }, { - "id": "control-1251", - "title": "Restricting privileges", + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ { - "id": "control-1260", - "title": "Database administrator accounts", + "id": "control-0123", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1260-stmt", + "id": "control-0123-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1262", - "title": "Database administrator accounts", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1262-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." 
} ] }, { - "id": "control-1261", - "title": "Database administrator accounts", + "id": "control-1433", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1261-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." } ] }, { - "id": "control-1263", - "title": "Database administrator accounts", + "id": "control-1434", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1263-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." } ] }, { - "id": "control-1264", - "title": "Database administrator accounts", + "id": "control-0140", + "title": "Reporting cyber security incidents to the ACSC", "parts": [ { - "id": "control-1264-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "Cyber security incidents are reported to the ACSC." } ] } ] }, { - "id": "databases", - "title": "Databases", + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", "controls": [ { - "id": "control-1243", - "title": "Database register", + "id": "control-0125", + "title": "Cyber security incident register", "parts": [ { - "id": "control-1243-stmt", + "id": "control-0125-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." 
+ "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." } ] }, { - "id": "control-1256", - "title": "Protecting database contents", + "id": "control-0133", + "title": "Handling and containing data spills", "parts": [ { - "id": "control-1256-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." } ] }, { - "id": "control-1252", - "title": "Protecting authentication credentials in databases", + "id": "control-0917", + "title": "Handling and containing malicious code infections", "parts": [ { - "id": "control-1252-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." 
} ] }, { - "id": "control-0393", - "title": "Protecting database contents", + "id": "control-0137", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-0393-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-1255", - "title": "Protecting database contents", + "id": "control-1213", + "title": "Post-incident analysis", "parts": [ { - "id": "control-1255-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." } ] }, { - "id": "control-1268", - "title": "Protecting database contents", + "id": "control-0138", + "title": "Integrity of evidence", "parts": [ { - "id": "control-1268-stmt", + "id": "control-0138-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators recording all of their actions and ensuring raw audit trails are copied onto media for archiving." 
+ } + ] + } + ] + }, + { + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", + "controls": [ + { + "id": "control-0576", + "title": "Intrusion detection and prevention policy", + "parts": [ + { + "id": "control-0576-stmt", + "name": "statement", + "prose": "An intrusion detection and prevention policy is developed and implemented." } ] }, { - "id": "control-1258", - "title": "Aggregation of database contents", + "id": "control-0120", + "title": "Access to sufficient data sources and tools", "parts": [ { - "id": "control-1258-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems_management", + "title": "Guidelines for Database Systems Management", + "groups": [ + { + "id": "database_servers", + "title": "Database servers", + "controls": [ + { + "id": "control-1425", + "title": "Protecting database server contents", + "parts": [ + { + "id": "control-1425-stmt", + "name": "statement", + "prose": "Hard disks of database servers are encrypted using full disk encryption." 
} ] }, { - "id": "control-1274", - "title": "Separation of production, test and development databases", + "id": "control-1269", + "title": "Functional separation between database servers and web servers", "parts": [ { - "id": "control-1274-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-1275", - "title": "Web application interaction with databases", + "id": "control-1277", + "title": "Communications between database servers and web servers", "parts": [ { - "id": "control-1275-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." + "prose": "Information communicated between database servers and web applications is encrypted." } ] }, { - "id": "control-1276", - "title": "Web application interaction with databases", + "id": "control-1270", + "title": "Network environment", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-1278", - "title": "Web application interaction with databases", + "id": "control-1271", + "title": "Network environment", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." 
+ "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ - { - "id": "mobile_device_usage", - "title": "Mobile device usage", - "controls": [ + }, { - "id": "control-1082", - "title": "Mobile device usage policy", + "id": "control-1272", + "title": "Network environment", "parts": [ { - "id": "control-1082-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." } ] }, { - "id": "control-1083", - "title": "Personnel awareness", + "id": "control-1273", + "title": "Separation of production, test and development database servers", "parts": [ { - "id": "control-1083-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "Test and development environments do not use the same database servers as production environments." } ] - }, + } + ] + }, + { + "id": "databases", + "title": "Databases", + "controls": [ { - "id": "control-0240", - "title": "Paging and message services", + "id": "control-1243", + "title": "Database register", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "A database register is maintained and regularly audited." 
} ] }, { - "id": "control-0866", - "title": "Using mobile devices in public spaces", + "id": "control-1256", + "title": "Protecting database contents", "parts": [ { - "id": "control-0866-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-1145", - "title": "Using mobile devices in public spaces", + "id": "control-1252", + "title": "Protecting authentication credentials in databases", "parts": [ { - "id": "control-1145-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-0871", - "title": "Maintaining control of mobile devices", + "id": "control-0393", + "title": "Protecting database contents", "parts": [ { - "id": "control-0871-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." } ] }, { - "id": "control-0870", - "title": "Maintaining control of mobile devices", + "id": "control-1255", + "title": "Protecting database contents", "parts": [ { - "id": "control-0870-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." 
} ] }, { - "id": "control-1084", - "title": "Carrying mobile devices", + "id": "control-1268", + "title": "Protecting database contents", "parts": [ { - "id": "control-1084-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." } ] }, { - "id": "control-0701", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1258", + "title": "Aggregation of database contents", "parts": [ { - "id": "control-0701-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." } ] }, { - "id": "control-0702", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1274", + "title": "Separation of production, test and development databases", "parts": [ { - "id": "control-0702-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." 
+ "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." } ] }, { - "id": "control-1298", - "title": "Before travelling overseas with mobile devices", + "id": "control-1275", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1298-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." } ] }, { - "id": "control-1554", - "title": "Before travelling overseas with mobile devices", + "id": "control-1276", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1554-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." 
} ] }, { - "id": "control-1555", - "title": "Before travelling overseas with mobile devices", + "id": "control-1278", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1555-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." } ] - }, + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ { - "id": "control-1299", - "title": "While travelling overseas with mobile devices", + "id": "control-1245", + "title": "Temporary installation files and logs", "parts": [ { - "id": "control-1299-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding 
connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-1088", - "title": "While travelling overseas with mobile devices", + "id": "control-1246", + "title": "Hardening and configuration", "parts": [ { - "id": "control-1088-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." + "prose": "DBMS software is configured according to vendor guidance." 
} ] }, { - "id": "control-1300", - "title": "After travelling overseas with mobile devices", + "id": "control-1247", + "title": "Hardening and configuration", "parts": [ { - "id": "control-1300-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." } ] }, { - "id": "control-1556", - "title": "After travelling overseas with mobile devices", + "id": "control-1249", + "title": "Restricting privileges", "parts": [ { - "id": "control-1556-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] - } - ] - }, - { - "id": "mobile_device_management", - "title": "Mobile device management", - "controls": [ + }, { - "id": "control-1533", - "title": "Mobile device management policy", + "id": "control-1250", + "title": "Restricting privileges", "parts": [ { - "id": "control-1533-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." 
+ "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." } ] }, { - "id": "control-1195", - "title": "Mobile device management policy", + "id": "control-1251", + "title": "Restricting privileges", "parts": [ { - "id": "control-1195-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." + "prose": "The ability of DBMS software to read local files from a server is disabled." } ] }, { - "id": "control-0687", - "title": "Mobile device management policy", + "id": "control-1260", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0687-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-1400", - "title": "Privately-owned mobile devices", + "id": "control-1262", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1400-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "Database administrators have unique and identifiable accounts." 
} ] }, { - "id": "control-0694", - "title": "Privately-owned mobile devices", + "id": "control-1261", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0694-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems." + "prose": "Database administrator accounts are not shared across different databases." } ] }, { - "id": "control-1297", - "title": "Seeking legal advice for privately-owned mobile devices", + "id": "control-1263", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1297-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "Prior to allowing privately-owned mobile devices to connect to an organisation’s systems, legal advice is sought." + "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-1482", - "title": "Organisation-owned mobile devices", + "id": "control-1264", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1482-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ + { + "id": "system_owners", + "title": "System owners", + "controls": [ { - "id": "control-0869", - "title": "Mobile device storage encryption", + "id": "control-1071", + "title": "System ownership", "parts": [ { - "id": "control-0869-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Each system has a designated system owner." } ] }, { - "id": "control-1085", - "title": "Mobile device communications encryption", + "id": "control-1525", + "title": "Responsibilities", "parts": [ { - "id": "control-1085-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "System owners register each system with the system’s authorising officer." } ] }, { - "id": "control-1202", - "title": "Mobile device Bluetooth functionality", + "id": "control-0027", + "title": "Responsibilities", "parts": [ { - "id": "control-1202-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." 
} ] }, { - "id": "control-0682", - "title": "Mobile device Bluetooth functionality", + "id": "control-1526", + "title": "Responsibilities", "parts": [ { - "id": "control-0682-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." + "prose": "System owners monitor security risks and the effectiveness of security controls for each system." } ] - }, + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ { - "id": "control-1196", - "title": "Mobile device Bluetooth pairing", + "id": "control-0714", + "title": "Cyber security leadership", "parts": [ { - "id": "control-1196-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "A CISO is appointed to provide cyber security leadership for their organisation." } ] }, { - "id": "control-1200", - "title": "Mobile device Bluetooth pairing", + "id": "control-1478", + "title": "Responsibilities", "parts": [ { - "id": "control-1200-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_data_transfers", + "title": "Guidelines for Data Transfers", + "groups": [ + { + "id": "data_transfers", + "title": "Data transfers", + "controls": [ { - "id": "control-1198", - "title": "Mobile device Bluetooth pairing", + "id": "control-0663", + "title": "Data transfer process and procedures", "parts": [ { - "id": "control-1198-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-1199", - "title": "Mobile device Bluetooth pairing", + "id": "control-0661", + "title": "User responsibilities", "parts": [ { - "id": "control-1199-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." } ] }, { - "id": "control-0863", - "title": "Configuration control", + "id": "control-0665", + "title": "Trusted sources", "parts": [ { - "id": "control-0863-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." } ] }, { - "id": "control-0864", - "title": "Configuration control", + "id": "control-0664", + "title": "Data transfer approval", "parts": [ { - "id": "control-0864-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." 
+ "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." } ] }, { - "id": "control-1365", - "title": "Maintaining mobile device security", + "id": "control-0675", + "title": "Data transfer approval", "parts": [ { - "id": "control-1365-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "A trusted source signs all data authorised for export from a system." } ] }, { - "id": "control-1366", - "title": "Maintaining mobile device security", + "id": "control-0657", + "title": "Import of data", "parts": [ { - "id": "control-1366-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "Data imported to a system is scanned for malicious and active content." } ] }, { - "id": "control-0874", - "title": "Connecting mobile devices to the internet", + "id": "control-0658", + "title": "Import of data", "parts": [ { - "id": "control-0874-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." } ] }, { - "id": "control-0705", - "title": "Connecting mobile devices to the internet", + "id": "control-1187", + "title": "Export of data", "parts": [ { - "id": "control-0705-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "When exporting data, protective marking checks are undertaken." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", - "groups": [ - { - "id": "cable_labelling_and_registration", - "title": "Cable labelling and registration", - "controls": [ + }, { - "id": "control-0201", - "title": "Conduit label specifications", + "id": "control-0669", + "title": "Export of data", "parts": [ { - "id": "control-0201-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." + "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." } ] }, { - "id": "control-0202", - "title": "Conduit label specifications", + "id": "control-1535", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-0202-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-0203", - "title": "Conduit label specifications", + "id": "control-0678", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-0203-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." 
+ "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." } ] }, { - "id": "control-0204", - "title": "Installing conduit labelling", + "id": "control-1294", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0204-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." + "prose": "When importing data to a system, data transfer logs are partially audited at least monthly." } ] }, { - "id": "control-1095", - "title": "Labelling wall outlet boxes", + "id": "control-0660", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1095-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." + "prose": "When importing data to a system, data transfer logs are fully audited at least monthly." } ] }, { - "id": "control-1096", - "title": "Labelling cables", + "id": "control-1295", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1096-stmt", + "id": "control-1295-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." + "prose": "When exporting data out of a system, data transfer logs are partially audited at least monthly." 
} ] }, { - "id": "control-0206", - "title": "Cable labelling process and procedures", + "id": "control-0673", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0206-stmt", + "id": "control-0673-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." + "prose": "When exporting data out of a system, data transfer logs are fully audited at least monthly." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_email_management", + "title": "Guidelines for Email Management", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ { - "id": "control-0208", - "title": "Cable register", + "id": "control-0569", + "title": "Centralised email gateways", "parts": [ { - "id": "control-0208-stmt", + "id": "control-0569-stmt", "name": "statement", - "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." + "prose": "Email is routed through a centralised email gateway." } ] }, { - "id": "control-0211", - "title": "Cable inspections", + "id": "control-0571", + "title": "Centralised email gateways", "parts": [ { - "id": "control-0211-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "Cables are inspected for inconsistencies with the cable register at least annually." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." 
} ] - } - ] - }, - { - "id": "cable_patching", - "title": "Cable patching", - "controls": [ + }, { - "id": "control-0213", - "title": "Terminations to patch panels", + "id": "control-0570", + "title": "Email gateway maintenance activities", "parts": [ { - "id": "control-0213-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "Only approved cable groups terminate on a patch panel." + "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." } ] }, { - "id": "control-1093", - "title": "Patch cable and fly lead connectors", + "id": "control-0567", + "title": "Open relay email servers", "parts": [ { - "id": "control-1093-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." + "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-0214", - "title": "Patch cable and fly lead connectors", + "id": "control-0572", + "title": "Email server transport encryption", "parts": [ { - "id": "control-0214-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." 
} ] }, { - "id": "control-1094", - "title": "Patch cable and fly lead connectors", + "id": "control-0574", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1094-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." } ] }, { - "id": "control-0216", - "title": "Physical separation of patch panels", + "id": "control-1183", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0216-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + "prose": "A hard fail SPF record is used when specifying email servers." } ] }, { - "id": "control-0217", - "title": "Physical separation of patch panels", + "id": "control-1151", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0217-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "SPF is used to verify the authenticity of incoming emails." 
} ] }, { - "id": "control-0218", - "title": "Fly lead installation", + "id": "control-1152", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0218-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." } ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ + }, { - "id": "control-0247", - "title": "Emanation security threat assessments in Australia", + "id": "control-0861", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0247-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-0248", - "title": "Emanation security threat assessments in Australia", + "id": "control-1026", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0248-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "DKIM signatures on received emails are verified." 
} ] }, { - "id": "control-1137", - "title": "Emanation security threat assessments in Australia", + "id": "control-1027", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1137-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." } ] }, { - "id": "control-0932", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", "parts": [ { - "id": "control-0932-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] }, { - "id": "control-0249", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1234", + "title": "Email content filtering", "parts": [ { - "id": "control-0249-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Email content filtering controls are implemented for email bodies and attachments." 
} ] }, { - "id": "control-0246", - "title": "Early identification of emanation security issues", + "id": "control-1502", + "title": "Blocking suspicious emails", "parts": [ { - "id": "control-0246-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." } ] }, { - "id": "control-0250", - "title": "Industry and government standards", + "id": "control-1024", + "title": "Undeliverable messages", "parts": [ { - "id": "control-0250-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." } ] } ] }, { - "id": "cable_management", - "title": "Cable management", + "id": "email_usage", + "title": "Email usage", "controls": [ { - "id": "control-0181", - "title": "Cable standards", + "id": "control-0264", + "title": "Email usage policy", "parts": [ { - "id": "control-0181-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." + "prose": "An email usage policy is developed and implemented." } ] }, { - "id": "control-0926", - "title": "Cable colours", + "id": "control-0267", + "title": "Webmail services", "parts": [ { - "id": "control-0926-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." 
+ "prose": "Access to non-approved webmail services is blocked." } ] }, { - "id": "control-0825", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-0270", + "title": "Protective markings for emails", "parts": [ { - "id": "control-0825-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." } ] }, { - "id": "control-0826", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-0271", + "title": "Protective marking tools", "parts": [ { - "id": "control-0826-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." + "prose": "Protective marking tools do not automatically insert protective markings into emails." } ] }, { - "id": "control-1215", - "title": "Cable colour non-conformance", + "id": "control-0272", + "title": "Protective marking tools", "parts": [ { - "id": "control-1215-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." 
} ] }, { - "id": "control-1216", - "title": "Cable colour non-conformance", + "id": "control-1089", + "title": "Protective marking tools", "parts": [ { - "id": "control-1216-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." } ] }, { - "id": "control-1112", - "title": "Inspecting cables", + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-1112-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." } ] }, { - "id": "control-1118", - "title": "Inspecting cables", + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-1118-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-1119", - "title": "Inspecting cables", + "id": "control-0269", + "title": "Email distribution lists", "parts": [ { - "id": "control-1119-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." 
+ "prose": "Emails containing AUSTEO or AGAO information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." } ] }, { - "id": "control-1126", - "title": "Inspecting cables", + "id": "control-1539", + "title": "Email distribution lists", "parts": [ { - "id": "control-1126-stmt", + "id": "control-1539-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-0184", - "title": "Inspecting cables", + "id": "control-0039", + "title": "Cyber security strategy", "parts": [ { - "id": "control-0184-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-0187", - "title": "Cable groupings", + "id": "control-0047", + "title": "Approval of security documentation", "parts": [ { - "id": "control-0187-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." 
+ "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." } ] }, { - "id": "control-1111", - "title": "Use of fibre-optic cables", + "id": "control-0888", + "title": "Maintenance of security documentation", "parts": [ { - "id": "control-1111-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + } + ] + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ + { + "id": "control-0041", + "title": "System security plan", + "parts": [ + { + "id": "control-0041-stmt", + "name": "statement", + "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-0189", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-0043", + "title": "Incident response plan", "parts": [ { - "id": "control-0189-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." 
+ "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." } ] }, { - "id": "control-0190", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-1163", + "title": "Continuous monitoring plan", "parts": [ { - "id": "control-0190-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." + "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." 
} ] }, { - "id": "control-1114", - "title": "Cables sharing a common reticulation system", + "id": "control-1563", + "title": "Security assessment report", "parts": [ { - "id": "control-1114-stmt", + "id": "control-1563-stmt", "name": "statement", - "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." } ] }, { - "id": "control-1130", - "title": "Enclosed cable reticulation systems", + "id": "control-1564", + "title": "Plan of action and milestones", + "parts": [ + { + "id": "control-1564-stmt", + "name": "statement", + "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", + "groups": [ + { + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", + "controls": [ + { + "id": "control-0252", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1130-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." 
+ "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." } ] }, { - "id": "control-1164", - "title": "Covers for enclosed cable reticulation systems", + "id": "control-1565", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1164-stmt", + "id": "control-1565-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Tailored privileged user training is undertaken annually by all privileged users." } ] }, { - "id": "control-0195", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-0817", + "title": "Reporting suspicious contact via online services", "parts": [ { - "id": "control-0195-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, { - "id": "control-0194", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-0820", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0194-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." 
+ "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." } ] }, { - "id": "control-1102", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1146", + "title": "Posting work information to online services", "parts": [ { - "id": "control-1102-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." } ] }, { - "id": "control-1101", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-0821", + "title": "Posting personal information to online services", "parts": [ { - "id": "control-1101-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." + "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." } ] }, { - "id": "control-1103", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-0824", + "title": "Sending and receiving files via online services", "parts": [ { - "id": "control-1103-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." 
} ] - }, + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ { - "id": "control-1098", - "title": "Terminating cables in cabinets", + "id": "control-0432", + "title": "System access requirements", "parts": [ { - "id": "control-1098-stmt", + "id": "control-0432-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." + "prose": "Each system’s system security plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources." } ] }, { - "id": "control-1100", - "title": "Terminating cables in cabinets", + "id": "control-0434", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1100-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." } ] }, { - "id": "control-1116", - "title": "Cabinet separation", + "id": "control-0435", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1116-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." 
} ] }, { - "id": "control-1115", - "title": "Cables in walls", + "id": "control-0414", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1115-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." } ] }, { - "id": "control-1133", - "title": "Cables in party walls", + "id": "control-0415", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1133-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in a party wall." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-1122", - "title": "Wall penetrations", + "id": "control-0975", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1122-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1134", - "title": "Wall penetrations", + "id": "control-0420", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1134-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." 
+ "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1104", - "title": "Wall outlet boxes", + "id": "control-1538", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1104-stmt", + "id": "control-1538-stmt", "name": "statement", - "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." + "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1105", - "title": "Wall outlet boxes", + "id": "control-0405", + "title": "Standard access to systems", "parts": [ { - "id": "control-1105-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-1106", - "title": "Wall outlet boxes", + "id": "control-1503", + "title": "Standard access to systems", "parts": [ { - "id": "control-1106-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." 
} ] }, { - "id": "control-1107", - "title": "Wall outlet box colours", + "id": "control-1566", + "title": "Standard access to systems", "parts": [ { - "id": "control-1107-stmt", + "id": "control-1566-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-1109", - "title": "Wall outlet box covers", + "id": "control-0409", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-1109-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-0198", - "title": "Audio secure spaces", + "id": "control-0411", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0198-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." 
} ] }, { - "id": "control-1123", - "title": "Power reticulation", + "id": "control-0816", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-1123-stmt", + "id": "control-0816-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." } ] }, { - "id": "control-1135", - "title": "Power reticulation", + "id": "control-1507", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0336", - "title": "ICT equipment and media register", + "id": "control-1508", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0336-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." 
+ "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-0159", - "title": "ICT equipment and media register", + "id": "control-0445", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0159-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." } ] }, { - "id": "control-0161", - "title": "Securing ICT equipment and media", + "id": "control-1509", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0161-stmt", + "id": "control-1509-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." } ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Radio Frequency devices", + "id": "control-1175", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1543-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." 
} ] }, { - "id": "control-0225", - "title": "Radio Frequency devices", + "id": "control-0448", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0225-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." } ] }, { - "id": "control-0829", - "title": "Radio Frequency devices", + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0829-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." } ] }, { - "id": "control-1058", - "title": "Bluetooth and wireless keyboards", + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1058-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." } ] }, { - "id": "control-0222", - "title": "Infrared keyboards", + "id": "control-1545", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0222-stmt", + "id": "control-1545-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." 
+ "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." } ] }, { - "id": "control-0223", - "title": "Infrared keyboards", + "id": "control-0430", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-0223-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." } ] }, { - "id": "control-0224", - "title": "Infrared keyboards", + "id": "control-1404", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-0224-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." 
} ] }, { - "id": "control-0221", - "title": "Wireless RF pointing devices", + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", "parts": [ { - "id": "control-0221-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." } ] - } - ] - }, - { - "id": "facilities_and_systems", - "title": "Facilities and systems", - "controls": [ + }, { - "id": "control-0810", - "title": "Facilities containing systems", + "id": "control-0441", + "title": "Temporary access to systems", "parts": [ { - "id": "control-0810-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." 
} ] }, { - "id": "control-1053", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0443", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1053-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." } ] }, { - "id": "control-1530", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0078", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1530-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." } ] }, { - "id": "control-0813", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0854", + "title": "Control of Australian systems", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", + "groups": [ + { + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", + "controls": [ { - "id": "control-1074", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", "parts": [ { - "id": "control-1074-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-0157", - "title": "Network infrastructure", + "id": "control-0546", + "title": "Video and voice-aware firewalls", "parts": [ { - "id": "control-0157-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." } ] }, { - "id": "control-1296", - "title": "Controlling physical access to network devices", + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "Video conferencing and IP telephony signalling and data is encrypted." 
} ] }, { - "id": "control-0164", - "title": "Preventing observation by unauthorised people", + "id": "control-0548", + "title": "Establishment of secure signalling and data protocols", "parts": [ { - "id": "control-0164-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_data_transfers", - "title": "Guidelines for Data Transfers", - "groups": [ - { - "id": "data_transfers", - "title": "Data transfers", - "controls": [ + }, { - "id": "control-0663", - "title": "Data transfer process and procedures", + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0663-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-0661", - "title": "User responsibilities", + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0661-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." 
} ] }, { - "id": "control-0665", - "title": "Trusted sources", + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0665-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-0664", - "title": "Data transfer approval", + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." } ] }, { - "id": "control-0675", - "title": "Data transfer approval", + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0675-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "A trusted source signs all data authorised for export from a system." + "prose": "Individual logins are used for IP phones." 
} ] }, { - "id": "control-0657", - "title": "Import of data", + "id": "control-0549", + "title": "Traffic separation", "parts": [ { - "id": "control-0657-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." } ] }, { - "id": "control-0658", - "title": "Import of data", + "id": "control-0556", + "title": "Traffic separation", "parts": [ { - "id": "control-0658-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-1187", - "title": "Export of data", + "id": "control-1015", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-1187-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "Traditional analog phones are used in public areas." } ] }, { - "id": "control-0669", - "title": "Export of data", + "id": "control-0558", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0669-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." 
+ "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] }, { - "id": "control-1535", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0559", + "title": "Microphones and webcams", "parts": [ { - "id": "control-1535-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." } ] }, { - "id": "control-0678", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-1450", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0678-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." } ] }, { - "id": "control-1294", - "title": "Monitoring data import and export", + "id": "control-1019", + "title": "Developing a denial of service response plan", "parts": [ { - "id": "control-1294-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "When importing data to a system, data transfer logs are partially audited at least monthly." 
+ "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." } ] - }, + } + ] + }, + { + "id": "telephone_systems", + "title": "Telephone systems", + "controls": [ { - "id": "control-0660", - "title": "Monitoring data import and export", + "id": "control-1078", + "title": "Telephone systems usage policy", "parts": [ { - "id": "control-0660-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "When importing data to a system, data transfer logs are fully audited at least monthly." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-1295", - "title": "Monitoring data import and export", + "id": "control-0229", + "title": "Personnel awareness", "parts": [ { - "id": "control-1295-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "When exporting data out of a system, data transfer logs are partially audited at least monthly." + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-0673", - "title": "Monitoring data import and export", + "id": "control-0230", + "title": "Personnel awareness", "parts": [ { - "id": "control-0673-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "When exporting data out of a system, data transfer logs are fully audited at least monthly." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment_management", - "title": "Guidelines for ICT Equipment Management", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0231", + "title": "Visual indication", "parts": [ { - "id": "control-0313-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0232", + "title": "Protecting conversations", "parts": [ { - "id": "control-1550-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0233", + "title": "Cordless telephone systems", "parts": [ { - "id": "control-0311-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." 
} ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0235", + "title": "Speakerphones", "parts": [ { - "id": "control-1217-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0236", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0316-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." } ] }, { - "id": "control-0315", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-0931", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0315-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." 
} ] }, { - "id": "control-1218", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-0237", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-1218-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." } ] - }, + } + ] + }, + { + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", + "controls": [ { - "id": "control-0312", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", "parts": [ { - "id": "control-0312-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "A fax machine and MFD usage policy is developed and implemented." } ] }, { - "id": "control-0317", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1092", + "title": "Sending fax messages", "parts": [ { - "id": "control-0317-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." 
} ] }, { - "id": "control-1219", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0241", + "title": "Sending fax messages", "parts": [ { - "id": "control-1219-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." } ] }, { - "id": "control-1220", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1075", + "title": "Receiving fax messages", "parts": [ { - "id": "control-1220-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." } ] }, { - "id": "control-1221", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0590", + "title": "Connecting multifunction devices to networks", "parts": [ { - "id": "control-1221-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." 
} ] }, { - "id": "control-0318", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", "parts": [ { - "id": "control-0318-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] }, { - "id": "control-1534", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0589", + "title": "Copying documents on multifunction devices", "parts": [ { - "id": "control-1534-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." } ] }, { - "id": "control-1076", - "title": "Sanitising televisions and computer monitors", + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ { - "id": "control-1222", - "title": "Sanitising televisions and computer monitors", + "id": "control-1510", + "title": "Digital preservation policy", "parts": [ { - "id": "control-1222-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-1223", - "title": "Sanitising network devices", + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-1223-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." } ] }, { - "id": "control-1225", - "title": "Sanitising fax machines", + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-1225-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
} ] }, { - "id": "control-1226", - "title": "Sanitising fax machines", + "id": "control-1511", + "title": "Performing backups", "parts": [ { - "id": "control-1226-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] - } - ] - }, - { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", - "controls": [ + }, { - "id": "control-1079", - "title": "Maintenance and repairs of high assurance ICT equipment", + "id": "control-1512", + "title": "Backup storage", "parts": [ { - "id": "control-1079-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." } ] }, { - "id": "control-0305", - "title": "On-site maintenance and repairs", + "id": "control-1513", + "title": "Backup storage", "parts": [ { - "id": "control-0305-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "Backups are stored at a multiple geographically-dispersed locations." } ] }, { - "id": "control-0307", - "title": "On-site maintenance and repairs", + "id": "control-1514", + "title": "Retention periods for backups", "parts": [ { - "id": "control-0307-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "Backups are stored for three months or greater." 
} ] }, { - "id": "control-0306", - "title": "On-site maintenance and repairs", + "id": "control-1515", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-0306-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-0310", - "title": "Off-site maintenance and repairs", + "id": "control-1516", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-0310-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." } ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-0944", - "title": "Maintenance and repair of ICT equipment from secured spaces", + "id": "control-1211", + "title": "Change management process and procedures", "parts": [ { - "id": "control-0944-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." 
+ "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." } ] } ] }, { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", + "id": "system_administration", + "title": "System administration", "controls": [ { - "id": "control-1551", - "title": "ICT equipment management policy", + "id": "control-0042", + "title": "System administration process and procedures", "parts": [ { - "id": "control-1551-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." } ] }, { - "id": "control-0293", - "title": "Classifying ICT equipment", + "id": "control-1380", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0293-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] }, { - "id": "control-0294", - "title": "Labelling ICT equipment", + "id": "control-1382", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0294-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
+ "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." } ] }, { - "id": "control-0296", - "title": "Labelling high assurance ICT equipment", + "id": "control-1381", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0296-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ - { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", - "controls": [ + }, { - "id": "control-0714", - "title": "Cyber security leadership", + "id": "control-1383", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0714-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership for their organisation." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." } ] }, { - "id": "control-1478", - "title": "Responsibilities", + "id": "control-1384", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "Multi-factor authentication is used to authenticate users each time they perform privileged actions." 
} ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ + }, { - "id": "control-1071", - "title": "System ownership", + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." } ] }, { - "id": "control-1525", - "title": "Responsibilities", + "id": "control-1386", + "title": "Restriction of management traffic flows", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "System owners register each system with the system’s authorising officer." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-0027", - "title": "Responsibilities", + "id": "control-1387", + "title": "Jump servers", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." + "prose": "All administrative actions are conducted through a jump server." } ] }, { - "id": "control-1526", - "title": "Responsibilities", + "id": "control-1388", + "title": "Jump servers", "parts": [ { - "id": "control-1526-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "System owners monitor security risks and the effectiveness of security controls for each system." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ + }, { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", + "id": "system_patching", + "title": "System patching", "controls": [ { - "id": "control-1452", - "title": "Cyber supply chain risk management", + "id": "control-1143", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "A review of suppliers and service providers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-1567", - "title": "Cyber supply chain risk management", + "id": "control-1493", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1567-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "High risk suppliers and service providers are not used." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." } ] }, { - "id": "control-1568", - "title": "Cyber supply chain risk management", + "id": "control-1144", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1568-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "Outsourced information technology and cloud services are chosen from service providers that have made a commitment to secure practices and have a strong track record of maintaining the security of their systems and services." 
+ "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1569", - "title": "Cyber supply chain risk management", + "id": "control-0940", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1569-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "A shared responsibility model is created between service providers and organisations in order to articulate the security responsibilities of each party." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0100", - "title": "Outsourced gateway services", + "id": "control-1472", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0100-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." + "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-1570", - "title": "Outsourced cloud services", + "id": "control-1494", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1570-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1529", - "title": "Outsourced cloud services", + "id": "control-1495", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "Only community or private clouds are used for outsourced cloud services." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1395", - "title": "Contractual security requirements", + "id": "control-1496", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1395-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." + "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-0072", - "title": "Contractual security requirements", + "id": "control-0300", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0072-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] }, { - "id": "control-1571", - "title": "Contractual security requirements", + "id": "control-0298", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1571-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-1451", - "title": "Contractual security requirements", + "id": "control-0303", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "Types of information and its ownership is documented in contractual arrangements." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1572", - "title": "Contractual security requirements", + "id": "control-1497", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1572-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1573", - "title": "Contractual security requirements", + "id": "control-1498", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1573-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." } ] }, { - "id": "control-1574", - "title": "Contractual security requirements", + "id": "control-1499", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1574-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1575", - "title": "Contractual security requirements", + "id": "control-1500", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1575-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1073", - "title": "Access to systems and information by service providers", + "id": "control-0304", + "title": "Cessation of support", "parts": [ { - "id": "control-1073-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] }, { - "id": "control-1576", - "title": "Access to systems and information by service providers", + "id": "control-1501", + "title": "Cessation of support", "parts": [ { - "id": "control-1576-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } 
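Review bot: this hunk is almost entirely a reordering of groups rather than a content change (the `guidelines_for_ict_equipment_management`, `guidelines_for_cyber_security_roles` and `guidelines_for_outsourcing` groups are removed at this position while `telephone_systems`, `fax_machines_and_multifunction_devices` and `guidelines_for_system_management` are inserted in their place), so any real edits to individual control statements cannot be reviewed line by line; if the generator does not already emit groups in the source document's order, a deterministic group order would make regeneration diffs show only content changes. Two of the added prose strings also read oddly as written: control-1513 `"Backups are stored at a multiple geographically-dispersed locations."` and control-0558 `"... their ability to access data networks, voicemail and directory services are prevented."`; since this catalog is generated from the ISM, check them against the source rather than hand-editing the JSON, and if they are upstream wording, leave them and say so in the commit message.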
diff --git a/ISM_catalog_profile/catalogs/ISM_June_2020/catalog.json b/ISM_catalog_profile/catalogs/ISM_June_2020/catalog.json index cdd5eeb..a38d3c2 100644 --- a/ISM_catalog_profile/catalogs/ISM_June_2020/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_June_2020/catalog.json 
@@ -1,748 +1,731 @@ { "catalog": { - "uuid": "9e7374b6-7c90-4a32-a8f8-7e1f86e14991", + "uuid": "2d310958-4313-4b1e-a3ee-0801fa21fddd", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:21:05.533+00:00", + "last-modified": "2022-04-28T11:45:03.971954+10:00", "version": "June_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration process and procedures", + "id": "control-0580", + "title": "Event logging policy", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "Separate administrator workstations", + "id": "control-1405", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1382", - "title": "Separate administrator workstations", + "id": "control-0988", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1381", - "title": "Separate administrator workstations", + "id": "control-0584", + "title": "Events to be logged", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1383", - "title": "Separate administrator workstations", + "id": "control-0582", + "title": "Events to be logged", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to external media\n• user or group management\n• use of special privileges." 
} ] }, { - "id": "control-1384", - "title": "Multi-factor authentication", + "id": "control-1536", + "title": "Events to be logged", "parts": [ { - "id": "control-1384-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate users each time they perform privileged actions." + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." } ] }, { - "id": "control-1385", - "title": "Dedicated administration zones and communication restrictions", + "id": "control-1537", + "title": "Events to be logged", "parts": [ { - "id": "control-1385-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." } ] }, { - "id": "control-1386", - "title": "Restriction of management traffic flows", + "id": "control-0585", + "title": "Events log details", "parts": [ { - "id": "control-1386-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-1387", - "title": "Jump servers", + "id": "control-0586", + "title": "Event log protection", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] }, { - "id": "control-1388", - "title": "Jump servers", + "id": "control-0859", + "title": "Event log retention", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management process and procedures", + "id": "control-0991", + "title": "Event log retention", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "Patch management process and procedures", + "id": "control-0109", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1493", - "title": "Patch management process and procedures", + "id": "control-1228", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1493-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media_management", + "title": "Guidelines for Media Management", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-1144", - "title": "When to patch security vulnerabilities", + "id": "control-0363", + "title": "Media destruction process and procedures", "parts": [ { - "id": "control-1144-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-0940", - "title": "When to patch security vulnerabilities", + "id": "control-0350", + "title": "Media that cannot be sanitised", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." 
} ] }, { - "id": "control-1472", - "title": "When to patch security vulnerabilities", + "id": "control-1361", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1472-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "SCEC or ASIO approved equipment is used when destroying media." } ] }, { - "id": "control-1494", - "title": "When to patch security vulnerabilities", + "id": "control-1160", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1494-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency or certified by the United Kingdom’s National Cyber Security Centre are used." } ] }, { - "id": "control-1495", - "title": "When to patch security vulnerabilities", + "id": "control-1517", + "title": "Media destruction methods", "parts": [ { - "id": "control-1495-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
+ "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." } ] }, { - "id": "control-1496", - "title": "When to patch security vulnerabilities", + "id": "control-0366", + "title": "Media destruction methods", "parts": [ { - "id": "control-1496-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." } ] }, { - "id": "control-0300", - "title": "When to patch security vulnerabilities", + "id": "control-0368", + "title": "Treatment of media waste particles", "parts": [ { - "id": "control-0300-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." } ] }, { - "id": "control-0298", - "title": "How to patch security vulnerabilities", + "id": "control-0361", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." 
} ] }, { - "id": "control-0303", - "title": "How to patch security vulnerabilities", + "id": "control-0838", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-0303-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." } ] }, { - "id": "control-1497", - "title": "How to patch security vulnerabilities", + "id": "control-0362", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1497-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." } ] }, { - "id": "control-1498", - "title": "How to patch security vulnerabilities", + "id": "control-0370", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1498-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." 
} ] }, { - "id": "control-1499", - "title": "How to patch security vulnerabilities", + "id": "control-0371", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." } ] }, { - "id": "control-1500", - "title": "How to patch security vulnerabilities", + "id": "control-0372", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1500-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-0304", - "title": "Cessation of support", + "id": "control-0373", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-0304-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." 
} ] }, { - "id": "control-1501", - "title": "Cessation of support", + "id": "control-0840", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1501-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." } ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ + }, { - "id": "control-1510", - "title": "Digital preservation policy", + "id": "control-0839", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1510-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." } ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-1547", - "title": "Data backup and restoration processes and procedures", + "id": "control-0374", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1547-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." 
} ] }, { - "id": "control-1548", - "title": "Data backup and restoration processes and procedures", + "id": "control-0375", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1548-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1511", - "title": "Performing backups", + "id": "control-0378", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1511-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." } ] - }, + } + ] + }, + { + "id": "media_usage", + "title": "Media usage", + "controls": [ { - "id": "control-1512", - "title": "Backup storage", + "id": "control-1549", + "title": "Media management policy", "parts": [ { - "id": "control-1512-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-1513", - "title": "Backup storage", + "id": "control-1359", + "title": "Removable media usage policy", "parts": [ { - "id": "control-1513-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." + "prose": "A removable media usage policy is developed and implemented." 
} ] }, { - "id": "control-1514", - "title": "Retention periods for backups", + "id": "control-0323", + "title": "Classifying media storing information", "parts": [ { - "id": "control-1514-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." } ] }, { - "id": "control-1515", - "title": "Testing restoration of backups", + "id": "control-0325", + "title": "Classifying media connected to systems", "parts": [ { - "id": "control-1515-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-1516", - "title": "Testing restoration of backups", + "id": "control-0331", + "title": "Reclassifying media", "parts": [ { - "id": "control-1516-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email_management", - "title": "Guidelines for Email Management", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage policy", + "id": "control-0330", + "title": "Reclassifying media", "parts": [ { - "id": "control-0264-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." } ] }, { - "id": "control-0267", - "title": "Webmail services", + "id": "control-0332", + "title": "Labelling media", "parts": [ { - "id": "control-0267-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-0270", - "title": "Protective markings for emails", + "id": "control-0337", + "title": "Connecting media to systems", "parts": [ { - "id": "control-0270-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." 
} ] }, { - "id": "control-0271", - "title": "Protective marking tools", + "id": "control-0341", + "title": "Connecting media to systems", "parts": [ { - "id": "control-0271-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." } ] }, { - "id": "control-0272", - "title": "Protective marking tools", + "id": "control-0342", + "title": "Connecting media to systems", "parts": [ { - "id": "control-0272-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-1089", - "title": "Protective marking tools", + "id": "control-0343", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1089-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-0565", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-0345", + "title": "External interface connections that allow Direct Memory Access", "parts": [ { - "id": "control-0565-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." 
+ "prose": "External interface connections that allow DMA are disabled." } ] }, { - "id": "control-1023", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-0831", + "title": "Handling media", "parts": [ { - "id": "control-1023-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." } ] }, { - "id": "control-0269", - "title": "Email distribution lists", + "id": "control-1059", + "title": "Handling media", "parts": [ { - "id": "control-0269-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "Emails containing AUSTEO or AGAO information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1539", - "title": "Email distribution lists", + "id": "control-0347", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1539-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." 
} ] } ] }, { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", + "id": "media_sanitisation", + "title": "Media sanitisation", "controls": [ { - "id": "control-0569", - "title": "Centralised email gateways", + "id": "control-0348", + "title": "Media sanitisation process and procedures", "parts": [ { - "id": "control-0569-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0571", - "title": "Centralised email gateways", + "id": "control-0351", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-0571-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0570", - "title": "Email gateway maintenance activities", + "id": "control-0352", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-0570-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." 
} ] }, { - "id": "control-0567", - "title": "Open relay email servers", + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", "parts": [ { - "id": "control-0567-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-0572", - "title": "Email server transport encryption", + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-0572-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." + "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-0574", - "title": "Sender Policy Framework", + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-0574-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." + "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1183", - "title": "Sender Policy Framework", + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1183-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." } ] }, { - "id": "control-1151", - "title": "Sender Policy Framework", - "parts": [ - { - "id": "control-1151-stmt", - "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." - } - ] - }, - { - "id": "control-1152", - "title": "Sender Policy Framework", + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", "parts": [ { - "id": "control-1152-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-0861", - "title": "DomainKeys Identified Mail", + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-0861-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1026", - "title": "DomainKeys Identified Mail", + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1026-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." + "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1027", - "title": "DomainKeys Identified Mail", + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", "parts": [ { - "id": "control-1027-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-1540", - "title": "Domain-based Message Authentication, Reporting and Conformance", + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", "parts": [ { - "id": "control-1540-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1234", - "title": "Email content filtering", + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", "parts": [ { - "id": "control-1234-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." } ] }, { - "id": "control-1502", - "title": "Blocking suspicious emails", + "id": "control-0947", + "title": "Sanitising media prior to reuse", "parts": [ { - "id": "control-1502-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "All media is sanitised prior to reuse." } ] }, { - "id": "control-1024", - "title": "Undeliverable messages", + "id": "control-1464", + "title": "Encrypted media", "parts": [ { - "id": "control-1024-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." + "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." } ] } 
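Review bot: control-1151 ("SPF is used to verify the authenticity of incoming emails") is deleted in this hunk with no `+` counterpart, whereas every other removed email-gateway control in the region is paired with a relocated media-sanitisation control, consistent with a pure reordering of groups. Please confirm that control-1151 is re-added elsewhere in the file, or state in the commit message that it is intentionally dropped for this ISM release; the message "demos work with trestle 1.0.x" describes a tooling update and does not explain a change to the set of controls. If the control is genuinely removed, the matching profile.json files that import it by id also need checking so no profile references a control that no longer exists.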
@@ -751,3520 +734,3652 @@ ] }, { - "id": "guidelines_for_media_management", - "title": "Guidelines for Media Management", + "id": "guidelines_for_ict_equipment_management", + "title": "Guidelines for ICT Equipment Management", "groups": [ { - "id": "media_destruction", - "title": "Media destruction", + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", "controls": [ { - "id": "control-0363", - "title": "Media destruction process and procedures", + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0363-stmt", + "id": "control-0313-stmt", "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0350", - "title": "Media that cannot be sanitised", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0350-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-1361", - "title": "Media destruction equipment", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1361-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." 
+ "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." } ] }, { - "id": "control-1160", - "title": "Media destruction equipment", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1160-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency or certified by the United Kingdom’s National Cyber Security Centre are used." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." } ] }, { - "id": "control-1517", - "title": "Media destruction methods", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1517-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." 
} ] }, { - "id": "control-0366", - "title": "Media destruction methods", + "id": "control-0315", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-0368", - "title": "Treatment of media waste particles", + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-0368-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." } ] }, { - "id": "control-0361", - "title": "Degaussing magnetic media", + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-0361-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." 
} ] }, { - "id": "control-0838", - "title": "Degaussing magnetic media", + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0838-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." } ] }, { - "id": "control-0362", - "title": "Degaussing magnetic media", + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0362-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." } ] }, { - "id": "control-0370", - "title": "Supervision of destruction", + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0370-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." 
} ] }, { - "id": "control-0371", - "title": "Supervision of destruction", + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0371-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-0372", - "title": "Supervision of accountable material destruction", + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." + "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." } ] }, { - "id": "control-0373", - "title": "Supervision of accountable material destruction", + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0373-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." 
} ] }, { - "id": "control-0840", - "title": "Outsourcing media destruction", + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-0839", - "title": "Outsourcing media destruction", + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0839-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." } ] - } - ] - }, - { - "id": "media_usage", - "title": "Media usage", - "controls": [ + }, { - "id": "control-1549", - "title": "Media management policy", + "id": "control-1223", + "title": "Sanitising network devices", "parts": [ { - "id": "control-1549-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." 
} ] }, { - "id": "control-1359", - "title": "Removable media usage policy", + "id": "control-1225", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1359-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-0323", - "title": "Classifying media storing information", + "id": "control-1226", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-0323-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-0325", - "title": "Classifying media connected to systems", + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", "parts": [ { - "id": "control-0325-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." 
} ] }, { - "id": "control-0331", - "title": "Reclassifying media", + "id": "control-0305", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0331-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." } ] }, { - "id": "control-0330", - "title": "Reclassifying media", + "id": "control-0307", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0330-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-0332", - "title": "Labelling media", + "id": "control-0306", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0332-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
+ "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." } ] }, { - "id": "control-0337", - "title": "Connecting media to systems", + "id": "control-0310", + "title": "Off-site maintenance and repairs", "parts": [ { - "id": "control-0337-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] }, { - "id": "control-0341", - "title": "Connecting media to systems", + "id": "control-0944", + "title": "Maintenance and repair of ICT equipment from secured spaces", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." + "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ { - "id": "control-0342", - "title": "Connecting media to systems", + "id": "control-1551", + "title": "ICT equipment management policy", "parts": [ { - "id": "control-0342-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-0343", - "title": "Connecting media to systems", + "id": "control-0293", + "title": "Classifying ICT equipment", "parts": [ { - "id": "control-0343-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." } ] }, { - "id": "control-0345", - "title": "External interface connections that allow Direct Memory Access", + "id": "control-0294", + "title": "Labelling ICT equipment", "parts": [ { - "id": "control-0345-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "External interface connections that allow DMA are disabled." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-0831", - "title": "Handling media", + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
+ "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateway_management", + "title": "Guidelines for Gateway Management", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-1059", - "title": "Handling media", + "id": "control-1528", + "title": "Using firewalls", "parts": [ { - "id": "control-1059-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0347", - "title": "Using media for data transfers", + "id": "control-0639", + "title": "Using firewalls", "parts": [ { - "id": "control-0347-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] - } - ] - }, - { - "id": "media_disposal", - "title": "Media disposal", - "controls": [ + }, { - "id": "control-0374", - "title": "Media disposal process and procedures", + "id": "control-1194", + "title": "Using firewalls", "parts": [ { - "id": "control-0374-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." + "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." 
} ] }, { - "id": "control-0375", - "title": "Media disposal process and procedures", + "id": "control-0641", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." } ] }, { - "id": "control-0378", - "title": "Media disposal process and procedures", + "id": "control-0642", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-0378-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." } ] } ] }, { - "id": "media_sanitisation", - "title": "Media sanitisation", + "id": "diodes", + "title": "Diodes", "controls": [ { - "id": "control-0348", - "title": "Media sanitisation process and procedures", + "id": "control-0643", + "title": "Using diodes", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." 
} ] }, { - "id": "control-0351", - "title": "Volatile media sanitisation", + "id": "control-0645", + "title": "Using diodes", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." } ] }, { - "id": "control-0352", - "title": "Volatile media sanitisation", + "id": "control-1157", + "title": "Using diodes", "parts": [ { - "id": "control-0352-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." } ] }, { - "id": "control-0835", - "title": "Treatment of volatile media following sanitisation", + "id": "control-1158", + "title": "Using diodes", "parts": [ { - "id": "control-0835-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." 
} ] }, { - "id": "control-1065", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0646", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-1065-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-0354", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0647", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0354-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-1067", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0648", + "title": "Volume checking", "parts": [ { - "id": "control-1067-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." 
} ] - }, + } + ] + }, + { + "id": "content_filtering", + "title": "Content filtering", + "controls": [ { - "id": "control-0356", - "title": "Treatment of non-volatile magnetic media following sanitisation", + "id": "control-0659", + "title": "Content filtering", "parts": [ { - "id": "control-0356-stmt", + "id": "control-0659-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." } ] }, { - "id": "control-0357", - "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-0357-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." } ] }, { - "id": "control-0836", - "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "id": "control-0651", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0836-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." 
} ] }, { - "id": "control-0358", - "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "id": "control-0652", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0358-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." } ] }, { - "id": "control-0359", - "title": "Non-volatile flash memory media sanitisation", + "id": "control-1389", + "title": "Automated dynamic analysis", "parts": [ { - "id": "control-0359-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] }, { - "id": "control-0360", - "title": "Treatment of non-volatile flash memory media following sanitisation", - "parts": [ + "id": "control-1284", + "title": "Content validation", + "parts": [ { - "id": "control-0360-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." 
} ] }, { - "id": "control-0947", - "title": "Sanitising media prior to reuse", + "id": "control-1286", + "title": "Content conversion and transformation", "parts": [ { - "id": "control-0947-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "All media is sanitised prior to reuse." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." } ] }, { - "id": "control-1464", - "title": "Encrypted media", + "id": "control-1287", + "title": "Content sanitisation", "parts": [ { - "id": "control-1464-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_using_cryptography", - "title": "Guidelines for Using Cryptography", - "groups": [ - { - "id": "transport_layer_security", - "title": "Transport Layer Security", - "controls": [ + }, { - "id": "control-1139", - "title": "Using Transport Layer Security", + "id": "control-1288", + "title": "Antivirus scanning", "parts": [ { - "id": "control-1139-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "Only the latest version of TLS is used." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] }, { - "id": "control-1369", - "title": "Using Transport Layer Security", + "id": "control-1289", + "title": "Archive and container files", "parts": [ { - "id": "control-1369-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." 
} ] }, { - "id": "control-1370", - "title": "Using Transport Layer Security", + "id": "control-1290", + "title": "Archive and container files", "parts": [ { - "id": "control-1370-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-1372", - "title": "Using Transport Layer Security", + "id": "control-1291", + "title": "Archive and container files", "parts": [ { - "id": "control-1372-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." } ] }, { - "id": "control-1448", - "title": "Using Transport Layer Security", + "id": "control-0649", + "title": "Allowing access to specific content types", "parts": [ { - "id": "control-1448-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-1373", - "title": "Using Transport Layer Security", + "id": "control-1292", + "title": "Data integrity", "parts": [ { - "id": "control-1373-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "Anonymous DH is not used." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." } ] }, { - "id": "control-1374", - "title": "Using Transport Layer Security", + "id": "control-0677", + "title": "Data integrity", "parts": [ { - "id": "control-1374-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "If data is signed, the signature is validated before the data is exported." 
} ] }, { - "id": "control-1375", - "title": "Using Transport Layer Security", + "id": "control-1293", + "title": "Encrypted data", "parts": [ { - "id": "control-1375-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] - }, + } + ] + }, + { + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", + "controls": [ { - "id": "control-1553", - "title": "Using Transport Layer Security", + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", "parts": [ { - "id": "control-1553-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "TLS compression is disabled." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-1453", - "title": "Perfect Forward Secrecy", + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-1453-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", - "controls": [ + }, { - "id": "control-0471", - "title": "Using ASD Approved Cryptographic Algorithms", + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0471-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "Only AACAs are used by cryptographic equipment and software." 
+ "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0994", - "title": "Approved asymmetric/public key algorithms", + "id": "control-0635", + "title": "Separation of data flows", "parts": [ { - "id": "control-0994-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-0472", - "title": "Using Diffie-Hellman", + "id": "control-1521", + "title": "Separation of data flows", "parts": [ { - "id": "control-0472-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." } ] }, { - "id": "control-0473", - "title": "Using the Digital Signature Algorithm", + "id": "control-1522", + "title": "Separation of data flows", "parts": [ { - "id": "control-0473-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." 
} ] }, { - "id": "control-1446", - "title": "Using Elliptic Curve Cryptography", + "id": "control-0670", + "title": "Event logging", "parts": [ { - "id": "control-1446-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." } ] }, { - "id": "control-0474", - "title": "Using Elliptic Curve Diffie-Hellman", + "id": "control-1523", + "title": "Event logging", "parts": [ { - "id": "control-0474-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." } ] }, { - "id": "control-0475", - "title": "Using the Elliptic Curve Digital Signature Algorithm", + "id": "control-0610", + "title": "User training", "parts": [ { - "id": "control-0475-stmt", + "id": "control-0610-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." } ] - }, + } + ] + }, + { + "id": "web_proxies", + "title": "Web proxies", + "controls": [ { - "id": "control-0476", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0258", + "title": "Web usage policy", "parts": [ { - "id": "control-0476-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." 
+ "prose": "A web usage policy is developed and implemented." } ] }, { - "id": "control-0477", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0260", + "title": "Using web proxies", "parts": [ { - "id": "control-0477-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-1054", - "title": "Approved hashing algorithms", + "id": "control-0261", + "title": "Web proxy authentication and logging", "parts": [ { - "id": "control-1054-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." } ] - }, + } + ] + }, + { + "id": "web_content_filters", + "title": "Web content filters", + "controls": [ { - "id": "control-0479", - "title": "Approved symmetric encryption algorithms", + "id": "control-0963", + "title": "Using web content filters", "parts": [ { - "id": "control-0479-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + "prose": "A web content filter is used to filter potentially harmful web-based content." 
} ] }, { - "id": "control-0480", - "title": "Using the Triple Data Encryption Standard", + "id": "control-0961", + "title": "Using web content filters", "parts": [ { - "id": "control-0480-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." } ] }, { - "id": "control-1232", - "title": "Protecting highly classified information", + "id": "control-1237", + "title": "Using web content filters", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] }, { - "id": "control-1468", - "title": "Protecting highly classified information", - "parts": [ - { - "id": "control-1468-stmt", - "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." - } - ] - } - ] - }, - { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", - "controls": [ - { - "id": "control-0501", - "title": "Commercial grade cryptographic equipment", + "id": "control-0263", + "title": "Transport Layer Security filtering", "parts": [ { - "id": "control-0501-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." 
} ] }, { - "id": "control-0142", - "title": "Commercial grade cryptographic equipment", + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", "parts": [ { - "id": "control-0142-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] }, { - "id": "control-1091", - "title": "Commercial grade cryptographic equipment", + "id": "control-0958", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-1091-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-0499", - "title": "High Assurance Cryptographic Equipment", + "id": "control-1170", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0499-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." 
} ] }, { - "id": "control-0505", - "title": "Storing cryptographic equipment", + "id": "control-0959", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0505-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." } ] }, { - "id": "control-0506", - "title": "Storing cryptographic equipment", + "id": "control-0960", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0506-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." } ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Configuring Secure Shell", + "id": "control-1171", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1506-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0484", - "title": "Configuring Secure Shell", + "id": "control-1236", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0484-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." 
+ "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." } ] - }, + } + ] + }, + { + "id": "peripheral_switches", + "title": "Peripheral switches", + "controls": [ { - "id": "control-0485", - "title": "Authentication mechanisms", + "id": "control-0591", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0485-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-1449", - "title": "Authentication mechanisms", + "id": "control-1480", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1449-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." + "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-0487", - "title": "Automated remote access", + "id": "control-1457", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0487-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." 
} ] }, { - "id": "control-0488", - "title": "Automated remote access", + "id": "control-0593", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0488-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-0489", - "title": "SSH-agent", + "id": "control-0594", + "title": "Peripheral switches for particularly important systems", "parts": [ { - "id": "control-0489-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." } ] } ] }, { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", + "id": "gateways", + "title": "Gateways", "controls": [ { - "id": "control-0481", - "title": "Using ASD Approved Cryptographic Protocols", + "id": "control-0628", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0481-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "Only AACPs are used by cryptographic equipment and software." + "prose": "All systems are protected from systems in other security domains by one or more gateways." 
} ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Using Secure/Multipurpose Internet Mail Extension", + "id": "control-1192", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0490-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] - } - ] - }, - { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", - "controls": [ + }, { - "id": "control-1161", - "title": "Reducing physical storage and handling requirements", + "id": "control-0631", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-1161-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." 
} ] }, { - "id": "control-0457", - "title": "Reducing physical storage and handling requirements", + "id": "control-1427", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0457-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." } ] }, { - "id": "control-0460", - "title": "Reducing physical storage and handling requirements", + "id": "control-0634", + "title": "Gateway operation", "parts": [ { - "id": "control-0460-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." + "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." } ] }, { - "id": "control-0459", - "title": "Encrypting information at rest", + "id": "control-0637", + "title": "Demilitarised zones", "parts": [ { - "id": "control-0459-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." 
+ "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-0461", - "title": "Encrypting information at rest", + "id": "control-1037", + "title": "Gateway testing", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-1080", - "title": "Encrypting particularly important information at rest", + "id": "control-0611", + "title": "Gateway administration", "parts": [ { - "id": "control-1080-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." } ] }, { - "id": "control-0455", - "title": "Data recovery", + "id": "control-0612", + "title": "Gateway administration", "parts": [ { - "id": "control-0455-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "System administrators are formally trained to manage gateways." 
} ] }, { - "id": "control-0462", - "title": "Handling encrypted ICT equipment and media", + "id": "control-1520", + "title": "Gateway administration", "parts": [ { - "id": "control-0462-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." } ] }, { - "id": "control-1162", - "title": "Encrypting information in transit", + "id": "control-0613", + "title": "Gateway administration", "parts": [ { - "id": "control-1162-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." } ] }, { - "id": "control-0465", - "title": "Encrypting information in transit", + "id": "control-0616", + "title": "Gateway administration", "parts": [ { - "id": "control-0465-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "Roles for the administration of gateways are separated." 
} ] }, { - "id": "control-0467", - "title": "Encrypting information in transit", + "id": "control-0629", + "title": "Gateway administration", "parts": [ { - "id": "control-0467-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-0469", - "title": "Encrypting particularly important information in transit", + "id": "control-0607", + "title": "Shared ownership of gateways", "parts": [ { - "id": "control-0469-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." + } + ] + }, + { + "id": "control-0619", + "title": "Gateway authentication", + "parts": [ + { + "id": "control-0619-stmt", + "name": "statement", + "prose": "Users and services accessing networks through gateways are authenticated." + } + ] + }, + { + "id": "control-0620", + "title": "Gateway authentication", + "parts": [ + { + "id": "control-0620-stmt", + "name": "statement", + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + } + ] + }, + { + "id": "control-1039", + "title": "Gateway authentication", + "parts": [ + { + "id": "control-1039-stmt", + "name": "statement", + "prose": "Multi-factor authentication is used for access to gateways." 
+ } + ] + }, + { + "id": "control-0622", + "title": "ICT equipment authentication", + "parts": [ + { + "id": "control-0622-stmt", + "name": "statement", + "prose": "ICT equipment accessing networks through gateways is authenticated." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", "controls": [ { - "id": "control-0494", - "title": "Mode of operation", + "id": "control-0336", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0494-stmt", + "id": "control-0336-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "An ICT equipment and media register is maintained and regularly audited." } ] }, { - "id": "control-0496", - "title": "Protocol selection", + "id": "control-0159", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0496-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "All ICT equipment and media are accounted for on a regular basis." } ] }, { - "id": "control-1233", - "title": "Key exchange", + "id": "control-0161", + "title": "Securing ICT equipment and media", "parts": [ { - "id": "control-1233-stmt", + "id": "control-0161-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." + "prose": "ICT equipment and media are secured when not in use." 
+ } + ] + } + ] + }, + { + "id": "facilities_and_systems", + "title": "Facilities and systems", + "controls": [ + { + "id": "control-0810", + "title": "Facilities containing systems", + "parts": [ + { + "id": "control-0810-stmt", + "name": "statement", + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." } ] }, { - "id": "control-0497", - "title": "Internet Security Association Key Management Protocol modes", + "id": "control-1053", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0497-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." } ] }, { - "id": "control-0498", - "title": "Security association lifetimes", + "id": "control-1530", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0498-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." } ] }, { - "id": "control-0998", - "title": "Hashed Message Authentication Code algorithms", + "id": "control-0813", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0998-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." 
+ "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0999", - "title": "Diffie-Hellman groups", + "id": "control-1074", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0999-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." } ] }, { - "id": "control-1000", - "title": "Perfect Forward Secrecy", + "id": "control-0157", + "title": "Network infrastructure", "parts": [ { - "id": "control-1000-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." } ] }, { - "id": "control-1001", - "title": "Internet Key Exchange Extended Authentication", + "id": "control-1296", + "title": "Controlling physical access to network devices", "parts": [ { - "id": "control-1001-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + } + ] + }, + { + "id": "control-0164", + "title": "Preventing observation by unauthorised people", + "parts": [ + { + "id": "control-0164-stmt", + "name": "statement", + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", - "groups": [ + }, { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", "controls": [ { - "id": "control-0280", - "title": "Evaluated product selection", + "id": "control-1543", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0280-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." } ] }, { - "id": "control-0285", - "title": "Delivery of evaluated products", + "id": "control-0225", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0285-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-0286", - "title": "Delivery of evaluated products", + "id": "control-0829", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0286-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." 
+ } + ] + }, + { + "id": "control-1058", + "title": "Bluetooth and wireless keyboards", + "parts": [ + { + "id": "control-1058-stmt", + "name": "statement", + "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + } + ] + }, + { + "id": "control-0222", + "title": "Infrared keyboards", + "parts": [ + { + "id": "control-0222-stmt", + "name": "statement", + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + } + ] + }, + { + "id": "control-0223", + "title": "Infrared keyboards", + "parts": [ + { + "id": "control-0223-stmt", + "name": "statement", + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." + } + ] + }, + { + "id": "control-0224", + "title": "Infrared keyboards", + "parts": [ + { + "id": "control-0224-stmt", + "name": "statement", + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + } + ] + }, + { + "id": "control-0221", + "title": "Wireless RF pointing devices", + "parts": [ + { + "id": "control-0221-stmt", + "name": "statement", + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", + "id": "mobile_device_management", + "title": "Mobile device management", "controls": [ { - "id": "control-0289", - "title": "Installation and configuration of evaluated products", + "id": "control-1533", + "title": "Mobile device management policy", + "parts": [ + { + "id": "control-1533-stmt", + "name": "statement", + "prose": "A mobile device management policy is developed and implemented." + } + ] + }, + { + "id": "control-1195", + "title": "Mobile device management policy", + "parts": [ + { + "id": "control-1195-stmt", + "name": "statement", + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." + } + ] + }, + { + "id": "control-0687", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0289-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-0290", - "title": "Installation and configuration of evaluated products", + "id": "control-1400", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-0290-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." 
+ "prose": "Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." } ] }, { - "id": "control-0292", - "title": "Use of high assurance ICT equipment in unevaluated configurations", + "id": "control-0694", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-0292-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." + "prose": "Privately-owned mobile devices do not access highly classified systems." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", - "groups": [ - { - "id": "web_application_development", - "title": "Web application development", - "controls": [ + }, { - "id": "control-1239", - "title": "Web application frameworks", + "id": "control-1297", + "title": "Seeking legal advice for privately-owned mobile devices", "parts": [ { - "id": "control-1239-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "Prior to allowing privately-owned mobile devices to connect to an organisation’s systems, legal advice is sought." } ] }, { - "id": "control-1552", - "title": "Web application interactions", + "id": "control-1482", + "title": "Organisation-owned mobile devices", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." 
+ "prose": "Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] }, { - "id": "control-1240", - "title": "Web application input handling", + "id": "control-0869", + "title": "Mobile device storage encryption", "parts": [ { - "id": "control-1240-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1241", - "title": "Web application output encoding", + "id": "control-1085", + "title": "Mobile device communications encryption", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-1424", - "title": "Web browser-based security controls", + "id": "control-1202", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-1424-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." 
} ] }, { - "id": "control-0971", - "title": "Open Web Application Security Project", + "id": "control-0682", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0971-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." } ] - } - ] - }, - { - "id": "application_development", - "title": "Application development", - "controls": [ + }, { - "id": "control-0400", - "title": "Development environments", + "id": "control-1196", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-0400-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "Software development, testing and production environments are segregated." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-1419", - "title": "Development environments", + "id": "control-1200", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-1420", - "title": "Development environments", + "id": "control-1198", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1420-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." 
+ "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." } ] }, { - "id": "control-1422", - "title": "Development environments", + "id": "control-1199", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1422-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." } ] }, { - "id": "control-1238", - "title": "Secure software design", + "id": "control-0863", + "title": "Configuration control", "parts": [ { - "id": "control-1238-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-0401", - "title": "Secure programming practices", + "id": "control-0864", + "title": "Configuration control", "parts": [ { - "id": "control-0401-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." 
} ] }, { - "id": "control-0402", - "title": "Software testing", + "id": "control-1365", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-0402-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ + }, { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "id": "control-1366", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." } ] }, { - "id": "control-0546", - "title": "Video and voice-aware firewalls", + "id": "control-0874", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0546-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." 
} ] }, { - "id": "control-0547", - "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "id": "control-0705", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0547-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." } ] - }, + } + ] + }, + { + "id": "mobile_device_usage", + "title": "Mobile device usage", + "controls": [ { - "id": "control-0548", - "title": "Establishment of secure signalling and data protocols", + "id": "control-1082", + "title": "Mobile device usage policy", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "A mobile device usage policy is developed and implemented." } ] }, { - "id": "control-0554", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1083", + "title": "Personnel awareness", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0553", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-0240", + "title": "Paging and message services", "parts": [ { - "id": "control-0553-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." 
+ "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." } ] }, { - "id": "control-0555", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-0866", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0555-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." + "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." } ] }, { - "id": "control-0551", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1145", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-1014", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-0871", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-1014-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." 
+ "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-0549", - "title": "Traffic separation", + "id": "control-0870", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0549-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-0556", - "title": "Traffic separation", + "id": "control-1084", + "title": "Carrying mobile devices", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." } ] }, { - "id": "control-1015", - "title": "Internet Protocol phones in public areas", + "id": "control-0701", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-1015-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." 
} ] }, { - "id": "control-0558", - "title": "Internet Protocol phones in public areas", + "id": "control-0702", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0558-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." } ] }, { - "id": "control-0559", - "title": "Microphones and webcams", + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." } ] }, { - "id": "control-1450", - "title": "Microphones and webcams", + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1450-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." 
} ] }, { - "id": "control-1019", - "title": "Developing a denial of service response plan", + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1019-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." } ] - } - ] - }, - { - "id": "telephone_systems", - "title": "Telephone systems", - "controls": [ + }, { - "id": "control-1078", - "title": "Telephone systems usage policy", + "id": "control-1299", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-1078-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." 
+ "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." } ] }, { - "id": "control-0229", - "title": "Personnel awareness", + "id": "control-1088", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0229-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." 
+ "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." } ] }, { - "id": "control-0230", - "title": "Personnel awareness", + "id": "control-1300", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0230-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-0231", - "title": "Visual indication", + "id": "control-1556", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ + { + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", + "controls": [ { - "id": "control-0232", - "title": "Protecting conversations", + "id": "control-0280", + "title": "Evaluated product selection", "parts": [ { - "id": "control-0232-stmt", + "id": "control-0280-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." } ] }, { - "id": "control-0233", - "title": "Cordless telephone systems", + "id": "control-0285", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-0233-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." } ] }, { - "id": "control-0235", - "title": "Speakerphones", + "id": "control-0286", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-0235-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." 
} ] - }, + } + ] + }, + { + "id": "evaluated_product_usage", + "title": "Evaluated product usage", + "controls": [ { - "id": "control-0236", - "title": "Off-hook audio protection", + "id": "control-0289", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0236-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." } ] }, { - "id": "control-0931", - "title": "Off-hook audio protection", + "id": "control-0290", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0931-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." } ] }, { - "id": "control-0237", - "title": "Off-hook audio protection", + "id": "control-0292", + "title": "Use of high assurance ICT equipment in unevaluated configurations", "parts": [ { - "id": "control-0237-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "High assurance ICT equipment is only operated in an evaluated configuration." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", + "id": "emanation_security", + "title": "Emanation security", "controls": [ { - "id": "control-0588", - "title": "Fax machine and multifunction device usage policy", - "parts": [ - { - "id": "control-0588-stmt", - "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." - } - ] - }, - { - "id": "control-1092", - "title": "Sending fax messages", + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1092-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0241", - "title": "Sending fax messages", + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0241-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1075", - "title": "Receiving fax messages", + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1075-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0590", - "title": "Connecting multifunction devices to networks", + "id": "control-0932", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0590-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." } ] }, { - "id": "control-0245", - "title": "Connecting multifunction devices to both networks and digital telephone systems", + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0245-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." 
+ "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0589", - "title": "Copying documents on multifunction devices", + "id": "control-0246", + "title": "Early identification of emanation security issues", "parts": [ { - "id": "control-0589-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." } ] }, { - "id": "control-1036", - "title": "Observing fax machine and multifunction device use", + "id": "control-0250", + "title": "Industry and government standards", "parts": [ { - "id": "control-1036-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." } ] } ] - } - ] - }, - { - "id": "guidelines_for_gateway_management", - "title": "Guidelines for Gateway Management", - "groups": [ + }, { - "id": "firewalls", - "title": "Firewalls", + "id": "cable_management", + "title": "Cable management", "controls": [ { - "id": "control-1528", - "title": "Using firewalls", + "id": "control-0181", + "title": "Cable standards", "parts": [ { - "id": "control-1528-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." 
+ "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." } ] }, { - "id": "control-0639", - "title": "Using firewalls", + "id": "control-0926", + "title": "Cable colours", "parts": [ { - "id": "control-0639-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." + "prose": "The cable colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1194", - "title": "Using firewalls", + "id": "control-0825", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0825-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." } ] }, { - "id": "control-0641", - "title": "Firewalls for particularly important networks", + "id": "control-0826", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0826-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." 
} ] }, { - "id": "control-0642", - "title": "Firewalls for particularly important networks", + "id": "control-1215", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-0642-stmt", + "id": "control-1215-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." + "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." } ] - } - ] - }, - { - "id": "gateways", - "title": "Gateways", - "controls": [ + }, { - "id": "control-0628", - "title": "Gateway architecture and configuration", + "id": "control-1216", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-0628-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." + "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." } ] }, { - "id": "control-1192", - "title": "Gateway architecture and configuration", + "id": "control-1112", + "title": "Inspecting cables", "parts": [ { - "id": "control-1192-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." 
} ] }, { - "id": "control-0631", - "title": "Gateway architecture and configuration", + "id": "control-1118", + "title": "Inspecting cables", "parts": [ { - "id": "control-0631-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1427", - "title": "Gateway architecture and configuration", + "id": "control-1119", + "title": "Inspecting cables", "parts": [ { - "id": "control-1427-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-0634", - "title": "Gateway operation", + "id": "control-1126", + "title": "Inspecting cables", "parts": [ { - "id": "control-0634-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." 
+ "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-0637", - "title": "Demilitarised zones", + "id": "control-0184", + "title": "Inspecting cables", "parts": [ { - "id": "control-0637-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1037", - "title": "Gateway testing", + "id": "control-0187", + "title": "Cable groupings", "parts": [ { - "id": "control-1037-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-0611", - "title": "Gateway administration", + "id": "control-1111", + "title": "Use of fibre-optic cables", "parts": [ { - "id": "control-0611-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." } ] }, { - "id": "control-0612", - "title": "Gateway administration", + "id": "control-0189", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-0612-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." 
+ "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." } ] }, { - "id": "control-1520", - "title": "Gateway administration", + "id": "control-0190", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1520-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." } ] }, { - "id": "control-0613", - "title": "Gateway administration", + "id": "control-1114", + "title": "Cables sharing a common reticulation system", "parts": [ { - "id": "control-0613-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." + "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." } ] }, { - "id": "control-0616", - "title": "Gateway administration", + "id": "control-1130", + "title": "Enclosed cable reticulation systems", "parts": [ { - "id": "control-0616-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "Roles for the administration of gateways are separated." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." 
} ] }, { - "id": "control-0629", - "title": "Gateway administration", + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", "parts": [ { - "id": "control-0629-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-0607", - "title": "Shared ownership of gateways", + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-0607-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." } ] }, { - "id": "control-0619", - "title": "Gateway authentication", + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-0619-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." 
} ] }, { - "id": "control-0620", - "title": "Gateway authentication", + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-0620-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1039", - "title": "Gateway authentication", + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1039-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-0622", - "title": "ICT equipment authentication", + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-0622-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." } ] - } - ] - }, - { - "id": "diodes", - "title": "Diodes", - "controls": [ + }, { - "id": "control-0643", - "title": "Using diodes", + "id": "control-1098", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-0643-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." 
+ "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." } ] }, { - "id": "control-0645", - "title": "Using diodes", + "id": "control-1100", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-0645-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-1157", - "title": "Using diodes", + "id": "control-1116", + "title": "Cabinet separation", "parts": [ { - "id": "control-1157-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] }, { - "id": "control-1158", - "title": "Using diodes", + "id": "control-1115", + "title": "Cables in walls", "parts": [ { - "id": "control-1158-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." } ] }, { - "id": "control-0646", - "title": "Diodes for particularly important networks", + "id": "control-1133", + "title": "Cables in party walls", "parts": [ { - "id": "control-0646-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." 
+ "prose": "In shared non-government facilities, cables are not run in a party wall." } ] }, { - "id": "control-0647", - "title": "Diodes for particularly important networks", + "id": "control-1122", + "title": "Wall penetrations", "parts": [ { - "id": "control-0647-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-0648", - "title": "Volume checking", + "id": "control-1134", + "title": "Wall penetrations", "parts": [ { - "id": "control-0648-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] - } - ] - }, - { - "id": "content_filtering", - "title": "Content filtering", - "controls": [ + }, { - "id": "control-0659", - "title": "Content filtering", + "id": "control-1104", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-0659-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." 
} ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-1105", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1524-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." } ] }, { - "id": "control-0651", - "title": "Active, malicious and suspicious content", + "id": "control-1106", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-0651-stmt", + "id": "control-1106-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." } ] }, { - "id": "control-0652", - "title": "Active, malicious and suspicious content", + "id": "control-1107", + "title": "Wall outlet box colours", "parts": [ { - "id": "control-0652-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1389", - "title": "Automated dynamic analysis", + "id": "control-1109", + "title": "Wall outlet box covers", "parts": [ { - "id": "control-1389-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "Wall outlet box covers are clear plastic." 
} ] }, { - "id": "control-1284", - "title": "Content validation", + "id": "control-0198", + "title": "Audio secure spaces", "parts": [ { - "id": "control-1284-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." } ] }, { - "id": "control-1286", - "title": "Content conversion and transformation", + "id": "control-1123", + "title": "Power reticulation", "parts": [ { - "id": "control-1286-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-1287", - "title": "Content sanitisation", + "id": "control-1135", + "title": "Power reticulation", "parts": [ { - "id": "control-1287-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + } + ] + } + ] + }, + { + "id": "cable_labelling_and_registration", + "title": "Cable labelling and registration", + "controls": [ + { + "id": "control-0201", + "title": "Conduit label specifications", + "parts": [ + { + "id": "control-0201-stmt", + "name": "statement", + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." 
} ] }, { - "id": "control-1288", - "title": "Antivirus scanning", + "id": "control-0202", + "title": "Conduit label specifications", "parts": [ { - "id": "control-1288-stmt", + "id": "control-0202-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." } ] }, { - "id": "control-1289", - "title": "Archive and container files", + "id": "control-0203", + "title": "Conduit label specifications", "parts": [ { - "id": "control-1289-stmt", + "id": "control-0203-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." } ] }, { - "id": "control-1290", - "title": "Archive and container files", + "id": "control-0204", + "title": "Installing conduit labelling", "parts": [ { - "id": "control-1290-stmt", + "id": "control-0204-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." } ] }, { - "id": "control-1291", - "title": "Archive and container files", + "id": "control-1095", + "title": "Labelling wall outlet boxes", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." 
} ] }, { - "id": "control-0649", - "title": "Allowing access to specific content types", + "id": "control-1096", + "title": "Labelling cables", "parts": [ { - "id": "control-0649-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." } ] }, { - "id": "control-1292", - "title": "Data integrity", + "id": "control-0206", + "title": "Cable labelling process and procedures", "parts": [ { - "id": "control-1292-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." + "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-0677", - "title": "Data integrity", + "id": "control-0208", + "title": "Cable register", "parts": [ { - "id": "control-0677-stmt", + "id": "control-0208-stmt", "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." + "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." } ] }, { - "id": "control-1293", - "title": "Encrypted data", + "id": "control-0211", + "title": "Cable inspections", "parts": [ { - "id": "control-1293-stmt", + "id": "control-0211-stmt", "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "Cables are inspected for inconsistencies with the cable register at least annually." 
} ] } ] }, { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", + "id": "cable_patching", + "title": "Cable patching", "controls": [ { - "id": "control-0626", - "title": "When to implement a Cross Domain Solution", + "id": "control-0213", + "title": "Terminations to patch panels", "parts": [ { - "id": "control-0626-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "Only approved cable groups terminate on a patch panel." } ] }, { - "id": "control-0597", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1093", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-0597-stmt", + "id": "control-1093-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." } ] }, { - "id": "control-0627", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-0214", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-0627-stmt", + "id": "control-0214-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." 
+ "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." } ] }, { - "id": "control-0635", - "title": "Separation of data flows", + "id": "control-1094", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-0635-stmt", + "id": "control-1094-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." } ] }, { - "id": "control-1521", - "title": "Separation of data flows", + "id": "control-0216", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1521-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." } ] }, { - "id": "control-1522", - "title": "Separation of data flows", + "id": "control-0217", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1522-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." 
+ "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." } ] }, { - "id": "control-0670", - "title": "Event logging", + "id": "control-0218", + "title": "Fly lead installation", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ + { + "id": "control-0100", + "title": "Outsourced gateway services", + "parts": [ + { + "id": "control-0100-stmt", + "name": "statement", + "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program assessors at least every two years." 
} ] }, { - "id": "control-1523", - "title": "Event logging", + "id": "control-1395", + "title": "Using outsourced information technology and cloud services", "parts": [ { - "id": "control-1523-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." + "prose": "If using an outsourced information technology or cloud service, the service provider provides an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." } ] }, { - "id": "control-0610", - "title": "User training", + "id": "control-1529", + "title": "Using outsourced information technology and cloud services", "parts": [ { - "id": "control-0610-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "If using outsourced cloud services for highly classified information, public clouds are not used." } ] - } - ] - }, - { - "id": "web_content_filters", - "title": "Web content filters", - "controls": [ + }, { - "id": "control-0963", - "title": "Using web content filters", + "id": "control-0873", + "title": "Foreign owned service providers and offshore services", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0873-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "If using an outsourced information technology or cloud service, a service provider whose systems are located in Australia is used." 
} ] }, { - "id": "control-0961", - "title": "Using web content filters", + "id": "control-0072", + "title": "Contractual arrangements", "parts": [ { - "id": "control-0961-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "Any security controls associated with the protection of information entrusted to a service provider are documented in contract provisions, a memorandum of understanding or an equivalent formal agreement between parties." } ] }, { - "id": "control-1237", - "title": "Using web content filters", + "id": "control-1073", + "title": "Contractual arrangements", "parts": [ { - "id": "control-1237-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "An organisation’s systems and information are not accessed or administered by a service provider from outside Australian borders unless a contractual arrangement exists between the organisation and the service provider to do so." } ] }, { - "id": "control-0263", - "title": "Transport Layer Security filtering", + "id": "control-1451", + "title": "Data ownership", "parts": [ { - "id": "control-0263-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "When entering into a contractual arrangement for outsourced information technology or cloud services, contractual ownership over an organisation’s data is explicitly retained." 
} ] }, { - "id": "control-0996", - "title": "Inspection of Transport Layer Security traffic", + "id": "control-1452", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0996-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "A review of suppliers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ + { + "id": "application_hardening", + "title": "Application hardening", + "controls": [ { - "id": "control-0958", - "title": "Allowing access to specific websites", + "id": "control-0938", + "title": "Application selection", "parts": [ { - "id": "control-0958-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." } ] }, { - "id": "control-1170", - "title": "Allowing access to specific websites", + "id": "control-1467", + "title": "Application versions", "parts": [ { - "id": "control-1170-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." 
} ] }, { - "id": "control-0959", - "title": "Blocking access to specific websites", + "id": "control-1483", + "title": "Application versions", "parts": [ { - "id": "control-0959-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." } ] }, { - "id": "control-0960", - "title": "Blocking access to specific websites", + "id": "control-1412", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0960-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1171", - "title": "Blocking access to specific websites", + "id": "control-1484", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1171-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "Web browsers are configured to block or disable support for Flash content." } ] }, { - "id": "control-1236", - "title": "Blocking access to specific websites", + "id": "control-1485", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1236-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "Web browsers are configured to block web advertisements." 
} ] - } - ] - }, - { - "id": "web_proxies", - "title": "Web proxies", - "controls": [ + }, { - "id": "control-0258", - "title": "Web usage policy", + "id": "control-1486", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0258-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "Web browsers are configured to block Java from the internet." } ] }, { - "id": "control-0260", - "title": "Using web proxies", + "id": "control-1541", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0260-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "Microsoft Office is configured to disable support for Flash content." } ] }, { - "id": "control-0261", - "title": "Web proxy authentication and logging", + "id": "control-1542", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0261-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." } ] - } - ] - }, - { - "id": "peripheral_switches", - "title": "Peripheral switches", - "controls": [ + }, { - "id": "control-0591", - "title": "Using peripheral switches", + "id": "control-1470", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0591-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." 
+ "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." } ] }, { - "id": "control-1480", - "title": "Using peripheral switches", + "id": "control-1235", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1480-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." } ] }, { - "id": "control-1457", - "title": "Using peripheral switches", + "id": "control-1487", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." } ] }, { - "id": "control-0593", - "title": "Using peripheral switches", + "id": "control-1488", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0593-stmt", + "id": "control-1488-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." + "prose": "Microsoft Office macros in documents originating from the internet are blocked." 
} ] }, { - "id": "control-0594", - "title": "Peripheral switches for particularly important systems", + "id": "control-1489", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0594-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] } ] - } - ] - }, - { - "id": "guidelines_for_network_management", - "title": "Guidelines for Network Management", - "groups": [ + }, { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", + "id": "operating_system_hardening", + "title": "Operating system hardening", "controls": [ { - "id": "control-1458", - "title": "Determining essential online services", - "parts": [ - { - "id": "control-1458-stmt", - "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." 
- } - ] - }, - { - "id": "control-1431", - "title": "Service provider denial of service strategies", + "id": "control-1407", + "title": "Operating system versions", "parts": [ { - "id": "control-1431-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred by customers resulting from denial-of-service attacks\n• thresholds for notifying customers or turning off their online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream providers to block malicious traffic as far upstream as possible." + "prose": "The latest version (N), or N-1 version, of an operating system is used for Standard Operating Environments (SOEs)." } ] }, { - "id": "control-1432", - "title": "Domain name registrar locking", + "id": "control-1408", + "title": "Operating system versions", "parts": [ { - "id": "control-1432-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." } ] }, { - "id": "control-1433", - "title": "Establishing contact details with service providers", + "id": "control-1409", + "title": "Operating system configuration", "parts": [ { - "id": "control-1433-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "24x7 contact details are maintained for service providers and service providers maintain 24x7 contact details for their customers." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." 
} ] }, { - "id": "control-1434", - "title": "Establishing contact details with service providers", + "id": "control-0383", + "title": "Operating system configuration", "parts": [ { - "id": "control-1434-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1435", - "title": "Monitoring with real-time alerting for online services", + "id": "control-0380", + "title": "Operating system configuration", "parts": [ { - "id": "control-1435-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." } ] }, { - "id": "control-1436", - "title": "Segregation of critical online services", + "id": "control-1491", + "title": "Operating system configuration", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." 
} ] }, { - "id": "control-1518", - "title": "Preparing for service continuity", + "id": "control-1410", + "title": "Local administrator accounts", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." } ] }, { - "id": "control-1437", - "title": "Cloud-based hosting of online services", + "id": "control-1469", + "title": "Local administrator accounts", "parts": [ { - "id": "control-1437-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "A cloud service provider is used for hosting online services." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-1438", - "title": "Using content delivery networks and denial of service mitigation services", + "id": "control-0382", + "title": "Application management", "parts": [ { - "id": "control-1438-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "Users do not have the ability to install, uninstall or disable software." 
} ] }, { - "id": "control-1439", - "title": "Using content delivery networks and denial of service mitigation services", + "id": "control-0843", + "title": "Application control", "parts": [ { - "id": "control-1439-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-1441", - "title": "Using content delivery networks and denial of service mitigation services", + "id": "control-1490", + "title": "Application control", "parts": [ { - "id": "control-1441-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists for online services, a denial of service mitigation service is used." + "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] - } - ] - }, - { - "id": "wireless_networks", - "title": "Wireless networks", - "controls": [ + }, { - "id": "control-1314", - "title": "Choosing wireless access points", + "id": "control-0955", + "title": "Application control", "parts": [ { - "id": "control-1314-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." 
} ] }, { - "id": "control-0536", - "title": "Wireless networks for public access", + "id": "control-1471", + "title": "Application control", "parts": [ { - "id": "control-0536-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-1315", - "title": "Administrative interfaces for wireless access points", + "id": "control-1392", + "title": "Application control", "parts": [ { - "id": "control-1315-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." } ] }, { - "id": "control-1316", - "title": "Default Service Set Identifiers", + "id": "control-1544", + "title": "Application control", "parts": [ { - "id": "control-1316-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." } ] }, { - "id": "control-1317", - "title": "Default Service Set Identifiers", + "id": "control-0846", + "title": "Application control", "parts": [ { - "id": "control-1317-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." 
+ "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." } ] }, { - "id": "control-1318", - "title": "Default Service Set Identifiers", + "id": "control-0957", + "title": "Application control", "parts": [ { - "id": "control-1318-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." } ] }, { - "id": "control-1319", - "title": "Static addressing", + "id": "control-1414", + "title": "Enhanced Mitigation Experience Toolkit and Exploit protection", "parts": [ { - "id": "control-1319-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." } ] }, { - "id": "control-1320", - "title": "Media Access Control address filtering", + "id": "control-1492", + "title": "Enhanced Mitigation Experience Toolkit and Exploit protection", "parts": [ { - "id": "control-1320-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." + "prose": "If supported, Microsoft's 'Exploit protection' functionality is implemented on workstations and servers." 
} ] }, { - "id": "control-1321", - "title": "802.1X authentication", + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1321-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "A HIPS is implemented on workstations." } ] }, { - "id": "control-1322", - "title": "Evaluation of 802.1X authentication implementation", + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." } ] }, { - "id": "control-1324", - "title": "Generating and issuing certificates for authentication", + "id": "control-1416", + "title": "Software firewall", "parts": [ { - "id": "control-1324-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." } ] }, { - "id": "control-1323", - "title": "Generating and issuing certificates for authentication", + "id": "control-1417", + "title": "Antivirus software", "parts": [ { - "id": "control-1323-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." 
+ "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." } ] }, { - "id": "control-1325", - "title": "Generating and issuing certificates for authentication", + "id": "control-1390", + "title": "Antivirus software", "parts": [ { - "id": "control-1325-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." + "prose": "Antivirus software has reputation rating functionality enabled." } ] }, { - "id": "control-1326", - "title": "Generating and issuing certificates for authentication", + "id": "control-1418", + "title": "Endpoint device control software", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." } ] - }, + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ { - "id": "control-1327", - "title": "Generating and issuing certificates for authentication", + "id": "control-1546", + "title": "Authenticating to systems", "parts": [ { - "id": "control-1327-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "Users are authenticated before they are granted access to a system and its resources." 
} ] }, { - "id": "control-1330", - "title": "Caching 802.1X authentication outcomes", + "id": "control-0974", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1330-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "Multi-factor authentication is used to authenticate standard users." } ] }, { - "id": "control-1454", - "title": "Remote Authentication Dial-In User Service authentication", + "id": "control-1173", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." } ] }, { - "id": "control-1332", - "title": "Encryption of wireless network traffic", + "id": "control-1504", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] }, { - "id": "control-1334", - "title": "Interference between wireless networks", + "id": "control-1505", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1334-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." 
} ] }, { - "id": "control-1335", - "title": "Protecting management frames on wireless networks", + "id": "control-1401", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1335-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." } ] }, { - "id": "control-1338", - "title": "Wireless network footprint", + "id": "control-1559", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] }, { - "id": "control-1013", - "title": "Wireless network footprint", + "id": "control-1560", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." 
} ] - } - ] - }, - { - "id": "network_design_and_configuration", - "title": "Network design and configuration", - "controls": [ + }, { - "id": "control-0516", - "title": "Network documentation", + "id": "control-1561", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-0516-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." } ] }, { - "id": "control-0518", - "title": "Network documentation", + "id": "control-1357", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-0518-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." } ] }, { - "id": "control-1178", - "title": "Network documentation", + "id": "control-0417", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1178-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." 
} ] }, - { - "id": "control-1181", - "title": "Network segmentation and segregation", + { + "id": "control-0421", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1181-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." } ] }, { - "id": "control-1532", - "title": "Using Virtual Local Area Networks", + "id": "control-1557", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1532-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] }, { - "id": "control-0529", - "title": "Using Virtual Local Area Networks", + "id": "control-0422", + "title": "Single-factor authentication", "parts": [ { - "id": "control-0529-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." + "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." } ] }, { - "id": "control-1364", - "title": "Using Virtual Local Area Networks", + "id": "control-1558", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1364-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." 
+ "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." } ] }, { - "id": "control-0535", - "title": "Using Virtual Local Area Networks", + "id": "control-1403", + "title": "Account lockouts", "parts": [ { - "id": "control-0535-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-0530", - "title": "Using Virtual Local Area Networks", + "id": "control-0431", + "title": "Account lockouts", "parts": [ { - "id": "control-0530-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "Repeated account lockouts are investigated before reauthorising access." } ] }, { - "id": "control-0521", - "title": "Using Internet Protocol version 6", + "id": "control-0976", + "title": "Resetting passwords/passphrases", "parts": [ { - "id": "control-0521-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." + "prose": "Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset." } ] }, { - "id": "control-1186", - "title": "Using Internet Protocol version 6", + "id": "control-1227", + "title": "Resetting passwords/passphrases", "parts": [ { - "id": "control-1186-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." 
+ "prose": "Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date." } ] }, { - "id": "control-1428", - "title": "Using Internet Protocol version 6", + "id": "control-1055", + "title": "Password/passphrase authentication", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "LAN Manager is disabled for password/passphrase authentication." } ] }, { - "id": "control-1429", - "title": "Using Internet Protocol version 6", + "id": "control-0418", + "title": "Protecting credentials", "parts": [ { - "id": "control-1429-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "Credentials are stored separately from systems to which they grant access." } ] }, { - "id": "control-1430", - "title": "Using Internet Protocol version 6", + "id": "control-1402", + "title": "Protecting credentials", "parts": [ { - "id": "control-1430-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "Credentials are protected by ensuring:\n• passwords/passphrases expire every 12 months\n• passwords/passphrases are stored as salted hashes\n• password/passphrase stretching is implemented\n• passwords/passphrases that are compromised are revoked\n• passwords/passphrases are never sent in the clear across networks." 
} ] }, { - "id": "control-0520", - "title": "Network access controls", + "id": "control-0428", + "title": "Session and screen locking", "parts": [ { - "id": "control-0520-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." } ] }, { - "id": "control-1182", - "title": "Network access controls", + "id": "control-0408", + "title": "Logon banner", "parts": [ { - "id": "control-1182-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-1301", - "title": "Network device register", + "id": "control-0979", + "title": "Logon banner", "parts": [ { - "id": "control-1301-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "Legal advice is sought on the exact wording of logon banners." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", + "groups": [ + { + "id": "application_development", + "title": "Application development", + "controls": [ { - "id": "control-1304", - "title": "Default accounts for network devices", + "id": "control-0400", + "title": "Development environments", "parts": [ { - "id": "control-1304-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Software development, testing and production environments are segregated." } ] }, { - "id": "control-0534", - "title": "Disabling unused physical ports on network devices", + "id": "control-1419", + "title": "Development environments", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-0385", - "title": "Functional separation between servers", + "id": "control-1420", + "title": "Development environments", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." 
} ] }, { - "id": "control-1479", - "title": "Functional separation between servers", + "id": "control-1422", + "title": "Development environments", "parts": [ { - "id": "control-1479-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-1460", - "title": "Functional separation between server-side computing environments", + "id": "control-1238", + "title": "Secure software design", "parts": [ { - "id": "control-1460-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware:\n• the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner\n• the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism\n• the underlying operating system running on the server is hardened\n• patches are applied to the isolation mechanism and underlying operating system in a timely manner\n• integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." 
} ] }, { - "id": "control-1462", - "title": "Functional separation between server-side computing environments", + "id": "control-0401", + "title": "Secure programming practices", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." } ] }, { - "id": "control-1461", - "title": "Functional separation between server-side computing environments", + "id": "control-0402", + "title": "Software testing", "parts": [ { - "id": "control-1461-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] - }, + } + ] + }, + { + "id": "web_application_development", + "title": "Web application development", + "controls": [ { - "id": "control-1006", - "title": "Management traffic", + "id": "control-1239", + "title": "Web application frameworks", "parts": [ { - "id": "control-1006-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." 
+ "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-1311", - "title": "Use of Simple Network Management Protocol", + "id": "control-1552", + "title": "Web application interactions", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "All web application content is offered exclusively using HTTPS." } ] }, { - "id": "control-1312", - "title": "Use of Simple Network Management Protocol", + "id": "control-1240", + "title": "Web application input handling", "parts": [ { - "id": "control-1312-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-1028", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1241", + "title": "Web application output encoding", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage, including public network infrastructure." + "prose": "Output encoding is performed on all output produced by a web application." } ] }, { - "id": "control-1030", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1424", + "title": "Web browser-based security controls", "parts": [ { - "id": "control-1030-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." 
+ "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-1185", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-0971", + "title": "Open Web Application Security Project", "parts": [ { - "id": "control-1185-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." } ] } 
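Review bot: The multi-line statements in this hunk (control-1402 "Credentials are protected by ensuring:\n• ..." and control-0428 "Systems are configured with a session or screen lock that:\n• ...") embed literal "•" bullets inside the `prose` string, and since OSCAL `prose` is Markdown those lines will not render as a list; using `\n- ` list markers (or splitting each bullet into its own sub-part) would keep the structure machine-readable. Separately, the diff pairs unrelated removed and added controls (e.g. `- "id": "control-1325"` against `+ "id": "control-1390"`, and the whole `network_design_and_configuration` group against `authentication_hardening`), which reads as if the wireless and network-design controls were deleted; please confirm in the description that this is a group reordering from regeneration and that those control ids still appear elsewhere in the file.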
@@ -4273,1412 +4388,1440 @@ ] }, { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", + "id": "guidelines_for_using_cryptography", + "title": "Guidelines for Using Cryptography", "groups": [ { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ - { - "id": "control-0041", - "title": "System security plan", - "parts": [ - { - "id": "control-0041-stmt", - "name": "statement", - "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." - } - ] - }, + "id": "secure_shell", + "title": "Secure Shell", + "controls": [ { - "id": "control-0043", - "title": "Incident response plan", + "id": "control-1506", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-0043-stmt", + "id": "control-1506-stmt", "name": "statement", - "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a 
separate document." + "prose": "The use of SSH version 1 is disabled." } ] }, { - "id": "control-1163", - "title": "Continuous monitoring plan", + "id": "control-0484", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-1163-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-1563", - "title": "Security assessment report", + "id": "control-0485", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1563-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + "prose": "Public key-based authentication is used for SSH connections." } ] }, { - "id": "control-1564", - "title": "Plan of action and milestones", + "id": "control-1449", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1564-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." 
+ "prose": "SSH private keys are protected with a passphrase or a key encryption key." } ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ + }, { - "id": "control-0039", - "title": "Cyber security strategy", + "id": "control-0487", + "title": "Automated remote access", "parts": [ { - "id": "control-0039-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." } ] }, { - "id": "control-0047", - "title": "Approval of security documentation", + "id": "control-0488", + "title": "Automated remote access", "parts": [ { - "id": "control-0047-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." } ] }, { - "id": "control-0888", - "title": "Maintenance of security documentation", + "id": "control-0489", + "title": "SSH-agent", "parts": [ { - "id": "control-0888-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." 
+ "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." } ] } ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ + }, { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", "controls": [ { - "id": "control-0252", - "title": "Providing cyber security awareness training", + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0252-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." + "prose": "Only AACAs are used by cryptographic equipment and software." } ] }, { - "id": "control-1565", - "title": "Providing cyber security awareness training", + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", "parts": [ { - "id": "control-1565-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "Tailored privileged user training is undertaken annually by all privileged users." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." 
} ] }, { - "id": "control-0817", - "title": "Reporting suspicious contact via online services", + "id": "control-0472", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-0817-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-0820", - "title": "Posting work information to online services", + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-0820-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1146", - "title": "Posting work information to online services", + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." } ] }, { - "id": "control-0821", - "title": "Posting personal information to online services", + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", "parts": [ { - "id": "control-0821-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." 
+ "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] }, { - "id": "control-0824", - "title": "Sending and receiving files via online services", + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", "parts": [ { - "id": "control-0824-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "System access requirements", + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0432-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "Each system’s system security plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-0434", - "title": "Security clearances, briefings and user identification", + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0434-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." 
+ "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." } ] }, { - "id": "control-0435", - "title": "Security clearances, briefings and user identification", + "id": "control-1054", + "title": "Approved hashing algorithms", "parts": [ { - "id": "control-0435-stmt", + "id": "control-1054-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." } ] }, { - "id": "control-0414", - "title": "Security clearances, briefings and user identification", + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", "parts": [ { - "id": "control-0414-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." } ] }, { - "id": "control-0415", - "title": "Security clearances, briefings and user identification", + "id": "control-0480", + "title": "Using the Triple Data Encryption Standard", "parts": [ { - "id": "control-0415-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "3DES is used with three distinct keys." } ] }, { - "id": "control-0975", - "title": "Security clearances, briefings and user identification", + "id": "control-1232", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0975-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." 
+ "prose": "AACAs are used in an evaluated implementation." } ] }, { - "id": "control-0420", - "title": "Security clearances, briefings and user identification", + "id": "control-1468", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0420-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." } ] - }, + } + ] + }, + { + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", + "controls": [ { - "id": "control-1538", - "title": "Security clearances, briefings and user identification", + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-1538-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Versions of S/MIME earlier than 3.0 are not used." } ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-0405", - "title": "Standard access to systems", + "id": "control-1139", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0405-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Only the latest version of TLS is used." 
} ] }, { - "id": "control-1503", - "title": "Standard access to systems", + "id": "control-1369", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1503-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-1566", - "title": "Standard access to systems", + "id": "control-1370", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1566-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." + "prose": "Only server-initiated secure renegotiation is used." } ] }, { - "id": "control-0409", - "title": "Standard access to systems by foreign nationals", + "id": "control-1372", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0409-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "DH or ECDH is used for key establishment." } ] }, { - "id": "control-0411", - "title": "Standard access to systems by foreign nationals", + "id": "control-1448", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0411-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." 
+ "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." } ] }, { - "id": "control-0816", - "title": "Standard access to systems by foreign nationals", + "id": "control-1373", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0816-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-1507", - "title": "Privileged access to systems", + "id": "control-1374", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1507-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "SHA-2-based certificates are used." } ] }, { - "id": "control-1508", - "title": "Privileged access to systems", + "id": "control-1375", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1508-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." 
} ] }, { - "id": "control-0445", - "title": "Privileged access to systems", + "id": "control-1553", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0445-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "TLS compression is disabled." } ] }, { - "id": "control-1509", - "title": "Privileged access to systems", + "id": "control-1453", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1509-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "PFS is used for TLS connections." } ] - }, + } + ] + }, + { + "id": "cryptographic_system_management", + "title": "Cryptographic system management", + "controls": [ { - "id": "control-1175", - "title": "Privileged access to systems", + "id": "control-0501", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1175-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." } ] }, { - "id": "control-0448", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0142", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0448-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." 
+ "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." } ] }, { - "id": "control-0446", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1091", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0446-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." + "prose": "Keying material is changed when compromised or suspected of being compromised." } ] }, { - "id": "control-0447", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", "parts": [ { - "id": "control-0447-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." } ] }, { - "id": "control-1545", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0505", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1545-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." 
} ] }, { - "id": "control-0430", - "title": "Suspension of access to systems", + "id": "control-0506", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-0430-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." } ] - }, + } + ] + }, + { + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", + "controls": [ { - "id": "control-1404", - "title": "Suspension of access to systems", + "id": "control-1161", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1404-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." 
} ] }, { - "id": "control-0407", - "title": "Recording authorisation for personnel to access systems", + "id": "control-0457", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-0407-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." + "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] }, { - "id": "control-0441", - "title": "Temporary access to systems", + "id": "control-0460", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-0441-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-0443", - "title": "Temporary access to systems", + "id": "control-0459", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0443-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." 
+ "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-0078", - "title": "Control of Australian systems", + "id": "control-0461", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0078-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-0854", - "title": "Control of Australian systems", + "id": "control-1080", + "title": "Encrypting particularly important information at rest", "parts": [ { - "id": "control-0854-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", - "groups": [ - { - "id": "authentication_hardening", - "title": "Authentication hardening", - "controls": [ + }, { - "id": "control-1546", - "title": "Authenticating to systems", + "id": "control-0455", + "title": "Data recovery", "parts": [ { - "id": "control-1546-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." 
+ "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." } ] }, { - "id": "control-0974", - "title": "Multi-factor authentication", + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", "parts": [ { - "id": "control-0974-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] }, { - "id": "control-1173", - "title": "Multi-factor authentication", + "id": "control-1162", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1173-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1504", - "title": "Multi-factor authentication", + "id": "control-0465", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1504-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." 
} ] }, { - "id": "control-1505", - "title": "Multi-factor authentication", + "id": "control-0467", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1505-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1401", - "title": "Multi-factor authentication", + "id": "control-0469", + "title": "Encrypting particularly important information in transit", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ { - "id": "control-1559", - "title": "Multi-factor authentication", + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-1559-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "Only AACPs are used by cryptographic equipment and software." 
} ] - }, + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ { - "id": "control-1560", - "title": "Multi-factor authentication", + "id": "control-0494", + "title": "Mode of operation", "parts": [ { - "id": "control-1560-stmt", + "id": "control-0494-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." } ] }, { - "id": "control-1561", - "title": "Multi-factor authentication", + "id": "control-0496", + "title": "Protocol selection", "parts": [ { - "id": "control-1561-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "The ESP protocol is used for IPsec connections." } ] }, { - "id": "control-1357", - "title": "Multi-factor authentication", + "id": "control-1233", + "title": "Key exchange", "parts": [ { - "id": "control-1357-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-0417", - "title": "Single-factor authentication", + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", "parts": [ { - "id": "control-0417-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." 
} ] }, { - "id": "control-0421", - "title": "Single-factor authentication", + "id": "control-0498", + "title": "Security association lifetimes", "parts": [ { - "id": "control-0421-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." } ] }, { - "id": "control-1557", - "title": "Single-factor authentication", + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-0422", - "title": "Single-factor authentication", + "id": "control-0999", + "title": "Diffie-Hellman groups", "parts": [ { - "id": "control-0422-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." } ] }, { - "id": "control-1558", - "title": "Single-factor authentication", + "id": "control-1000", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1558-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + "prose": "PFS is used for IPsec connections." 
} ] }, { - "id": "control-1403", - "title": "Account lockouts", + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", "parts": [ { - "id": "control-1403-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_network_management", + "title": "Guidelines for Network Management", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ { - "id": "control-0431", - "title": "Account lockouts", + "id": "control-1458", + "title": "Determining essential online services", "parts": [ { - "id": "control-0431-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." } ] }, { - "id": "control-0976", - "title": "Resetting passwords/passphrases", + "id": "control-1431", + "title": "Service provider denial of service strategies", "parts": [ { - "id": "control-0976-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset." 
+ "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred by customers resulting from denial-of-service attacks\n• thresholds for notifying customers or turning off their online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream providers to block malicious traffic as far upstream as possible." } ] }, { - "id": "control-1227", - "title": "Resetting passwords/passphrases", + "id": "control-1432", + "title": "Domain name registrar locking", "parts": [ { - "id": "control-1227-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date." + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." } ] }, { - "id": "control-1055", - "title": "Password/passphrase authentication", + "id": "control-1433", + "title": "Establishing contact details with service providers", "parts": [ { - "id": "control-1055-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "LAN Manager is disabled for password/passphrase authentication." + "prose": "24x7 contact details are maintained for service providers and service providers maintain 24x7 contact details for their customers." } ] }, { - "id": "control-0418", - "title": "Protecting credentials", + "id": "control-1434", + "title": "Establishing contact details with service providers", "parts": [ { - "id": "control-0418-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." 
+ "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." } ] }, { - "id": "control-1402", - "title": "Protecting credentials", + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", "parts": [ { - "id": "control-1402-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "Credentials are protected by ensuring:\n• passwords/passphrases expire every 12 months\n• passwords/passphrases are stored as salted hashes\n• password/passphrase stretching is implemented\n• passwords/passphrases that are compromised are revoked\n• passwords/passphrases are never sent in the clear across networks." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] }, { - "id": "control-0428", - "title": "Session and screen locking", + "id": "control-1436", + "title": "Segregation of critical online services", "parts": [ { - "id": "control-0428-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." 
} ] }, { - "id": "control-0408", - "title": "Logon banner", + "id": "control-1518", + "title": "Preparing for service continuity", "parts": [ { - "id": "control-0408-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." } ] }, { - "id": "control-0979", - "title": "Logon banner", + "id": "control-1437", + "title": "Cloud-based hosting of online services", "parts": [ { - "id": "control-0979-stmt", + "id": "control-1437-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." + "prose": "A cloud service provider is used for hosting online services." } ] - } - ] - }, - { - "id": "operating_system_hardening", - "title": "Operating system hardening", - "controls": [ + }, { - "id": "control-1407", - "title": "Operating system versions", + "id": "control-1438", + "title": "Using content delivery networks and denial of service mitigation services", "parts": [ { - "id": "control-1407-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for Standard Operating Environments (SOEs)." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." } ] }, { - "id": "control-1408", - "title": "Operating system versions", + "id": "control-1439", + "title": "Using content delivery networks and denial of service mitigation services", "parts": [ { - "id": "control-1408-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." 
+ "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." } ] }, { - "id": "control-1409", - "title": "Operating system configuration", + "id": "control-1441", + "title": "Using content delivery networks and denial of service mitigation services", "parts": [ { - "id": "control-1409-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "Where a requirement for high availability exists for online services, a denial of service mitigation service is used." } ] - }, + } + ] + }, + { + "id": "wireless_networks", + "title": "Wireless networks", + "controls": [ { - "id": "control-0383", - "title": "Operating system configuration", + "id": "control-1314", + "title": "Choosing wireless access points", "parts": [ { - "id": "control-0383-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-0380", - "title": "Operating system configuration", + "id": "control-0536", + "title": "Wireless networks for public access", "parts": [ { - "id": "control-0380-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." 
} ] }, { - "id": "control-1491", - "title": "Operating system configuration", + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", "parts": [ { - "id": "control-1491-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." } ] }, { - "id": "control-1410", - "title": "Local administrator accounts", + "id": "control-1316", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1410-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + "prose": "The default SSID of wireless access points is changed." } ] }, { - "id": "control-1469", - "title": "Local administrator accounts", + "id": "control-1317", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1469-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." 
} ] }, { - "id": "control-0382", - "title": "Application management", + "id": "control-1318", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0382-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "Users do not have the ability to install, uninstall or disable software." + "prose": "SSID broadcasting is enabled on wireless networks." } ] }, { - "id": "control-0843", - "title": "Application control", + "id": "control-1319", + "title": "Static addressing", "parts": [ { - "id": "control-0843-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." } ] }, { - "id": "control-1490", - "title": "Application control", + "id": "control-1320", + "title": "Media Access Control address filtering", "parts": [ { - "id": "control-1490-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." } ] }, { - "id": "control-0955", - "title": "Application control", + "id": "control-1321", + "title": "802.1X authentication", "parts": [ { - "id": "control-0955-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." 
} ] }, { - "id": "control-1471", - "title": "Application control", + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", "parts": [ { - "id": "control-1471-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." + "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." } ] }, { - "id": "control-1392", - "title": "Application control", + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1392-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." } ] }, { - "id": "control-1544", - "title": "Application control", + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1544-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." + "prose": "Both device and user certificates are required for accessing wireless networks." 
} ] }, { - "id": "control-0846", - "title": "Application control", + "id": "control-1325", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0846-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." } ] }, { - "id": "control-0957", - "title": "Application control", + "id": "control-1326", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0957-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." } ] }, { - "id": "control-1414", - "title": "Enhanced Mitigation Experience Toolkit and Exploit protection", + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1414-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." 
} ] }, { - "id": "control-1492", - "title": "Enhanced Mitigation Experience Toolkit and Exploit protection", + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", "parts": [ { - "id": "control-1492-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "If supported, Microsoft's 'Exploit protection' functionality is implemented on workstations and servers." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." } ] }, { - "id": "control-1341", - "title": "Host-based Intrusion Prevention System", + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", "parts": [ { - "id": "control-1341-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] }, { - "id": "control-1034", - "title": "Host-based Intrusion Prevention System", + "id": "control-1332", + "title": "Encryption of wireless network traffic", "parts": [ { - "id": "control-1034-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." } ] }, { - "id": "control-1416", - "title": "Software firewall", + "id": "control-1334", + "title": "Interference between wireless networks", "parts": [ { - "id": "control-1416-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." 
} ] }, { - "id": "control-1417", - "title": "Antivirus software", + "id": "control-1335", + "title": "Protecting management frames on wireless networks", "parts": [ { - "id": "control-1417-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." } ] }, { - "id": "control-1390", - "title": "Antivirus software", + "id": "control-1338", + "title": "Wireless network footprint", "parts": [ { - "id": "control-1390-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." } ] }, { - "id": "control-1418", - "title": "Endpoint device control software", + "id": "control-1013", + "title": "Wireless network footprint", "parts": [ { - "id": "control-1418-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." 
} ] } ] }, { - "id": "application_hardening", - "title": "Application hardening", + "id": "network_design_and_configuration", + "title": "Network design and configuration", "controls": [ { - "id": "control-0938", - "title": "Application selection", + "id": "control-0516", + "title": "Network documentation", "parts": [ { - "id": "control-0938-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." } ] }, { - "id": "control-1467", - "title": "Application versions", + "id": "control-0518", + "title": "Network documentation", "parts": [ { - "id": "control-1467-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1483", - "title": "Application versions", + "id": "control-1178", + "title": "Network documentation", "parts": [ { - "id": "control-1483-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." 
} ] }, { - "id": "control-1412", - "title": "Hardening application configurations", + "id": "control-1181", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-1412-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." } ] }, { - "id": "control-1484", - "title": "Hardening application configurations", + "id": "control-1532", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1484-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1485", - "title": "Hardening application configurations", + "id": "control-0529", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." } ] }, { - "id": "control-1486", - "title": "Hardening application configurations", + "id": "control-1364", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1486-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." 
} ] }, { - "id": "control-1541", - "title": "Hardening application configurations", + "id": "control-0535", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1541-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." + "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-1542", - "title": "Hardening application configurations", + "id": "control-0530", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1542-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "Network devices implementing VLANs are managed from the most trusted network." } ] }, { - "id": "control-1470", - "title": "Hardening application configurations", + "id": "control-0521", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1470-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-1235", - "title": "Hardening application configurations", + "id": "control-1186", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1235-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." + "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." 
} ] }, { - "id": "control-1487", - "title": "Microsoft Office macros", + "id": "control-1428", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1487-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-1488", - "title": "Microsoft Office macros", + "id": "control-1429", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1488-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." } ] }, { - "id": "control-1489", - "title": "Microsoft Office macros", + "id": "control-1430", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1489-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." + "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ - { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", - "controls": [ + }, + { + "id": "control-0520", + "title": "Network access controls", + "parts": [ + { + "id": "control-0520-stmt", + "name": "statement", + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." 
+ } + ] + }, + { + "id": "control-1182", + "title": "Network access controls", + "parts": [ + { + "id": "control-1182-stmt", + "name": "statement", + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + } + ] + }, { - "id": "control-0580", - "title": "Event logging policy", + "id": "control-1301", + "title": "Network device register", "parts": [ { - "id": "control-0580-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "A network device register is maintained and regularly audited." } ] }, { - "id": "control-1405", - "title": "Centralised logging facility", + "id": "control-1304", + "title": "Default accounts for network devices", "parts": [ { - "id": "control-1405-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-0988", - "title": "Centralised logging facility", + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", "parts": [ { - "id": "control-0988-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." + "prose": "Unused physical ports on network devices are disabled." 
} ] }, { - "id": "control-0584", - "title": "Events to be logged", + "id": "control-0385", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0584-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-0582", - "title": "Events to be logged", + "id": "control-1479", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0582-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to external media\n• user or group management\n• use of special privileges." + "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-1536", - "title": "Events to be logged", + "id": "control-1460", + "title": "Functional separation between server-side computing environments", "parts": [ { - "id": "control-1536-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware:\n• the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner\n• the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism\n• the underlying operating system running on the server is hardened\n• patches are applied to the isolation mechanism and underlying operating system in a timely manner\n• integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1537", - "title": "Events to be logged", + "id": "control-1462", + "title": "Functional separation between server-side computing environments", "parts": [ { - "id": "control-1537-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." 
} ] }, { - "id": "control-0585", - "title": "Events log details", + "id": "control-1461", + "title": "Functional separation between server-side computing environments", "parts": [ { - "id": "control-0585-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." } ] }, { - "id": "control-0586", - "title": "Event log protection", + "id": "control-1006", + "title": "Management traffic", "parts": [ { - "id": "control-0586-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." } ] }, { - "id": "control-0859", - "title": "Event log retention", + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-0859-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "SNMP version 1 and 2 are not used on networks." } ] }, { - "id": "control-0991", - "title": "Event log retention", + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-0991-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." 
+ "prose": "All default SNMP community strings on network devices are changed and have write access disabled." } ] }, { - "id": "control-0109", - "title": "Event log auditing process and procedures", + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0109-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage, including public network infrastructure." } ] }, { - "id": "control-1228", - "title": "Event log auditing process and procedures", + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1228-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + } + ] + }, + { + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", + "parts": [ + { + "id": "control-1185-stmt", + "name": "statement", + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] } 
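Review bot: no `-`/`+` pair in this hunk is an actual prose change, so the hunk cannot be reviewed for the one thing that matters in a catalog regeneration, namely whether any control id or statement was dropped or altered. Every `-` line belongs to the system hardening and event logging controls (`- "id": "control-1409"` through `- "id": "control-1228"`, including the removed `guidelines_for_system_monitoring` and `event_logging_and_auditing` headers) and the `+` line git aligns against it belongs to the `wireless_networks` or `network_design_and_configuration` group (`+ "id": "control-1314"` through `+ "id": "control-1185"`); the catalog's group order has shifted and git is diffing unrelated controls line by line. Please say in the commit message that the catalogs were regenerated and the group order changed, and back it with a structural check that parses both versions of catalog.json and compares the ordered list of control ids plus each control's statement prose (for example `jq -r '.. | .controls? // empty | .[].id'` on old and new, then a plain diff of the two id lists), so a reviewer is not asked to trust a multi-thousand-line reorder diff. Spot-checking the visible `+` lines, the prose is consistent with ISM wording (for instance control-1330's "PMK caching period is not set to greater than 1440 minutes (24 hours)"), but that proves nothing about the controls this hunk no longer shows.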
@@ -5821,225 +5964,98 @@ "title": "Access to sufficient data sources and tools", "parts": [ { - "id": "control-0120-stmt", - "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems_management", - "title": "Guidelines for Database Systems Management", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ - { - "id": "control-1425", - "title": "Protecting database server contents", - "parts": [ - { - "id": "control-1425-stmt", - "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." - } - ] - }, - { - "id": "control-1269", - "title": "Functional separation between database servers and web servers", - "parts": [ - { - "id": "control-1269-stmt", - "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." - } - ] - }, - { - "id": "control-1277", - "title": "Communications between database servers and web servers", - "parts": [ - { - "id": "control-1277-stmt", - "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." - } - ] - }, - { - "id": "control-1270", - "title": "Network environment", - "parts": [ - { - "id": "control-1270-stmt", - "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." - } - ] - }, - { - "id": "control-1271", - "title": "Network environment", - "parts": [ - { - "id": "control-1271-stmt", - "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." 
- } - ] - }, - { - "id": "control-1272", - "title": "Network environment", - "parts": [ - { - "id": "control-1272-stmt", - "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." - } - ] - }, - { - "id": "control-1273", - "title": "Separation of production, test and development database servers", - "parts": [ - { - "id": "control-1273-stmt", - "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." - } - ] - } - ] - }, - { - "id": "database_management_system_software", - "title": "Database management system software", - "controls": [ - { - "id": "control-1245", - "title": "Temporary installation files and logs", - "parts": [ - { - "id": "control-1245-stmt", - "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." - } - ] - }, - { - "id": "control-1246", - "title": "Hardening and configuration", - "parts": [ - { - "id": "control-1246-stmt", - "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." - } - ] - }, - { - "id": "control-1247", - "title": "Hardening and configuration", - "parts": [ - { - "id": "control-1247-stmt", - "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." - } - ] - }, - { - "id": "control-1249", - "title": "Restricting privileges", - "parts": [ - { - "id": "control-1249-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." 
+ "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems_management", + "title": "Guidelines for Database Systems Management", + "groups": [ + { + "id": "database_servers", + "title": "Database servers", + "controls": [ { - "id": "control-1250", - "title": "Restricting privileges", + "id": "control-1425", + "title": "Protecting database server contents", "parts": [ { - "id": "control-1250-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "Hard disks of database servers are encrypted using full disk encryption." } ] }, { - "id": "control-1251", - "title": "Restricting privileges", + "id": "control-1269", + "title": "Functional separation between database servers and web servers", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-1260", - "title": "Database administrator accounts", + "id": "control-1277", + "title": "Communications between database servers and web servers", "parts": [ { - "id": "control-1260-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "Information communicated between database servers and web applications is encrypted." 
} ] }, { - "id": "control-1262", - "title": "Database administrator accounts", + "id": "control-1270", + "title": "Network environment", "parts": [ { - "id": "control-1262-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-1261", - "title": "Database administrator accounts", + "id": "control-1271", + "title": "Network environment", "parts": [ { - "id": "control-1261-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." } ] }, { - "id": "control-1263", - "title": "Database administrator accounts", + "id": "control-1272", + "title": "Network environment", "parts": [ { - "id": "control-1263-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." 
} ] }, { - "id": "control-1264", - "title": "Database administrator accounts", + "id": "control-1273", + "title": "Separation of production, test and development database servers", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "Test and development environments do not use the same database servers as production environments." } ] } 
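Review bot: this hunk is a relocation of existing controls rather than a content change, and nothing in the diff or the commit message says so. The controls deleted here (control-1250, control-1251, control-1260, control-1262, control-1261, control-1263 and control-1264, the DBMS privilege and database administrator account statements) reappear verbatim as additions under the new "database_management_system_software" group in the following hunk, and the "database_servers" group added here (control-1425, control-1269, control-1277, control-1270, control-1271, control-1272, control-1273) is likewise existing ISM content arriving from elsewhere in the file. Please record in the commit message that the ISM catalogs were regenerated with trestle 1.0.x and that group ordering changed, and verify with an order-insensitive comparison (the sorted set of control ids plus each control's "prose" value, per catalog, before and after) that no statement was altered or dropped; a multi-thousand-line reorder is exactly where an accidental edit to a control's prose would pass unnoticed.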
@@ -6171,2076 +6187,2060 @@ ] } ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ + }, { - "id": "mobile_device_usage", - "title": "Mobile device usage", + "id": "database_management_system_software", + "title": "Database management system software", "controls": [ { - "id": "control-1082", - "title": "Mobile device usage policy", + "id": "control-1245", + "title": "Temporary installation files and logs", "parts": [ { - "id": "control-1082-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-1083", - "title": "Personnel awareness", + "id": "control-1246", + "title": "Hardening and configuration", "parts": [ { - "id": "control-1083-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "DBMS software is configured according to vendor guidance." } ] }, { - "id": "control-0240", - "title": "Paging and message services", + "id": "control-1247", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." 
} ] }, { - "id": "control-0866", - "title": "Using mobile devices in public spaces", + "id": "control-1249", + "title": "Restricting privileges", "parts": [ { - "id": "control-0866-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] }, { - "id": "control-1145", - "title": "Using mobile devices in public spaces", + "id": "control-1250", + "title": "Restricting privileges", "parts": [ { - "id": "control-1145-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." } ] }, { - "id": "control-0871", - "title": "Maintaining control of mobile devices", + "id": "control-1251", + "title": "Restricting privileges", "parts": [ { - "id": "control-0871-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "The ability of DBMS software to read local files from a server is disabled." } ] }, { - "id": "control-0870", - "title": "Maintaining control of mobile devices", + "id": "control-1260", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0870-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." 
} ] }, { - "id": "control-1084", - "title": "Carrying mobile devices", + "id": "control-1262", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1084-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-0701", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1261", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0701-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "Database administrator accounts are not shared across different databases." } ] }, { - "id": "control-0702", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1263", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0702-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." 
} ] }, { - "id": "control-1298", - "title": "Before travelling overseas with mobile devices", + "id": "control-1264", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1298-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ + { + "id": "system_owners", + "title": "System owners", + "controls": [ { - "id": "control-1554", - "title": "Before travelling overseas with mobile devices", + "id": "control-1071", + "title": "System ownership", "parts": [ { - "id": "control-1554-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "Each system has a designated system owner." 
} ] }, { - "id": "control-1555", - "title": "Before travelling overseas with mobile devices", + "id": "control-1525", + "title": "Responsibilities", "parts": [ { - "id": "control-1555-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." + "prose": "System owners register each system with the system’s authorising officer." } ] }, { - "id": "control-1299", - "title": "While travelling overseas with mobile devices", + "id": "control-0027", + "title": "Responsibilities", "parts": [ { - "id": "control-1299-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign 
telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." } ] }, { - "id": "control-1088", - "title": "While travelling overseas with mobile devices", + "id": "control-1526", + "title": "Responsibilities", "parts": [ { - "id": "control-1088-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." + "prose": "System owners monitor security risks and the effectiveness of security controls for each system." 
} ] - }, + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ { - "id": "control-1300", - "title": "After travelling overseas with mobile devices", + "id": "control-0714", + "title": "Cyber security leadership", "parts": [ { - "id": "control-1300-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." + "prose": "A CISO is appointed to provide cyber security leadership for their organisation." } ] }, { - "id": "control-1556", - "title": "After travelling overseas with mobile devices", + "id": "control-1478", + "title": "Responsibilities", "parts": [ { - "id": "control-1556-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_data_transfers", + "title": "Guidelines for Data Transfers", + "groups": [ { - "id": "mobile_device_management", - "title": "Mobile device management", + "id": "data_transfers", + "title": "Data transfers", "controls": [ { - "id": "control-1533", - "title": "Mobile device management policy", + "id": "control-0663", + "title": "Data transfer process and procedures", "parts": [ { - "id": "control-1533-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-1195", - "title": "Mobile device management policy", + "id": "control-0661", + "title": "User responsibilities", "parts": [ { - "id": "control-1195-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." } ] }, { - "id": "control-0687", - "title": "Mobile device management policy", + "id": "control-0665", + "title": "Trusted sources", "parts": [ { - "id": "control-0687-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." 
} ] }, { - "id": "control-1400", - "title": "Privately-owned mobile devices", + "id": "control-0664", + "title": "Data transfer approval", "parts": [ { - "id": "control-1400-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." } ] }, { - "id": "control-0694", - "title": "Privately-owned mobile devices", + "id": "control-0675", + "title": "Data transfer approval", "parts": [ { - "id": "control-0694-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems." + "prose": "A trusted source signs all data authorised for export from a system." } ] }, { - "id": "control-1297", - "title": "Seeking legal advice for privately-owned mobile devices", + "id": "control-0657", + "title": "Import of data", "parts": [ { - "id": "control-1297-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "Prior to allowing privately-owned mobile devices to connect to an organisation’s systems, legal advice is sought." + "prose": "Data imported to a system is scanned for malicious and active content." } ] }, { - "id": "control-1482", - "title": "Organisation-owned mobile devices", + "id": "control-0658", + "title": "Import of data", "parts": [ { - "id": "control-1482-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." 
+ "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." } ] }, { - "id": "control-0869", - "title": "Mobile device storage encryption", + "id": "control-1187", + "title": "Export of data", "parts": [ { - "id": "control-0869-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "When exporting data, protective marking checks are undertaken." } ] }, { - "id": "control-1085", - "title": "Mobile device communications encryption", + "id": "control-0669", + "title": "Export of data", "parts": [ { - "id": "control-1085-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." } ] }, { - "id": "control-1202", - "title": "Mobile device Bluetooth functionality", + "id": "control-1535", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1202-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." 
+ "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-0682", - "title": "Mobile device Bluetooth functionality", + "id": "control-0678", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-0682-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." + "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." } ] }, { - "id": "control-1196", - "title": "Mobile device Bluetooth pairing", + "id": "control-1294", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1196-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "When importing data to a system, data transfer logs are partially audited at least monthly." } ] }, { - "id": "control-1200", - "title": "Mobile device Bluetooth pairing", + "id": "control-0660", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1200-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "When importing data to a system, data transfer logs are fully audited at least monthly." 
} ] }, { - "id": "control-1198", - "title": "Mobile device Bluetooth pairing", + "id": "control-1295", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1198-stmt", + "id": "control-1295-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "When exporting data out of a system, data transfer logs are partially audited at least monthly." } ] }, { - "id": "control-1199", - "title": "Mobile device Bluetooth pairing", + "id": "control-0673", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1199-stmt", + "id": "control-0673-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." + "prose": "When exporting data out of a system, data transfer logs are fully audited at least monthly." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_email_management", + "title": "Guidelines for Email Management", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ + { + "id": "control-0569", + "title": "Centralised email gateways", + "parts": [ + { + "id": "control-0569-stmt", + "name": "statement", + "prose": "Email is routed through a centralised email gateway." } ] }, { - "id": "control-0863", - "title": "Configuration control", + "id": "control-0571", + "title": "Centralised email gateways", "parts": [ { - "id": "control-0863-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." 
} ] }, { - "id": "control-0864", - "title": "Configuration control", + "id": "control-0570", + "title": "Email gateway maintenance activities", "parts": [ { - "id": "control-0864-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." } ] }, { - "id": "control-1365", - "title": "Maintaining mobile device security", + "id": "control-0567", + "title": "Open relay email servers", "parts": [ { - "id": "control-1365-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-1366", - "title": "Maintaining mobile device security", + "id": "control-0572", + "title": "Email server transport encryption", "parts": [ { - "id": "control-1366-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." } ] }, { - "id": "control-0874", - "title": "Connecting mobile devices to the internet", + "id": "control-0574", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0874-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." 
} ] }, { - "id": "control-0705", - "title": "Connecting mobile devices to the internet", + "id": "control-1183", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0705-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "A hard fail SPF record is used when specifying email servers." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", - "groups": [ - { - "id": "cable_labelling_and_registration", - "title": "Cable labelling and registration", - "controls": [ + }, { - "id": "control-0201", - "title": "Conduit label specifications", + "id": "control-1151", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0201-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." + "prose": "SPF is used to verify the authenticity of incoming emails." } ] }, { - "id": "control-0202", - "title": "Conduit label specifications", + "id": "control-1152", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0202-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." } ] }, { - "id": "control-0203", - "title": "Conduit label specifications", + "id": "control-0861", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0203-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." 
+ "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-0204", - "title": "Installing conduit labelling", + "id": "control-1026", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0204-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." + "prose": "DKIM signatures on received emails are verified." } ] }, { - "id": "control-1095", - "title": "Labelling wall outlet boxes", + "id": "control-1027", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1095-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." } ] }, { - "id": "control-1096", - "title": "Labelling cables", + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", "parts": [ { - "id": "control-1096-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] }, { - "id": "control-0206", - "title": "Cable labelling process and procedures", + "id": "control-1234", + "title": "Email content filtering", "parts": [ { - "id": "control-0206-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." 
+ "prose": "Email content filtering controls are implemented for email bodies and attachments." } ] }, { - "id": "control-0208", - "title": "Cable register", + "id": "control-1502", + "title": "Blocking suspicious emails", "parts": [ { - "id": "control-0208-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." } ] }, { - "id": "control-0211", - "title": "Cable inspections", + "id": "control-1024", + "title": "Undeliverable messages", "parts": [ { - "id": "control-0211-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "Cables are inspected for inconsistencies with the cable register at least annually." + "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." } ] } ] }, { - "id": "cable_patching", - "title": "Cable patching", + "id": "email_usage", + "title": "Email usage", "controls": [ { - "id": "control-0213", - "title": "Terminations to patch panels", + "id": "control-0264", + "title": "Email usage policy", "parts": [ { - "id": "control-0213-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "Only approved cable groups terminate on a patch panel." + "prose": "An email usage policy is developed and implemented." 
} ] }, { - "id": "control-1093", - "title": "Patch cable and fly lead connectors", + "id": "control-0267", + "title": "Webmail services", "parts": [ { - "id": "control-1093-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." + "prose": "Access to non-approved webmail services is blocked." } ] }, { - "id": "control-0214", - "title": "Patch cable and fly lead connectors", + "id": "control-0270", + "title": "Protective markings for emails", "parts": [ { - "id": "control-0214-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." } ] }, { - "id": "control-1094", - "title": "Patch cable and fly lead connectors", + "id": "control-0271", + "title": "Protective marking tools", "parts": [ { - "id": "control-1094-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." + "prose": "Protective marking tools do not automatically insert protective markings into emails." } ] }, { - "id": "control-0216", - "title": "Physical separation of patch panels", + "id": "control-0272", + "title": "Protective marking tools", "parts": [ { - "id": "control-0216-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." 
+ "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." } ] }, { - "id": "control-0217", - "title": "Physical separation of patch panels", + "id": "control-1089", + "title": "Protective marking tools", "parts": [ { - "id": "control-0217-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." } ] }, { - "id": "control-0218", - "title": "Fly lead installation", - "parts": [ - { - "id": "control-0218-stmt", - "name": "statement", - "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." 
- } - ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ - { - "id": "control-0247", - "title": "Emanation security threat assessments in Australia", + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0247-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." } ] }, { - "id": "control-0248", - "title": "Emanation security threat assessments in Australia", + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0248-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." 
} ] }, { - "id": "control-1137", - "title": "Emanation security threat assessments in Australia", + "id": "control-0269", + "title": "Email distribution lists", "parts": [ { - "id": "control-1137-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Emails containing AUSTEO or AGAO information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." } ] }, { - "id": "control-0932", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1539", + "title": "Email distribution lists", "parts": [ { - "id": "control-0932-stmt", + "id": "control-1539-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-0249", - "title": "Emanation security threat assessments outside Australia", + "id": "control-0039", + "title": "Cyber security strategy", "parts": [ { - "id": "control-0249-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-0246", - "title": "Early identification of emanation security issues", + "id": "control-0047", + "title": "Approval of security documentation", "parts": [ { - "id": "control-0246-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." } ] }, { - "id": "control-0250", - "title": "Industry and government standards", + "id": "control-0888", + "title": "Maintenance of security documentation", "parts": [ { - "id": "control-0250-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." 
+ "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." } ] } ] }, { - "id": "cable_management", - "title": "Cable management", + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", "controls": [ { - "id": "control-0181", - "title": "Cable standards", - "parts": [ - { - "id": "control-0181-stmt", - "name": "statement", - "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." - } - ] - }, - { - "id": "control-0926", - "title": "Cable colours", + "id": "control-0041", + "title": "System security plan", "parts": [ { - "id": "control-0926-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-0825", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-0043", + "title": "Incident response plan", "parts": [ { - "id": "control-0825-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." 
+ "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." } ] }, { - "id": "control-0826", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-1163", + "title": "Continuous monitoring plan", "parts": [ { - "id": "control-0826-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." + "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." 
} ] }, { - "id": "control-1215", - "title": "Cable colour non-conformance", + "id": "control-1563", + "title": "Security assessment report", "parts": [ { - "id": "control-1215-stmt", + "id": "control-1563-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." } ] }, { - "id": "control-1216", - "title": "Cable colour non-conformance", + "id": "control-1564", + "title": "Plan of action and milestones", "parts": [ { - "id": "control-1216-stmt", + "id": "control-1564-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", + "groups": [ + { + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", + "controls": [ { - "id": "control-1112", - "title": "Inspecting cables", + "id": "control-0252", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1112-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." 
+ "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." } ] }, { - "id": "control-1118", - "title": "Inspecting cables", + "id": "control-1565", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1118-stmt", + "id": "control-1565-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Tailored privileged user training is undertaken annually by all privileged users." } ] }, { - "id": "control-1119", - "title": "Inspecting cables", + "id": "control-0817", + "title": "Reporting suspicious contact via online services", "parts": [ { - "id": "control-1119-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, - { - "id": "control-1126", - "title": "Inspecting cables", + { + "id": "control-0820", + "title": "Posting work information to online services", "parts": [ { - "id": "control-1126-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." 
} ] }, { - "id": "control-0184", - "title": "Inspecting cables", + "id": "control-1146", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0184-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." } ] }, { - "id": "control-0187", - "title": "Cable groupings", + "id": "control-0821", + "title": "Posting personal information to online services", "parts": [ { - "id": "control-0187-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." + "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." } ] }, { - "id": "control-1111", - "title": "Use of fibre-optic cables", + "id": "control-0824", + "title": "Sending and receiving files via online services", "parts": [ { - "id": "control-1111-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." } ] - }, + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ { - "id": "control-0189", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-0432", + "title": "System access requirements", "parts": [ { - "id": "control-0189-stmt", + "id": "control-0432-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." 
+ "prose": "Each system’s system security plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources." } ] }, { - "id": "control-0190", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-0434", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-0190-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." } ] }, { - "id": "control-1114", - "title": "Cables sharing a common reticulation system", + "id": "control-0435", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1114-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] }, { - "id": "control-1130", - "title": "Enclosed cable reticulation systems", + "id": "control-0414", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1130-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." 
} ] }, { - "id": "control-1164", - "title": "Covers for enclosed cable reticulation systems", + "id": "control-0415", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1164-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-0195", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-0975", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-0195-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." + "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0194", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-0420", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-0194-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." 
} ] }, { - "id": "control-1102", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1538", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1102-stmt", + "id": "control-1538-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1101", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-0405", + "title": "Standard access to systems", "parts": [ { - "id": "control-1101-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-1103", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1503", + "title": "Standard access to systems", "parts": [ { - "id": "control-1103-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." 
} ] }, { - "id": "control-1098", - "title": "Terminating cables in cabinets", + "id": "control-1566", + "title": "Standard access to systems", "parts": [ { - "id": "control-1098-stmt", + "id": "control-1566-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." + "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-1100", - "title": "Terminating cables in cabinets", + "id": "control-0409", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-1100-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-1116", - "title": "Cabinet separation", + "id": "control-0411", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-1116-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." 
} ] }, { - "id": "control-1115", - "title": "Cables in walls", + "id": "control-0816", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-1115-stmt", + "id": "control-0816-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." } ] }, { - "id": "control-1133", - "title": "Cables in party walls", + "id": "control-1507", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1133-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in a party wall." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-1122", - "title": "Wall penetrations", + "id": "control-1508", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1122-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." 
} ] }, { - "id": "control-1134", - "title": "Wall penetrations", + "id": "control-0445", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1134-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." } ] }, { - "id": "control-1104", - "title": "Wall outlet boxes", + "id": "control-1509", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1104-stmt", + "id": "control-1509-stmt", "name": "statement", - "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-1105", - "title": "Wall outlet boxes", + "id": "control-1175", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1105-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." } ] }, { - "id": "control-1106", - "title": "Wall outlet boxes", + "id": "control-0448", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1106-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." 
+ "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." } ] }, { - "id": "control-1107", - "title": "Wall outlet box colours", + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1107-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." } ] }, { - "id": "control-1109", - "title": "Wall outlet box covers", + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1109-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." } ] }, { - "id": "control-0198", - "title": "Audio secure spaces", + "id": "control-1545", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0198-stmt", + "id": "control-1545-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." 
} ] }, { - "id": "control-1123", - "title": "Power reticulation", + "id": "control-0430", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1123-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." } ] }, { - "id": "control-1135", - "title": "Power reticulation", + "id": "control-1404", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0336", - "title": "ICT equipment and media register", + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", "parts": [ { - "id": "control-0336-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." 
+ "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." } ] }, { - "id": "control-0159", - "title": "ICT equipment and media register", + "id": "control-0441", + "title": "Temporary access to systems", "parts": [ { - "id": "control-0159-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." } ] }, { - "id": "control-0161", - "title": "Securing ICT equipment and media", + "id": "control-0443", + "title": "Temporary access to systems", "parts": [ { - "id": "control-0161-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." } ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Radio Frequency devices", + "id": "control-0078", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1543-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." 
+ "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." } ] }, { - "id": "control-0225", - "title": "Radio Frequency devices", + "id": "control-0854", + "title": "Control of Australian systems", "parts": [ { - "id": "control-0225-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", + "groups": [ + { + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", + "controls": [ { - "id": "control-0829", - "title": "Radio Frequency devices", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", "parts": [ { - "id": "control-0829-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-1058", - "title": "Bluetooth and wireless keyboards", + "id": "control-0546", + "title": "Video and voice-aware firewalls", "parts": [ { - "id": "control-1058-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." 
} ] }, { - "id": "control-0222", - "title": "Infrared keyboards", + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", "parts": [ { - "id": "control-0222-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + "prose": "Video conferencing and IP telephony signalling and data is encrypted." } ] }, { - "id": "control-0223", - "title": "Infrared keyboards", + "id": "control-0548", + "title": "Establishment of secure signalling and data protocols", "parts": [ { - "id": "control-0223-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-0224", - "title": "Infrared keyboards", + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0224-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." 
+ "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-0221", - "title": "Wireless RF pointing devices", + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0221-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." } ] - } - ] - }, - { - "id": "facilities_and_systems", - "title": "Facilities and systems", - "controls": [ + }, { - "id": "control-0810", - "title": "Facilities containing systems", + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0810-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-1053", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1053-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." 
+ "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." } ] }, { - "id": "control-1530", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1530-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "Individual logins are used for IP phones." } ] }, { - "id": "control-0813", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0549", + "title": "Traffic separation", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." } ] }, { - "id": "control-1074", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0556", + "title": "Traffic separation", "parts": [ { - "id": "control-1074-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." 
+ "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-0157", - "title": "Network infrastructure", + "id": "control-1015", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0157-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." + "prose": "Traditional analog phones are used in public areas." } ] }, { - "id": "control-1296", - "title": "Controlling physical access to network devices", + "id": "control-0558", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] }, { - "id": "control-0164", - "title": "Preventing observation by unauthorised people", + "id": "control-0559", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0164-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_data_transfers", - "title": "Guidelines for Data Transfers", - "groups": [ - { - "id": "data_transfers", - "title": "Data transfers", - "controls": [ + }, { - "id": "control-0663", - "title": "Data transfer process and procedures", + "id": "control-1450", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0663-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." } ] }, { - "id": "control-0661", - "title": "User responsibilities", + "id": "control-1019", + "title": "Developing a denial of service response plan", "parts": [ { - "id": "control-0661-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." } ] - }, + } + ] + }, + { + "id": "telephone_systems", + "title": "Telephone systems", + "controls": [ { - "id": "control-0665", - "title": "Trusted sources", + "id": "control-1078", + "title": "Telephone systems usage policy", "parts": [ { - "id": "control-0665-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." + "prose": "A telephone systems usage policy is developed and implemented." 
} ] }, { - "id": "control-0664", - "title": "Data transfer approval", + "id": "control-0229", + "title": "Personnel awareness", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-0675", - "title": "Data transfer approval", + "id": "control-0230", + "title": "Personnel awareness", "parts": [ { - "id": "control-0675-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "A trusted source signs all data authorised for export from a system." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." } ] }, { - "id": "control-0657", - "title": "Import of data", + "id": "control-0231", + "title": "Visual indication", "parts": [ { - "id": "control-0657-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-0658", - "title": "Import of data", + "id": "control-0232", + "title": "Protecting conversations", "parts": [ { - "id": "control-0658-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." 
} ] }, { - "id": "control-1187", - "title": "Export of data", + "id": "control-0233", + "title": "Cordless telephone systems", "parts": [ { - "id": "control-1187-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." } ] }, { - "id": "control-0669", - "title": "Export of data", + "id": "control-0235", + "title": "Speakerphones", "parts": [ { - "id": "control-0669-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." + "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-1535", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0236", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-1535-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." 
} ] }, { - "id": "control-0678", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0931", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0678-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." } ] }, { - "id": "control-1294", - "title": "Monitoring data import and export", + "id": "control-0237", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-1294-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "When importing data to a system, data transfer logs are partially audited at least monthly." + "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." } ] - }, + } + ] + }, + { + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", + "controls": [ { - "id": "control-0660", - "title": "Monitoring data import and export", + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", "parts": [ { - "id": "control-0660-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "When importing data to a system, data transfer logs are fully audited at least monthly." + "prose": "A fax machine and MFD usage policy is developed and implemented." 
} ] }, { - "id": "control-1295", - "title": "Monitoring data import and export", + "id": "control-1092", + "title": "Sending fax messages", "parts": [ { - "id": "control-1295-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "When exporting data out of a system, data transfer logs are partially audited at least monthly." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." } ] }, { - "id": "control-0673", - "title": "Monitoring data import and export", + "id": "control-0241", + "title": "Sending fax messages", "parts": [ { - "id": "control-0673-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "When exporting data out of a system, data transfer logs are fully audited at least monthly." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment_management", - "title": "Guidelines for ICT Equipment Management", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1075", + "title": "Receiving fax messages", "parts": [ { - "id": "control-0313-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." 
} ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0590", + "title": "Connecting multifunction devices to networks", "parts": [ { - "id": "control-1550-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." } ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", "parts": [ { - "id": "control-0311-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." + "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0589", + "title": "Copying documents on multifunction devices", "parts": [ { - "id": "control-1217-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." 
} ] }, { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ { - "id": "control-0315", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1510", + "title": "Digital preservation policy", "parts": [ { - "id": "control-0315-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-1218", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-1218-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." 
} ] }, { - "id": "control-0312", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." } ] }, { - "id": "control-0317", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1511", + "title": "Performing backups", "parts": [ { - "id": "control-0317-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] }, { - "id": "control-1219", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1512", + "title": "Backup storage", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." 
} ] }, { - "id": "control-1220", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1513", + "title": "Backup storage", "parts": [ { - "id": "control-1220-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "Backups are stored at a multiple geographically-dispersed locations." } ] }, { - "id": "control-1221", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1514", + "title": "Retention periods for backups", "parts": [ { - "id": "control-1221-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Backups are stored for three months or greater." } ] }, { - "id": "control-0318", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1515", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-0318-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1534", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1516", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-1534-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." 
} ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-1076", - "title": "Sanitising televisions and computer monitors", + "id": "control-1211", + "title": "Change management process and procedures", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." } ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-1222", - "title": "Sanitising televisions and computer monitors", + "id": "control-0042", + "title": "System administration process and procedures", "parts": [ { - "id": "control-1222-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." 
} ] }, { - "id": "control-1223", - "title": "Sanitising network devices", + "id": "control-1380", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1223-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] }, - { - "id": "control-1225", - "title": "Sanitising fax machines", + { + "id": "control-1382", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1225-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." } ] }, { - "id": "control-1226", - "title": "Sanitising fax machines", + "id": "control-1381", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1226-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." 
} ] - } - ] - }, - { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", - "controls": [ + }, { - "id": "control-1079", - "title": "Maintenance and repairs of high assurance ICT equipment", + "id": "control-1383", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1079-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." } ] }, { - "id": "control-0305", - "title": "On-site maintenance and repairs", + "id": "control-1384", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-0305-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "Multi-factor authentication is used to authenticate users each time they perform privileged actions." } ] }, { - "id": "control-0307", - "title": "On-site maintenance and repairs", + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", "parts": [ { - "id": "control-0307-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." 
} ] }, { - "id": "control-0306", - "title": "On-site maintenance and repairs", + "id": "control-1386", + "title": "Restriction of management traffic flows", "parts": [ { - "id": "control-0306-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-0310", - "title": "Off-site maintenance and repairs", + "id": "control-1387", + "title": "Jump servers", "parts": [ { - "id": "control-0310-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." + "prose": "All administrative actions are conducted through a jump server." } ] }, { - "id": "control-0944", - "title": "Maintenance and repair of ICT equipment from secured spaces", + "id": "control-1388", + "title": "Jump servers", "parts": [ { - "id": "control-0944-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." 
} ] } ] }, { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", + "id": "system_patching", + "title": "System patching", "controls": [ { - "id": "control-1551", - "title": "ICT equipment management policy", + "id": "control-1143", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1551-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-0293", - "title": "Classifying ICT equipment", + "id": "control-1493", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-0293-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." } ] }, { - "id": "control-0294", - "title": "Labelling ICT equipment", + "id": "control-1144", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0294-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-0296", - "title": "Labelling high assurance ICT equipment", - "parts": [ - { - "id": "control-0296-stmt", - "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ - { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", - "controls": [ - { - "id": "control-0714", - "title": "Cyber security leadership", + "id": "control-0940", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0714-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership for their organisation." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1478", - "title": "Responsibilities", + "id": "control-1472", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ + }, { - "id": "control-1071", - "title": "System ownership", + "id": "control-1494", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1525", - "title": "Responsibilities", + "id": "control-1495", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "System owners register each system with the system’s authorising officer." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0027", - "title": "Responsibilities", + "id": "control-1496", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." + "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-1526", - "title": "Responsibilities", + "id": "control-0300", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1526-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "System owners monitor security risks and the effectiveness of security controls for each system." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ - { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", - "controls": [ + }, { - "id": "control-0100", - "title": "Outsourced gateway services", + "id": "control-0298", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-0100-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program assessors at least every two years." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-1395", - "title": "Using outsourced information technology and cloud services", + "id": "control-0303", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1395-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "If using an outsourced information technology or cloud service, the service provider provides an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1529", - "title": "Using outsourced information technology and cloud services", + "id": "control-1497", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "If using outsourced cloud services for highly classified information, public clouds are not used." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-0873", - "title": "Foreign owned service providers and offshore services", + "id": "control-1498", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-0873-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "If using an outsourced information technology or cloud service, a service provider whose systems are located in Australia is used." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." } ] }, { - "id": "control-0072", - "title": "Contractual arrangements", + "id": "control-1499", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-0072-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Any security controls associated with the protection of information entrusted to a service provider are documented in contract provisions, a memorandum of understanding or an equivalent formal agreement between parties." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1073", - "title": "Contractual arrangements", + "id": "control-1500", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1073-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider from outside Australian borders unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1451", - "title": "Data ownership", + "id": "control-0304", + "title": "Cessation of support", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "When entering into a contractual arrangement for outsourced information technology or cloud services, contractual ownership over an organisation’s data is explicitly retained." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] }, { - "id": "control-1452", - "title": "Cyber supply chain risk management", + "id": "control-1501", + "title": "Cessation of support", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "A review of suppliers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } 
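Review bot: The hunk pairs unrelated controls as if one were edited into the other (`- "id": "control-1551"` / `+ "id": "control-1143"`, the removed `guidelines_for_cyber_security_roles` and `guidelines_for_outsourcing` groups against added `system_patching` controls), which means the regenerated catalog emits groups in a different order from the committed file rather than changing control content, and a reviewer cannot tell from this diff whether any statement prose actually changed. Suggest sorting groups and controls deterministically in the generator (or preserving the committed order) before regenerating, so that only intended content changes show up. Also worth confirming as intended: the new titles are section headings rather than per-control titles, so control-1143 and control-1493 both carry "Patch management process and procedures" and seven consecutive controls (control-1144 through control-0300) all carry "When to patch security vulnerabilities".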
diff --git a/ISM_catalog_profile/catalogs/ISM_March_2020/catalog.json b/ISM_catalog_profile/catalogs/ISM_March_2020/catalog.json index b178fb3..83316e5 100644 --- a/ISM_catalog_profile/catalogs/ISM_March_2020/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_March_2020/catalog.json 
@@ -1,748 +1,759 @@ { "catalog": { - "uuid": "ba6d5d7a-d6e8-49f0-80cd-22d07cc9fa8f", + "uuid": "68021ed1-40dd-45f6-94a0-57350df0e26f", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:21:18.413+00:00", + "last-modified": "2022-04-28T11:45:31.575574+10:00", "version": "March_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "vulnerability_management", + "title": "Vulnerability management", "controls": [ { - "id": "control-0042", - "title": "System administration", + "id": "control-1163", + "title": "Vulnerability management", "parts": [ { - "id": "control-0042-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "A vulnerability management policy is developed and implemented that includes:\n§ conducting vulnerability assessments and penetration tests for systems throughout their life cycle to identify security vulnerabilities\n§ analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n§ using a risk-based approach to prioritise the implementation of identified mitigations." 
} ] }, { - "id": "control-1380", - "title": "System administration", + "id": "control-0911", + "title": "Vulnerability management", "parts": [ { - "id": "control-1380-stmt", + "id": "control-0911-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "Vulnerability assessments and penetration tests are conducted by suitably skilled personnel before a system is deployed, after a significant change to a system, and at least annually or as specified by the system owner." } ] - }, + } + ] + }, + { + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", + "controls": [ { - "id": "control-1382", - "title": "System administration", + "id": "control-0580", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1381", - "title": "System administration", + "id": "control-1405", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1381-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1383", - "title": "System administration", + "id": "control-0988", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1384", - "title": "System administration", + "id": "control-0584", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1384-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate users each time they perform privileged actions." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1385", - "title": "System administration", + "id": "control-0582", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1385-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for operating systems:\n§ access to important data and processes\n§ application crashes and any error messages\n§ attempts to use special privileges\n§ changes to accounts\n§ changes to security policy\n§ changes to system configurations\n§ Domain Name System (DNS) and Hypertext Transfer Protocol requests\n§ failed attempts to access data and system resources\n§ service failures and restarts\n§ system startup and shutdown\n§ transfer of data to external media\n§ user or group management\n§ use of special privileges." 
} ] }, { - "id": "control-1386", - "title": "System administration", + "id": "control-1536", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1386-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "The following events are logged for web applications:\n§ attempted access that is denied\n§ crashes and any error messages\n§ search queries initiated by users." } ] }, { - "id": "control-1387", - "title": "System administration", + "id": "control-1537", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1387-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "The following events are logged for databases:\n§ access to particularly important information\n§ addition of new users, especially privileged users\n§ any query containing comments\n§ any query containing multiple embedded queries\n§ any query or database alerts or failures\n§ attempts to elevate privileges\n§ attempted access that is successful or unsuccessful\n§ changes to the database structure\n§ changes to user roles or database permissions\n§ database administrator actions\n§ database logons and logoffs\n§ modifications to data\n§ use of executable commands." } ] }, { - "id": "control-1388", - "title": "System administration", + "id": "control-0585", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management", + "id": "control-0586", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n§ identification and documentation of requests for change\n§ approval required for changes to be made\n§ implementation and testing of approved changes\n§ the maintenance of system and security documentation." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "System patching", + "id": "control-0859", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] }, { - "id": "control-1493", - "title": "System patching", + "id": "control-0991", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1493-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] }, { - "id": "control-1144", - "title": "System patching", + "id": "control-0109", + "title": "Event logging and auditing", "parts": [ { - "id": "control-1144-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-0940", - "title": "System patching", + "id": "control-1228", + "title": "Event logging and auditing", "parts": [ { - "id": "control-0940-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media_management", + "title": "Guidelines for Media Management", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-1472", - "title": "System patching", + "id": "control-0363", + "title": "Media destruction", "parts": [ { - "id": "control-1472-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-1494", - "title": "System patching", + "id": "control-0350", + "title": "Media destruction", "parts": [ { - "id": "control-1494-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n§ microfiche and microfilm\n§ optical discs\n§ programmable read-only memory\n§ read-only memory\n§ other types of media that cannot be sanitised\n§ faulty media that cannot be successfully sanitised." 
} ] }, { - "id": "control-1495", - "title": "System patching", + "id": "control-1361", + "title": "Media destruction", "parts": [ { - "id": "control-1495-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "SCEC or ASIO approved equipment is used when destroying media." } ] }, { - "id": "control-1496", - "title": "System patching", + "id": "control-1160", + "title": "Media destruction", "parts": [ { - "id": "control-1496-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency or certified by the United Kingdom’s National Cyber Security Centre are used." } ] }, { - "id": "control-0300", - "title": "System patching", + "id": "control-1517", + "title": "Media destruction", "parts": [ { - "id": "control-0300-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." 
} ] }, { - "id": "control-0298", - "title": "System patching", + "id": "control-0366", + "title": "Media destruction", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." } ] }, { - "id": "control-0303", - "title": "System patching", + "id": "control-0368", + "title": "Media destruction", "parts": [ { - "id": "control-0303-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." } ] }, { - "id": "control-1497", - "title": "System patching", + "id": "control-0361", + "title": "Media destruction", "parts": [ { - "id": "control-1497-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." } ] }, { - "id": "control-1498", - "title": "System patching", + "id": "control-0838", + "title": "Media destruction", "parts": [ { - "id": "control-1498-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." 
+ "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." } ] }, { - "id": "control-1499", - "title": "System patching", + "id": "control-0362", + "title": "Media destruction", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." } ] }, { - "id": "control-1500", - "title": "System patching", + "id": "control-0370", + "title": "Media destruction", "parts": [ { - "id": "control-1500-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-0304", - "title": "System patching", + "id": "control-0371", + "title": "Media destruction", "parts": [ { - "id": "control-0304-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." 
} ] }, { - "id": "control-1501", - "title": "System patching", + "id": "control-0372", + "title": "Media destruction", "parts": [ { - "id": "control-1501-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." } ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ + }, { - "id": "control-1510", - "title": "Data backup and restoration", + "id": "control-0373", + "title": "Media destruction", "parts": [ { - "id": "control-1510-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." } ] }, { - "id": "control-1547", - "title": "Data backup and restoration", + "id": "control-0840", + "title": "Media destruction", "parts": [ { - "id": "control-1547-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." 
} ] }, { - "id": "control-1548", - "title": "Data backup and restoration", + "id": "control-0839", + "title": "Media destruction", "parts": [ { - "id": "control-1548-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + } + ] + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ + { + "id": "control-0374", + "title": "Media disposal", + "parts": [ + { + "id": "control-0374-stmt", + "name": "statement", + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." } ] }, { - "id": "control-1511", - "title": "Data backup and restoration", + "id": "control-0375", + "title": "Media disposal", "parts": [ { - "id": "control-1511-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1512", - "title": "Data backup and restoration", + "id": "control-0378", + "title": "Media disposal", "parts": [ { - "id": "control-1512-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." 
+ } + ] + } + ] + }, + { + "id": "media_usage", + "title": "Media usage", + "controls": [ + { + "id": "control-1549", + "title": "Media usage", + "parts": [ + { + "id": "control-1549-stmt", + "name": "statement", + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-1513", - "title": "Data backup and restoration", + "id": "control-1359", + "title": "Media usage", "parts": [ { - "id": "control-1513-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." + "prose": "A removable media usage policy is developed and implemented." } ] }, { - "id": "control-1514", - "title": "Data backup and restoration", + "id": "control-0323", + "title": "Media usage", "parts": [ { - "id": "control-1514-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." } ] }, { - "id": "control-1515", - "title": "Data backup and restoration", + "id": "control-0325", + "title": "Media usage", "parts": [ { - "id": "control-1515-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." 
} ] }, { - "id": "control-1516", - "title": "Data backup and restoration", + "id": "control-0331", + "title": "Media usage", "parts": [ { - "id": "control-1516-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email_management", - "title": "Guidelines for Email Management", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage", + "id": "control-0330", + "title": "Media usage", "parts": [ { - "id": "control-0264-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." } ] }, { - "id": "control-0267", - "title": "Email usage", + "id": "control-0332", + "title": "Media usage", "parts": [ { - "id": "control-0267-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
} ] }, { - "id": "control-0270", - "title": "Email usage", + "id": "control-0337", + "title": "Media usage", "parts": [ { - "id": "control-0270-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." } ] }, { - "id": "control-0271", - "title": "Email usage", + "id": "control-0341", + "title": "Media usage", "parts": [ { - "id": "control-0271-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." } ] }, { - "id": "control-0272", - "title": "Email usage", + "id": "control-0342", + "title": "Media usage", "parts": [ { - "id": "control-0272-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-1089", - "title": "Email usage", + "id": "control-0343", + "title": "Media usage", "parts": [ { - "id": "control-1089-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." 
} ] }, { - "id": "control-0565", - "title": "Email usage", + "id": "control-0345", + "title": "Media usage", "parts": [ { - "id": "control-0565-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." + "prose": "External interface connections that allow DMA are disabled." } ] }, { - "id": "control-1023", - "title": "Email usage", + "id": "control-0831", + "title": "Media usage", "parts": [ { - "id": "control-1023-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." } ] }, { - "id": "control-0269", - "title": "Email usage", + "id": "control-1059", + "title": "Media usage", "parts": [ { - "id": "control-0269-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "Emails containing AUSTEO or AGAO information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1539", - "title": "Email usage", + "id": "control-0347", + "title": "Media usage", "parts": [ { - "id": "control-1539-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." 
} ] } ] }, { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", + "id": "media_sanitisation", + "title": "Media sanitisation", "controls": [ { - "id": "control-0569", - "title": "Email gateways and servers", + "id": "control-0348", + "title": "Media sanitisation", "parts": [ { - "id": "control-0569-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0571", - "title": "Email gateways and servers", + "id": "control-0351", + "title": "Media sanitisation", "parts": [ { - "id": "control-0571-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0570", - "title": "Email gateways and servers", + "id": "control-0352", + "title": "Media sanitisation", "parts": [ { - "id": "control-0570-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." 
} ] }, { - "id": "control-0567", - "title": "Email gateways and servers", + "id": "control-0835", + "title": "Media sanitisation", "parts": [ { - "id": "control-0567-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." - } - ] - }, - { - "id": "control-0572", - "title": "Email gateways and servers", - "parts": [ - { - "id": "control-0572-stmt", - "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-0574", - "title": "Email gateways and servers", + "id": "control-1065", + "title": "Media sanitisation", "parts": [ { - "id": "control-0574-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." + "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-1183", - "title": "Email gateways and servers", + "id": "control-0354", + "title": "Media sanitisation", "parts": [ { - "id": "control-1183-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." + "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1151", - "title": "Email gateways and servers", + "id": "control-1067", + "title": "Media sanitisation", "parts": [ { - "id": "control-1151-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." } ] }, { - "id": "control-1152", - "title": "Email gateways and servers", + "id": "control-0356", + "title": "Media sanitisation", "parts": [ { - "id": "control-1152-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-0861", - "title": "Email gateways and servers", + "id": "control-0357", + "title": "Media sanitisation", "parts": [ { - "id": "control-0861-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1026", - "title": "Email gateways and servers", + "id": "control-0836", + "title": "Media sanitisation", "parts": [ { - "id": "control-1026-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." 
+ "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1027", - "title": "Email gateways and servers", + "id": "control-0358", + "title": "Media sanitisation", "parts": [ { - "id": "control-1027-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-1540", - "title": "Email gateways and servers", + "id": "control-0359", + "title": "Media sanitisation", "parts": [ { - "id": "control-1540-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1234", - "title": "Email gateways and servers", + "id": "control-0360", + "title": "Media sanitisation", "parts": [ { - "id": "control-1234-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." } ] }, { - "id": "control-1502", - "title": "Email gateways and servers", + "id": "control-0947", + "title": "Media sanitisation", "parts": [ { - "id": "control-1502-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." 
+ "prose": "All media is sanitised prior to reuse." } ] }, { - "id": "control-1024", - "title": "Email gateways and servers", + "id": "control-1464", + "title": "Media sanitisation", "parts": [ { - "id": "control-1024-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." + "prose": "Where a Consumer Guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the Consumer Guide are followed." } ] } 
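Review bot: the `-`/`+` pairing in this hunk is purely positional, so it cannot show whether the controls it deletes survive elsewhere in the file; the whole `guidelines_for_email_management` group (control-0264 through control-1024, including control-0572 on opportunistic TLS and control-0567 on relaying) and the tail of the backup controls (control-1513 to control-1516) are removed while `media_usage` and `media_sanitisation` are added in their place, and in places two controls are deleted where one is added (control-0567 and control-0572 against control-0835). Please state in the PR description that the catalogs were regenerated with a different group order, and add a check that the set of control ids is unchanged between revisions, for example `jq -r '.. | .id? // empty | select(test("^control-[0-9]+$"))' catalog.json | sort` on both versions and a diff of the two lists; a reorder-only regeneration would ideally be its own commit so that the changes actually needed for trestle 1.0.x stay reviewable.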
@@ -751,1281 +762,1254 @@ ] }, { - "id": "guidelines_for_media_management", - "title": "Guidelines for Media Management", + "id": "guidelines_for_ict_equipment_management", + "title": "Guidelines for ICT Equipment Management", "groups": [ { - "id": "media_destruction", - "title": "Media destruction", + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", "controls": [ { - "id": "control-0363", - "title": "Media destruction", + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0363-stmt", + "id": "control-0313-stmt", "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0350", - "title": "Media destruction", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0350-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n§ microfiche and microfilm\n§ optical discs\n§ programmable read-only memory\n§ read-only memory\n§ other types of media that cannot be sanitised\n§ faulty media that cannot be successfully sanitised." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-1361", - "title": "Media destruction", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1361-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." 
+ "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." } ] }, { - "id": "control-1160", - "title": "Media destruction", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1160-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency or certified by the United Kingdom’s National Cyber Security Centre are used." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." } ] }, { - "id": "control-1517", - "title": "Media destruction", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1517-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-0366", - "title": "Media destruction", + "id": "control-0315", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." 
+ "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-0368", - "title": "Media destruction", + "id": "control-1218", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0368-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." } ] }, { - "id": "control-0361", - "title": "Media destruction", + "id": "control-0312", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0361-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." } ] }, { - "id": "control-0838", - "title": "Media destruction", + "id": "control-0317", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0838-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." 
} ] }, { - "id": "control-0362", - "title": "Media destruction", + "id": "control-1219", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0362-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." } ] }, { - "id": "control-0370", - "title": "Media destruction", + "id": "control-1220", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0370-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." } ] }, { - "id": "control-0371", - "title": "Media destruction", + "id": "control-1221", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0371-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-0372", - "title": "Media destruction", + "id": "control-0318", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." 
+ "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." } ] }, { - "id": "control-0373", - "title": "Media destruction", + "id": "control-1534", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0373-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." } ] }, { - "id": "control-0840", - "title": "Media destruction", + "id": "control-1076", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-0839", - "title": "Media destruction", + "id": "control-1222", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0839-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." 
} ] - } - ] - }, - { - "id": "media_usage", - "title": "Media usage", - "controls": [ + }, { - "id": "control-1549", - "title": "Media usage", + "id": "control-1223", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-1549-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n§ following device-specific guidance provided by the ACSC\n§ following vendor sanitisation guidance\n§ loading a dummy configuration file, performing a factory reset and then reinstalling firmware." } ] }, { - "id": "control-1359", - "title": "Media usage", - "parts": [ + "id": "control-1225", + "title": "ICT equipment sanitisation and disposal", + "parts": [ { - "id": "control-1359-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-0323", - "title": "Media usage", + "id": "control-1226", + "title": "ICT equipment sanitisation and disposal", "parts": [ { - "id": "control-0323-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-0325", - "title": "Media usage", + "id": "control-1079", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0325-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." } ] }, { - "id": "control-0331", - "title": "Media usage", + "id": "control-0305", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0331-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." } ] }, { - "id": "control-0330", - "title": "Media usage", + "id": "control-0307", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0330-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." 
+ "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-0332", - "title": "Media usage", + "id": "control-0306", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0332-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n§ is appropriately cleared and briefed\n§ takes due care to ensure that information is not disclosed\n§ takes all responsible measures to ensure the integrity of the ICT equipment\n§ has the authority to direct the technician\n§ is sufficiently familiar with the ICT equipment to understand the work being performed." } ] }, { - "id": "control-0337", - "title": "Media usage", + "id": "control-0310", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0337-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] }, { - "id": "control-0341", - "title": "Media usage", + "id": "control-0944", + "title": "ICT equipment maintenance and repairs", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." 
+ "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." } ] - }, + } + ] + }, + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ { - "id": "control-0342", - "title": "Media usage", + "id": "control-1551", + "title": "ICT equipment usage", "parts": [ { - "id": "control-0342-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-0343", - "title": "Media usage", + "id": "control-0293", + "title": "ICT equipment usage", "parts": [ { - "id": "control-0343-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." } ] }, { - "id": "control-0345", - "title": "Media usage", + "id": "control-0294", + "title": "ICT equipment usage", "parts": [ { - "id": "control-0345-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "External interface connections that allow DMA are disabled." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
} ] }, { - "id": "control-0831", - "title": "Media usage", + "id": "control-0296", + "title": "ICT equipment usage", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateway_management", + "title": "Guidelines for Gateway Management", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-1059", - "title": "Media usage", + "id": "control-1528", + "title": "Firewalls", "parts": [ { - "id": "control-1059-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0347", - "title": "Media usage", + "id": "control-0639", + "title": "Firewalls", "parts": [ { - "id": "control-0347-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] - } - ] - }, - { - "id": "media_disposal", - "title": "Media disposal", - "controls": [ + }, { - "id": "control-0374", - "title": "Media disposal", + "id": "control-1194", + "title": "Firewalls", "parts": [ { - "id": "control-0374-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." 
+ "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." } ] }, { - "id": "control-0375", - "title": "Media disposal", + "id": "control-0641", + "title": "Firewalls", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." } ] }, { - "id": "control-0378", - "title": "Media disposal", + "id": "control-0642", + "title": "Firewalls", "parts": [ { - "id": "control-0378-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." } ] } ] }, { - "id": "media_sanitisation", - "title": "Media sanitisation", + "id": "diodes", + "title": "Diodes", "controls": [ { - "id": "control-0348", - "title": "Media sanitisation", + "id": "control-0643", + "title": "Diodes", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." 
+ "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0351", - "title": "Media sanitisation", + "id": "control-0645", + "title": "Diodes", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." } ] }, { - "id": "control-0352", - "title": "Media sanitisation", + "id": "control-1157", + "title": "Diodes", "parts": [ { - "id": "control-0352-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." } ] }, { - "id": "control-0835", - "title": "Media sanitisation", + "id": "control-1158", + "title": "Diodes", "parts": [ { - "id": "control-0835-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." 
} ] }, { - "id": "control-1065", - "title": "Media sanitisation", + "id": "control-0646", + "title": "Diodes", "parts": [ { - "id": "control-1065-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-0354", - "title": "Media sanitisation", + "id": "control-0647", + "title": "Diodes", "parts": [ { - "id": "control-0354-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-1067", - "title": "Media sanitisation", + "id": "control-0648", + "title": "Diodes", "parts": [ { - "id": "control-1067-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." 
} ] - }, + } + ] + }, + { + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", + "controls": [ { - "id": "control-0356", - "title": "Media sanitisation", + "id": "control-0626", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0356-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-0357", - "title": "Media sanitisation", + "id": "control-0597", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0357-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0836", - "title": "Media sanitisation", + "id": "control-0627", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0836-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." 
} ] }, { - "id": "control-0358", - "title": "Media sanitisation", + "id": "control-0635", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0358-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-0359", - "title": "Media sanitisation", + "id": "control-1521", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0359-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." } ] }, { - "id": "control-0360", - "title": "Media sanitisation", + "id": "control-1522", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0360-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." } ] }, { - "id": "control-0947", - "title": "Media sanitisation", + "id": "control-0670", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-0947-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "All media is sanitised prior to reuse." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." 
} ] }, { - "id": "control-1464", - "title": "Media sanitisation", + "id": "control-1523", + "title": "Cross Domain Solutions", "parts": [ { - "id": "control-1464-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "Where a Consumer Guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the Consumer Guide are followed." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." + } + ] + }, + { + "id": "control-0610", + "title": "Cross Domain Solutions", + "parts": [ + { + "id": "control-0610-stmt", + "name": "statement", + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." } ] } ] - } - ] - }, - { - "id": "guidelines_for_using_cryptography", - "title": "Guidelines for Using Cryptography", - "groups": [ + }, { - "id": "transport_layer_security", - "title": "Transport Layer Security", + "id": "peripheral_switches", + "title": "Peripheral switches", "controls": [ { - "id": "control-1139", - "title": "Transport Layer Security", + "id": "control-0591", + "title": "Peripheral switches", "parts": [ { - "id": "control-1139-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "Only the latest version of TLS is used." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-1369", - "title": "Transport Layer Security", + "id": "control-1480", + "title": "Peripheral switches", "parts": [ { - "id": "control-1369-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." 
+ "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-1370", - "title": "Transport Layer Security", + "id": "control-1457", + "title": "Peripheral switches", "parts": [ { - "id": "control-1370-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." } ] }, { - "id": "control-1372", - "title": "Transport Layer Security", + "id": "control-0593", + "title": "Peripheral switches", "parts": [ { - "id": "control-1372-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-1448", - "title": "Transport Layer Security", + "id": "control-0594", + "title": "Peripheral switches", "parts": [ { - "id": "control-1448-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." } ] - }, + } + ] + }, + { + "id": "web_content_and_connections", + "title": "Web content and connections", + "controls": [ { - "id": "control-1373", - "title": "Transport Layer Security", + "id": "control-0258", + "title": "Web content and connections", "parts": [ { - "id": "control-1373-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "Anonymous DH is not used." 
+ "prose": "A web usage policy is developed and implemented." } ] }, { - "id": "control-1374", - "title": "Transport Layer Security", + "id": "control-0260", + "title": "Web content and connections", "parts": [ { - "id": "control-1374-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-1375", - "title": "Transport Layer Security", + "id": "control-0261", + "title": "Web content and connections", "parts": [ { - "id": "control-1375-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n§ address (uniform resource locator)\n§ time/date\n§ user\n§ amount of data uploaded and downloaded\n§ internal and external IP addresses." } ] }, { - "id": "control-1553", - "title": "Transport Layer Security", + "id": "control-0263", + "title": "Web content and connections", "parts": [ { - "id": "control-1553-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "TLS compression is disabled." + "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n§ a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n§ a whitelist of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." } ] }, { - "id": "control-1453", - "title": "Transport Layer Security", + "id": "control-0996", + "title": "Web content and connections", "parts": [ { - "id": "control-1453-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." 
+ "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", - "controls": [ + }, { - "id": "control-0471", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0958", + "title": "Web content and connections", "parts": [ { - "id": "control-0471-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "If using cryptographic equipment or software that implements an AACA, only AACAs can be used." + "prose": "A whitelist of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-0994", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1170", + "title": "Web content and connections", "parts": [ { - "id": "control-0994-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "If a whitelist of allowed websites is not implemented, a whitelist of allowed website categories is implemented instead." } ] }, { - "id": "control-0472", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0959", + "title": "Web content and connections", "parts": [ { - "id": "control-0472-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "If website whitelisting is not implemented, website blacklisting is implemented instead." 
} ] }, { - "id": "control-0473", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0960", + "title": "Web content and connections", "parts": [ { - "id": "control-0473-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "If website blacklisting is implemented, the website blacklist is updated on a daily basis to ensure that it remains effective." } ] }, { - "id": "control-1446", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1171", + "title": "Web content and connections", "parts": [ { - "id": "control-1446-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0474", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1236", + "title": "Web content and connections", "parts": [ { - "id": "control-0474-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." } ] }, { - "id": "control-0475", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0963", + "title": "Web content and connections", "parts": [ { - "id": "control-0475-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "A web content filter is used to filter potentially harmful web-based content." 
} ] }, { - "id": "control-0476", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0961", + "title": "Web content and connections", "parts": [ { - "id": "control-0476-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "Client-side active content, such as Java, is restricted to a whitelist of allowed websites." } ] }, { - "id": "control-0477", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1237", + "title": "Web content and connections", "parts": [ { - "id": "control-0477-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] - }, + } + ] + }, + { + "id": "gateways", + "title": "Gateways", + "controls": [ { - "id": "control-1054", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0628", + "title": "Gateways", "parts": [ { - "id": "control-1054-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." + "prose": "All systems are protected from systems in other security domains by one or more gateways." } ] }, { - "id": "control-0479", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1192", + "title": "Gateways", "parts": [ { - "id": "control-0479-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." 
+ "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] }, { - "id": "control-0480", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0631", + "title": "Gateways", "parts": [ { - "id": "control-0480-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "Gateways:\n§ are the only communications paths into and out of internal networks\n§ allow only explicitly authorised connections\n§ are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n§ are protected by authentication, logging and auditing of all physical and logical access to gateway components\n§ have all security controls tested to verify their effectiveness after any changes to their configuration." } ] }, { - "id": "control-1232", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-1427", + "title": "Gateways", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." } ] }, { - "id": "control-1468", - "title": "ASD Approved Cryptographic Algorithms", + "id": "control-0634", + "title": "Gateways", "parts": [ { - "id": "control-1468-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." 
+ "prose": "All gateways connecting networks in different security domains are operated such that they:\n§ log network traffic permitted through the gateway\n§ log network traffic attempting to leave the gateway\n§ are configured to save event logs to a secure logging facility\n§ provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." } ] - } - ] - }, - { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", - "controls": [ + }, { - "id": "control-0501", - "title": "Cryptographic system management", + "id": "control-0637", + "title": "Gateways", "parts": [ { - "id": "control-0501-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-0142", - "title": "Cryptographic system management", + "id": "control-1037", + "title": "Gateways", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-1091", - "title": "Cryptographic system management", + "id": "control-0611", + "title": "Gateways", "parts": [ { - "id": "control-1091-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." 
+ "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." } ] }, { - "id": "control-0499", - "title": "Cryptographic system management", + "id": "control-0612", + "title": "Gateways", "parts": [ { - "id": "control-0499-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "System administrators are formally trained to manage gateways." } ] }, { - "id": "control-0505", - "title": "Cryptographic system management", + "id": "control-1520", + "title": "Gateways", "parts": [ { - "id": "control-0505-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." } ] }, { - "id": "control-0506", - "title": "Cryptographic system management", + "id": "control-0613", + "title": "Gateways", "parts": [ { - "id": "control-0506-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." 
} ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Secure Shell", + "id": "control-0616", + "title": "Gateways", "parts": [ { - "id": "control-1506-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "Roles for the administration of gateways are separated." } ] }, { - "id": "control-0484", - "title": "Secure Shell", + "id": "control-0629", + "title": "Gateways", "parts": [ { - "id": "control-0484-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-0485", - "title": "Secure Shell", + "id": "control-0607", + "title": "Gateways", "parts": [ { - "id": "control-0485-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." } ] }, { - "id": "control-1449", - "title": "Secure Shell", + "id": "control-0619", + "title": "Gateways", "parts": [ { - "id": "control-1449-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." + "prose": "Users and services accessing networks through gateways are authenticated." 
} ] }, { - "id": "control-0487", - "title": "Secure Shell", + "id": "control-0620", + "title": "Gateways", "parts": [ { - "id": "control-0487-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n§ access from IP addresses that do not require access\n§ port forwarding\n§ agent credential forwarding\n§ X11 display remoting\n§ console access." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-0488", - "title": "Secure Shell", + "id": "control-1039", + "title": "Gateways", "parts": [ { - "id": "control-0488-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "Multi-factor authentication is used for access to gateways." } ] }, { - "id": "control-0489", - "title": "Secure Shell", + "id": "control-0622", + "title": "Gateways", "parts": [ { - "id": "control-0489-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "ICT equipment accessing networks through gateways is authenticated." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", "controls": [ { - "id": "control-0481", - "title": "ASD Approved Cryptographic Protocols", + "id": "control-0336", + "title": "ICT equipment and media", "parts": [ { - "id": "control-0481-stmt", + "id": "control-0336-stmt", "name": "statement", - "prose": "If using cryptographic equipment or software that implements an AACP, only AACAs can be used." + "prose": "An ICT equipment and media register is maintained and regularly audited." } ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Secure/Multipurpose Internet Mail Extension", + "id": "control-0159", + "title": "ICT equipment and media", "parts": [ { - "id": "control-0490-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "All ICT equipment and media are accounted for on a regular basis." + } + ] + }, + { + "id": "control-0161", + "title": "ICT equipment and media", + "parts": [ + { + "id": "control-0161-stmt", + "name": "statement", + "prose": "ICT equipment and media are secured when not in use." 
} ] } ] }, { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", + "id": "facilities_and_systems", + "title": "Facilities and systems", "controls": [ { - "id": "control-1161", - "title": "Cryptographic fundamentals", + "id": "control-0810", + "title": "Facilities and systems", "parts": [ { - "id": "control-1161-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." } ] }, { - "id": "control-0457", - "title": "Cryptographic fundamentals", + "id": "control-1053", + "title": "Facilities and systems", "parts": [ { - "id": "control-0457-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." } ] }, { - "id": "control-0460", - "title": "Cryptographic fundamentals", + "id": "control-1530", + "title": "Facilities and systems", "parts": [ { - "id": "control-0460-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." 
+ "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." } ] }, { - "id": "control-0459", - "title": "Cryptographic fundamentals", + "id": "control-0813", + "title": "Facilities and systems", "parts": [ { - "id": "control-0459-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0461", - "title": "Cryptographic fundamentals", + "id": "control-1074", + "title": "Facilities and systems", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." } ] }, { - "id": "control-1080", - "title": "Cryptographic fundamentals", + "id": "control-0157", + "title": "Facilities and systems", "parts": [ { - "id": "control-1080-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." 
} ] }, { - "id": "control-0455", - "title": "Cryptographic fundamentals", + "id": "control-1296", + "title": "Facilities and systems", "parts": [ { - "id": "control-0455-stmt", - "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." - } - ] - }, - { - "id": "control-0462", - "title": "Cryptographic fundamentals", - "parts": [ - { - "id": "control-0462-stmt", - "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." - } - ] - }, - { - "id": "control-1162", - "title": "Cryptographic fundamentals", - "parts": [ - { - "id": "control-1162-stmt", - "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." - } - ] - }, - { - "id": "control-0465", - "title": "Cryptographic fundamentals", - "parts": [ - { - "id": "control-0465-stmt", - "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." - } - ] - }, - { - "id": "control-0467", - "title": "Cryptographic fundamentals", - "parts": [ - { - "id": "control-0467-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." 
+ "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." } ] }, { - "id": "control-0469", - "title": "Cryptographic fundamentals", + "id": "control-0164", + "title": "Facilities and systems", "parts": [ { - "id": "control-0469-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." } ] } ] }, { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", "controls": [ { - "id": "control-0494", - "title": "Internet Protocol Security", - "parts": [ - { - "id": "control-0494-stmt", - "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." - } - ] - }, - { - "id": "control-0496", - "title": "Internet Protocol Security", + "id": "control-1543", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0496-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." } ] }, { - "id": "control-1233", - "title": "Internet Protocol Security", + "id": "control-0225", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-1233-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." 
+ "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-0497", - "title": "Internet Protocol Security", + "id": "control-0829", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0497-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." } ] }, { - "id": "control-0498", - "title": "Internet Protocol Security", + "id": "control-1058", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0498-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." } ] }, { - "id": "control-0998", - "title": "Internet Protocol Security", + "id": "control-0222", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0998-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-0999", - "title": "Internet Protocol Security", + "id": "control-0223", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-0999-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." 
+ "prose": "When using infrared keyboards, the following activities are prevented:\n§ line of sight and reflected communications travelling into unsecured spaces\n§ multiple infrared keyboards for different systems being used in the same area\n§ other infrared devices being used in the same area\n§ infrared keyboards operating in areas with unprotected windows." } ] }, { - "id": "control-1000", - "title": "Internet Protocol Security", + "id": "control-0224", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-1000-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "When using infrared keyboards, the following activities are prevented:\n§ line of sight and reflected communications travelling into unsecured spaces\n§ multiple infrared keyboards for different systems being used in the same area\n§ other infrared devices being used in the same area\n§ infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." } ] }, { - "id": "control-1001", - "title": "Internet Protocol Security", + "id": "control-0221", + "title": "Wireless devices and Radio Frequency transmitters", "parts": [ { - "id": "control-1001-stmt", + "id": "control-0221-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." } ] } 
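Review bot: this hunk is a positional diff rather than a content change, and that should be stated in the PR description: the `-` lines drop the whole `cryptographic_fundamentals` and `internet_protocol_security` groups (control-1161 through control-0469, and control-0494 through control-1001) while the `+` lines place `facilities_and_systems` and `wireless_devices_and_radio_frequency_transmitters` at the same file offset, which is what a regenerated catalog looks like when group order changes, not when individual statements are edited. Because the hunk runs to thousands of lines per catalog, a reviewer cannot tell from the raw diff whether any control was dropped or reworded; please add an order-insensitive check (set of control ids and their statement prose in the old versus the new catalog.json) and note its result in the commit message, so that "demos work with trestle 1.0.x" is verifiable as a pure regeneration. One thing worth confirming from the visible lines: control-0223 and control-0224 now carry near-identical prose that differs only in the final bullet about windows (`unprotected windows` versus `windows that have not had a permanent method of blocking infrared transmissions applied`); check that this duplication is how the upstream ISM source reads for that release and not an artifact of the generation script.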
@@ -2034,3253 +2018,3292 @@ ] }, { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", "groups": [ { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", + "id": "mobile_device_management", + "title": "Mobile device management", "controls": [ { - "id": "control-0280", - "title": "Evaluated product acquisition", + "id": "control-1533", + "title": "Mobile device management", "parts": [ { - "id": "control-0280-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "A mobile device management policy is developed and implemented." } ] }, { - "id": "control-0285", - "title": "Evaluated product acquisition", + "id": "control-1195", + "title": "Mobile device management", "parts": [ { - "id": "control-0285-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." } ] }, { - "id": "control-0286", - "title": "Evaluated product acquisition", - "parts": [ - { - "id": "control-0286-stmt", - "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." 
- } - ] - } - ] - }, - { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", - "controls": [ - { - "id": "control-0289", - "title": "Evaluated product usage", + "id": "control-0687", + "title": "Mobile device management", "parts": [ { - "id": "control-0289-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-0290", - "title": "Evaluated product usage", + "id": "control-1400", + "title": "Mobile device management", "parts": [ { - "id": "control-0290-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + "prose": "Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." } ] }, { - "id": "control-0292", - "title": "Evaluated product usage", + "id": "control-0694", + "title": "Mobile device management", "parts": [ { - "id": "control-0292-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." + "prose": "Privately-owned mobile devices do not access highly classified systems." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", - "groups": [ - { - "id": "web_application_development", - "title": "Web application development", - "controls": [ + }, { - "id": "control-1239", - "title": "Web application development", + "id": "control-1297", + "title": "Mobile device management", "parts": [ { - "id": "control-1239-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "Prior to allowing privately-owned mobile devices to connect to an organisation’s systems, legal advice is sought." } ] }, { - "id": "control-1552", - "title": "Web application development", + "id": "control-1482", + "title": "Mobile device management", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] }, { - "id": "control-1240", - "title": "Web application development", + "id": "control-0869", + "title": "Mobile device management", "parts": [ { - "id": "control-1240-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, { - "id": "control-1241", - "title": "Web application development", + "id": "control-1085", + "title": "Mobile device management", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-1424", - "title": "Web application development", + "id": "control-1202", + "title": "Mobile device management", "parts": [ { - "id": "control-1424-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] }, { - "id": "control-0971", - "title": "Web application development", + "id": "control-0682", + "title": "Mobile device management", "parts": [ { - "id": "control-0971-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." } ] - } - ] - }, - { - "id": "application_development", - "title": "Application development", - "controls": [ + }, { - "id": "control-0400", - "title": "Application development", + "id": "control-1196", + "title": "Mobile device management", "parts": [ { - "id": "control-0400-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "Software development, testing and production environments are segregated." 
+ "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-1419", - "title": "Application development", + "id": "control-1200", + "title": "Mobile device management", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-1420", - "title": "Application development", + "id": "control-1198", + "title": "Mobile device management", "parts": [ { - "id": "control-1420-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." } ] }, { - "id": "control-1422", - "title": "Application development", + "id": "control-1199", + "title": "Mobile device management", "parts": [ { - "id": "control-1422-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." } ] }, { - "id": "control-1238", - "title": "Application development", + "id": "control-0863", + "title": "Mobile device management", "parts": [ { - "id": "control-1238-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." 
+ "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-0401", - "title": "Application development", + "id": "control-0864", + "title": "Mobile device management", "parts": [ { - "id": "control-0401-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] }, { - "id": "control-0402", - "title": "Application development", + "id": "control-1365", + "title": "Mobile device management", "parts": [ { - "id": "control-0402-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ + }, { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1366", + "title": "Mobile device management", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." 
} ] }, { - "id": "control-0546", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0874", + "title": "Mobile device management", "parts": [ { - "id": "control-0546-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-0547", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0705", + "title": "Mobile device management", "parts": [ { - "id": "control-0547-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." } ] - }, + } + ] + }, + { + "id": "mobile_device_usage", + "title": "Mobile device usage", + "controls": [ { - "id": "control-0548", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1082", + "title": "Mobile device usage", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "A mobile device usage policy is developed and implemented." } ] }, { - "id": "control-0554", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1083", + "title": "Mobile device usage", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." 
+ "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0553", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0240", + "title": "Mobile device usage", "parts": [ { - "id": "control-0553-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." } ] }, { - "id": "control-0555", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0866", + "title": "Mobile device usage", "parts": [ { - "id": "control-0555-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." + "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." } ] }, { - "id": "control-0551", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1145", + "title": "Mobile device usage", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n§ IP phones authenticate themselves to the call controller upon registration\n§ auto-registration is disabled and only authorised devices are allowed to access the network\n§ unauthorised devices are blocked by default\n§ all unused and prohibited functionality is disabled." 
+ "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-1014", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0871", + "title": "Mobile device usage", "parts": [ { - "id": "control-1014-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-0549", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0870", + "title": "Mobile device usage", "parts": [ { - "id": "control-0549-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-0556", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1084", + "title": "Mobile device usage", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." 
} ] }, { - "id": "control-1015", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0701", + "title": "Mobile device usage", "parts": [ { - "id": "control-1015-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0558", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-0702", + "title": "Mobile device usage", "parts": [ { - "id": "control-0558-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." } ] }, { - "id": "control-0559", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1298", + "title": "Mobile device usage", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." } ] }, { - "id": "control-1450", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1554", + "title": "Mobile device usage", "parts": [ { - "id": "control-1450-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." 
+ "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n§ issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n§ advised on how to apply and inspect tamper seals to key areas of devices\n§ advised to avoid taking any personal devices, especially if rooted or jailbroken." } ] }, { - "id": "control-1019", - "title": "Video conferencing and Internet Protocol telephony", + "id": "control-1555", + "title": "Mobile device usage", "parts": [ { - "id": "control-1019-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n§ how to identify signs of a denial of service\n§ how to identify the source of a denial of service\n§ how capabilities can be maintained during a denial of service\n§ what actions can be taken to clear a denial of service." + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n§ record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n§ update all applications and operating systems\n§ remove all non-essential accounts, applications and data\n§ apply security configuration settings, such as lock screens\n§ configure remote locate and wipe functionality\n§ enable encryption, including for any media used\n§ backup all important data and configuration settings." } ] - } - ] - }, - { - "id": "telephone_systems", - "title": "Telephone systems", - "controls": [ + }, { - "id": "control-1078", - "title": "Telephone systems", + "id": "control-1299", + "title": "Mobile device usage", "parts": [ { - "id": "control-1078-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." 
+ "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n§ never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n§ never storing credentials with devices that they grant access to, such as in laptop bags\n§ never lending devices to untrusted people, even if briefly\n§ never allowing untrusted people to connect other devices or media to their devices, including for charging\n§ never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n§ avoiding connecting devices to open or untrusted Wi-Fi networks\n§ using an approved Virtual Private Network to encrypt all device communications\n§ using encrypted mobile applications for communications instead of using foreign telecommunication networks\n§ disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n§ avoiding reuse of media once used with other parties’ devices or systems\n§ ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n§ never using any gifted devices, especially media, when travelling or upon returning from travelling." } ] }, { - "id": "control-0229", - "title": "Telephone systems", + "id": "control-1088", + "title": "Mobile device usage", "parts": [ { - "id": "control-0229-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." 
+ "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n§ provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n§ have devices or media stolen that are later returned\n§ lose devices or media that are later found\n§ observe unusual behaviour of devices." } ] }, { - "id": "control-0230", - "title": "Telephone systems", + "id": "control-1300", + "title": "Mobile device usage", "parts": [ { - "id": "control-0230-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n§ sanitise and reset devices, including all media used with them\n§ decommission any physical credentials that left their possession during their travel\n§ report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-0231", - "title": "Telephone systems", + "id": "control-1556", + "title": "Mobile device usage", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n§ reset user credentials used with devices, including those used for remote access to their organisation’s systems\n§ monitor accounts for any indicators of compromise, such as failed login attempts." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ + { + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", + "controls": [ { - "id": "control-0232", - "title": "Telephone systems", + "id": "control-0280", + "title": "Evaluated product acquisition", "parts": [ { - "id": "control-0232-stmt", + "id": "control-0280-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." } ] }, { - "id": "control-0233", - "title": "Telephone systems", + "id": "control-0285", + "title": "Evaluated product acquisition", "parts": [ { - "id": "control-0233-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." } ] }, { - "id": "control-0235", - "title": "Telephone systems", + "id": "control-0286", + "title": "Evaluated product acquisition", "parts": [ { - "id": "control-0235-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." 
} ] - }, + } + ] + }, + { + "id": "evaluated_product_usage", + "title": "Evaluated product usage", + "controls": [ { - "id": "control-0236", - "title": "Telephone systems", + "id": "control-0289", + "title": "Evaluated product usage", "parts": [ { - "id": "control-0236-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." } ] }, { - "id": "control-0931", - "title": "Telephone systems", + "id": "control-0290", + "title": "Evaluated product usage", "parts": [ { - "id": "control-0931-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." } ] }, { - "id": "control-0237", - "title": "Telephone systems", + "id": "control-0292", + "title": "Evaluated product usage", "parts": [ { - "id": "control-0237-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "High assurance ICT equipment is only operated in an evaluated configuration." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_data_transfers_and_content_filtering", + "title": "Guidelines for Data Transfers and Content Filtering", + "groups": [ { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", + "id": "content_filtering", + "title": "Content filtering", "controls": [ { - "id": "control-0588", - "title": "Fax machines and multifunction devices", + "id": "control-0659", + "title": "Content filtering", "parts": [ { - "id": "control-0588-stmt", + "id": "control-0659-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." } ] }, { - "id": "control-1092", - "title": "Fax machines and multifunction devices", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." } ] }, { - "id": "control-0241", - "title": "Fax machines and multifunction devices", + "id": "control-0651", + "title": "Content filtering", "parts": [ { - "id": "control-0241-stmt", + "id": "control-0651-stmt", + "name": "statement", + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + } + ] + }, + { + "id": "control-0652", + "title": "Content filtering", + "parts": [ + { + "id": "control-0652-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." 
+ "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." } ] }, { - "id": "control-1075", - "title": "Fax machines and multifunction devices", + "id": "control-1389", + "title": "Content filtering", "parts": [ { - "id": "control-1075-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] }, { - "id": "control-0590", - "title": "Fax machines and multifunction devices", + "id": "control-1284", + "title": "Content filtering", "parts": [ { - "id": "control-0590-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." } ] }, { - "id": "control-0245", - "title": "Fax machines and multifunction devices", + "id": "control-1286", + "title": "Content filtering", "parts": [ { - "id": "control-0245-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." 
} ] }, { - "id": "control-0589", - "title": "Fax machines and multifunction devices", + "id": "control-1287", + "title": "Content filtering", "parts": [ { - "id": "control-0589-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." } ] }, { - "id": "control-1036", - "title": "Fax machines and multifunction devices", + "id": "control-1288", + "title": "Content filtering", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_gateway_management", - "title": "Guidelines for Gateway Management", - "groups": [ - { - "id": "firewalls", - "title": "Firewalls", - "controls": [ + }, { - "id": "control-1528", - "title": "Firewalls", + "id": "control-1289", + "title": "Content filtering", "parts": [ { - "id": "control-1528-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-0639", - "title": "Firewalls", + "id": "control-1290", + "title": "Content filtering", "parts": [ { - "id": "control-0639-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." 
+ "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-1194", - "title": "Firewalls", + "id": "control-1291", + "title": "Content filtering", "parts": [ { - "id": "control-1194-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." } ] }, { - "id": "control-0641", - "title": "Firewalls", + "id": "control-0649", + "title": "Content filtering", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "A whitelist of allowed content types is implemented." } ] }, { - "id": "control-0642", - "title": "Firewalls", + "id": "control-1292", + "title": "Content filtering", "parts": [ { - "id": "control-0642-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." } ] - } - ] - }, - { - "id": "gateways", - "title": "Gateways", - "controls": [ + }, { - "id": "control-0628", - "title": "Gateways", + "id": "control-0677", + "title": "Content filtering", "parts": [ { - "id": "control-0628-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." 
+ "prose": "If data is signed, the signature is validated before the data is exported." } ] }, { - "id": "control-1192", - "title": "Gateways", + "id": "control-1293", + "title": "Content filtering", "parts": [ { - "id": "control-1192-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] - }, + } + ] + }, + { + "id": "data_transfers", + "title": "Data transfers", + "controls": [ { - "id": "control-0631", - "title": "Gateways", + "id": "control-0663", + "title": "Data transfers", "parts": [ { - "id": "control-0631-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "Gateways:\n§ are the only communications paths into and out of internal networks\n§ allow only explicitly authorised connections\n§ are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n§ are protected by authentication, logging and auditing of all physical and logical access to gateway components\n§ have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-1427", - "title": "Gateways", + "id": "control-0661", + "title": "Data transfers", "parts": [ { - "id": "control-1427-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." 
} ] }, { - "id": "control-0634", - "title": "Gateways", + "id": "control-0665", + "title": "Data transfers", "parts": [ { - "id": "control-0634-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n§ log network traffic permitted through the gateway\n§ log network traffic attempting to leave the gateway\n§ are configured to save event logs to a secure logging facility\n§ provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "Trusted sources are a strictly limited number of personnel that have been authorised as such by an organisation’s CISO." } ] }, { - "id": "control-0637", - "title": "Gateways", + "id": "control-0675", + "title": "Data transfers", "parts": [ { - "id": "control-0637-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "A trusted source makes an informed decision to sign all data authorised for export from a security domain." } ] }, { - "id": "control-1037", - "title": "Gateways", + "id": "control-0664", + "title": "Data transfers", "parts": [ { - "id": "control-1037-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." 
} ] }, { - "id": "control-0611", - "title": "Gateways", + "id": "control-0657", + "title": "Data transfers", "parts": [ { - "id": "control-0611-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "Data imported to a system is scanned for malicious and active content." } ] }, { - "id": "control-0612", - "title": "Gateways", + "id": "control-0658", + "title": "Data transfers", "parts": [ { - "id": "control-0612-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." } ] }, { - "id": "control-1520", - "title": "Gateways", + "id": "control-1187", + "title": "Data transfers", "parts": [ { - "id": "control-1520-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "When exporting data, protective marking checks are undertaken." } ] }, { - "id": "control-0613", - "title": "Gateways", + "id": "control-0669", + "title": "Data transfers", "parts": [ { - "id": "control-0613-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." + "prose": "When exporting data, the following activities are undertaken:\n§ protective marking checks\n§ data format checks and logging\n§ monitoring to detect overuse/unusual usage patterns\n§ limitations on data types and sizes\n§ keyword searches on all textual data." 
} ] }, { - "id": "control-0616", - "title": "Gateways", + "id": "control-1535", + "title": "Data transfers", "parts": [ { - "id": "control-0616-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "Roles for the administration of gateways are separated." + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-0629", - "title": "Gateways", + "id": "control-0678", + "title": "Data transfers", "parts": [ { - "id": "control-0629-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." } ] }, { - "id": "control-0607", - "title": "Gateways", + "id": "control-0667", + "title": "Data transfers", "parts": [ { - "id": "control-0607-stmt", + "id": "control-0667-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." + "prose": "Data exported from each security domain, including through a gateway, is only permitted once the classification has been assessed including a protective marking check." } ] }, { - "id": "control-0619", - "title": "Gateways", + "id": "control-0660", + "title": "Data transfers", "parts": [ { - "id": "control-0619-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." 
+ "prose": "When importing data to each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." } ] }, { - "id": "control-0620", - "title": "Gateways", + "id": "control-0673", + "title": "Data transfers", "parts": [ { - "id": "control-0620-stmt", + "id": "control-0673-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "When exporting data out of each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." } ] }, { - "id": "control-1039", - "title": "Gateways", + "id": "control-1294", + "title": "Data transfers", "parts": [ { - "id": "control-1039-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "When importing content to a security domain, including through a gateway, monthly audits of the imported content are performed." } ] }, { - "id": "control-0622", - "title": "Gateways", + "id": "control-1295", + "title": "Data transfers", "parts": [ { - "id": "control-0622-stmt", + "id": "control-1295-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "When exporting content out of a security domain, including through a gateway, monthly audits of the exported content are performed." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ { - "id": "diodes", - "title": "Diodes", + "id": "emanation_security", + "title": "Emanation security", "controls": [ { - "id": "control-0643", - "title": "Diodes", + "id": "control-0247", + "title": "Emanation security", "parts": [ { - "id": "control-0643-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0645", - "title": "Diodes", + "id": "control-0248", + "title": "Emanation security", "parts": [ { - "id": "control-0645-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1157", - "title": "Diodes", + "id": "control-1137", + "title": "Emanation security", "parts": [ { - "id": "control-1157-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." 
+ "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1158", - "title": "Diodes", + "id": "control-0932", + "title": "Emanation security", "parts": [ { - "id": "control-1158-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." } ] }, { - "id": "control-0646", - "title": "Diodes", + "id": "control-0249", + "title": "Emanation security", "parts": [ { - "id": "control-0646-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0647", - "title": "Diodes", + "id": "control-0246", + "title": "Emanation security", "parts": [ { - "id": "control-0647-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." 
} ] }, { - "id": "control-0648", - "title": "Diodes", + "id": "control-0250", + "title": "Emanation security", "parts": [ { - "id": "control-0648-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." } ] } ] }, { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", + "id": "cable_management", + "title": "Cable management", "controls": [ { - "id": "control-0626", - "title": "Cross Domain Solutions", - "parts": [ - { - "id": "control-0626-stmt", - "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." - } - ] - }, - { - "id": "control-0597", - "title": "Cross Domain Solutions", + "id": "control-0181", + "title": "Cable management", "parts": [ { - "id": "control-0597-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority (ACMA)." } ] }, { - "id": "control-0627", - "title": "Cross Domain Solutions", + "id": "control-0926", + "title": "Cable management", "parts": [ { - "id": "control-0627-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." 
+ "prose": "The cable colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-0635", - "title": "Cross Domain Solutions", + "id": "control-0825", + "title": "Cable management", "parts": [ { - "id": "control-0635-stmt", + "id": "control-0825-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." } ] }, { - "id": "control-1521", - "title": "Cross Domain Solutions", + "id": "control-0826", + "title": "Cable management", "parts": [ { - "id": "control-1521-stmt", + "id": "control-0826-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." } ] }, { - "id": "control-1522", - "title": "Cross Domain Solutions", + "id": "control-1215", + "title": "Cable management", "parts": [ { - "id": "control-1522-stmt", + "id": "control-1215-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." + "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." } ] }, { - "id": "control-0670", - "title": "Cross Domain Solutions", + "id": "control-1216", + "title": "Cable management", "parts": [ { - "id": "control-0670-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." 
+ "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." } ] }, { - "id": "control-1523", - "title": "Cross Domain Solutions", + "id": "control-1112", + "title": "Cable management", "parts": [ { - "id": "control-1523-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-0610", - "title": "Cross Domain Solutions", - "parts": [ - { - "id": "control-0610-stmt", - "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." - } - ] - } - ] - }, - { - "id": "web_content_and_connections", - "title": "Web content and connections", - "controls": [ - { - "id": "control-0258", - "title": "Web content and connections", + "id": "control-1118", + "title": "Cable management", "parts": [ { - "id": "control-0258-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-0260", - "title": "Web content and connections", + "id": "control-1119", + "title": "Cable management", "parts": [ { - "id": "control-0260-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." 
} ] }, { - "id": "control-0261", - "title": "Web content and connections", + "id": "control-1126", + "title": "Cable management", "parts": [ { - "id": "control-0261-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n§ address (uniform resource locator)\n§ time/date\n§ user\n§ amount of data uploaded and downloaded\n§ internal and external IP addresses." + "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-0263", - "title": "Web content and connections", + "id": "control-0184", + "title": "Cable management", "parts": [ { - "id": "control-0263-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n§ a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n§ a whitelist of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-0996", - "title": "Web content and connections", + "id": "control-0187", + "title": "Cable management", "parts": [ { - "id": "control-0996-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." 
} ] }, { - "id": "control-0958", - "title": "Web content and connections", + "id": "control-1111", + "title": "Cable management", "parts": [ { - "id": "control-0958-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "A whitelist of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." } ] }, { - "id": "control-1170", - "title": "Web content and connections", + "id": "control-0189", + "title": "Cable management", "parts": [ { - "id": "control-1170-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "If a whitelist of allowed websites is not implemented, a whitelist of allowed website categories is implemented instead." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." } ] }, { - "id": "control-0959", - "title": "Web content and connections", + "id": "control-0190", + "title": "Cable management", "parts": [ { - "id": "control-0959-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "If website whitelisting is not implemented, website blacklisting is implemented instead." + "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." } ] }, { - "id": "control-0960", - "title": "Web content and connections", + "id": "control-1114", + "title": "Cable management", "parts": [ { - "id": "control-0960-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "If website blacklisting is implemented, the website blacklist is updated on a daily basis to ensure that it remains effective." + "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." 
} ] }, { - "id": "control-1171", - "title": "Web content and connections", + "id": "control-1130", + "title": "Cable management", "parts": [ { - "id": "control-1171-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." } ] }, { - "id": "control-1236", - "title": "Web content and connections", + "id": "control-1164", + "title": "Cable management", "parts": [ { - "id": "control-1236-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-0963", - "title": "Web content and connections", + "id": "control-0195", + "title": "Cable management", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." } ] }, { - "id": "control-0961", - "title": "Web content and connections", + "id": "control-0194", + "title": "Cable management", "parts": [ { - "id": "control-0961-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a whitelist of allowed websites." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." 
} ] }, { - "id": "control-1237", - "title": "Web content and connections", + "id": "control-1102", + "title": "Cable management", "parts": [ { - "id": "control-1237-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] - } - ] - }, - { - "id": "peripheral_switches", - "title": "Peripheral switches", - "controls": [ + }, { - "id": "control-0591", - "title": "Peripheral switches", + "id": "control-1101", + "title": "Cable management", "parts": [ { - "id": "control-0591-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1480", - "title": "Peripheral switches", + "id": "control-1103", + "title": "Cable management", "parts": [ { - "id": "control-1480-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." } ] }, { - "id": "control-1457", - "title": "Peripheral switches", + "id": "control-1098", + "title": "Cable management", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." 
+ "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." } ] }, { - "id": "control-0593", - "title": "Peripheral switches", + "id": "control-1100", + "title": "Cable management", "parts": [ { - "id": "control-0593-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-0594", - "title": "Peripheral switches", + "id": "control-1116", + "title": "Cable management", "parts": [ { - "id": "control-0594-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_network_management", - "title": "Guidelines for Network Management", - "groups": [ - { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", - "controls": [ + }, { - "id": "control-1458", - "title": "Service continuity for online services", + "id": "control-1115", + "title": "Cable management", "parts": [ { - "id": "control-1458-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." 
} ] }, { - "id": "control-1431", - "title": "Service continuity for online services", + "id": "control-1133", + "title": "Cable management", "parts": [ { - "id": "control-1431-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with service providers, specifically:\n§ their capacity to withstand denial-of-service attacks\n§ any costs likely to be incurred by customers resulting from denial-of-service attacks\n§ thresholds for notifying customers or turning off their online services during denial-of-service attacks\n§ pre-approved actions that can be undertaken during denial-of-service attacks\n§ denial-of-service attack prevention arrangements with upstream providers to block malicious traffic as far upstream as possible." + "prose": "In shared non-government facilities, cables are not run in a party wall." } ] }, { - "id": "control-1432", - "title": "Service continuity for online services", + "id": "control-1122", + "title": "Cable management", "parts": [ { - "id": "control-1432-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1433", - "title": "Service continuity for online services", + "id": "control-1134", + "title": "Cable management", "parts": [ { - "id": "control-1433-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "24x7 contact details are maintained for service providers and service providers maintain 24x7 contact details for their customers." 
+ "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1434", - "title": "Service continuity for online services", + "id": "control-1104", + "title": "Cable management", "parts": [ { - "id": "control-1434-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." } ] }, { - "id": "control-1435", - "title": "Service continuity for online services", + "id": "control-1105", + "title": "Cable management", "parts": [ { - "id": "control-1435-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." } ] }, { - "id": "control-1436", - "title": "Service continuity for online services", + "id": "control-1106", + "title": "Cable management", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1106-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." 
} ] }, { - "id": "control-1518", - "title": "Service continuity for online services", + "id": "control-1107", + "title": "Cable management", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1437", - "title": "Service continuity for online services", + "id": "control-1109", + "title": "Cable management", "parts": [ { - "id": "control-1437-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "A cloud service provider, preferably multiple different cloud service providers, is used for hosting online services." + "prose": "Wall outlet box covers are clear plastic." } ] }, { - "id": "control-1438", - "title": "Service continuity for online services", + "id": "control-0198", + "title": "Cable management", "parts": [ { - "id": "control-1438-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." } ] }, { - "id": "control-1439", - "title": "Service continuity for online services", + "id": "control-1123", + "title": "Cable management", "parts": [ { - "id": "control-1439-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." 
+ "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-1441", - "title": "Service continuity for online services", + "id": "control-1135", + "title": "Cable management", "parts": [ { - "id": "control-1441-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists for online services, a denial of service mitigation service is used." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] } ] }, { - "id": "wireless_networks", - "title": "Wireless networks", + "id": "cable_labelling_and_registration", + "title": "Cable labelling and registration", "controls": [ { - "id": "control-1314", - "title": "Wireless networks", + "id": "control-0201", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1314-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." } ] }, { - "id": "control-0536", - "title": "Wireless networks", + "id": "control-0202", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-0536-stmt", + "id": "control-0202-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." 
} ] }, { - "id": "control-1315", - "title": "Wireless networks", + "id": "control-0203", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1315-stmt", + "id": "control-0203-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." + "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." } ] }, { - "id": "control-1316", - "title": "Wireless networks", + "id": "control-0204", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1316-stmt", + "id": "control-0204-stmt", "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." } ] }, { - "id": "control-1317", - "title": "Wireless networks", + "id": "control-1095", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1317-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." } ] }, { - "id": "control-1318", - "title": "Wireless networks", + "id": "control-1096", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1318-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." 
} ] }, { - "id": "control-1319", - "title": "Wireless networks", + "id": "control-0206", + "title": "Cable labelling and registration", "parts": [ { - "id": "control-1319-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." + } + ] + }, + { + "id": "control-0208", + "title": "Cable labelling and registration", + "parts": [ + { + "id": "control-0208-stmt", + "name": "statement", + "prose": "A cable register is maintained with the following information:\n§ cable identifier\n§ classification\n§ source\n§ destination\n§ site/floor plan diagram\n§ seal numbers (if applicable)." } ] }, { - "id": "control-1320", - "title": "Wireless networks", + "id": "control-0211", + "title": "Cable labelling and registration", + "parts": [ + { + "id": "control-0211-stmt", + "name": "statement", + "prose": "Cables are inspected for inconsistencies with the cable register in accordance with the frequency defined in a system’s System Security Plan." + } + ] + } + ] + }, + { + "id": "cable_patching", + "title": "Cable patching", + "controls": [ + { + "id": "control-0213", + "title": "Cable patching", "parts": [ { - "id": "control-1320-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." + "prose": "Only approved cable groups terminate on a patch panel." } ] }, { - "id": "control-1321", - "title": "Wireless networks", + "id": "control-1093", + "title": "Cable patching", "parts": [ { - "id": "control-1321-stmt", + "id": "control-1093-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." 
+ "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." } ] }, { - "id": "control-1322", - "title": "Wireless networks", + "id": "control-0214", + "title": "Cable patching", "parts": [ { - "id": "control-1322-stmt", + "id": "control-0214-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." } ] }, { - "id": "control-1324", - "title": "Wireless networks", + "id": "control-1094", + "title": "Cable patching", "parts": [ { - "id": "control-1324-stmt", + "id": "control-1094-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." } ] }, { - "id": "control-1323", - "title": "Wireless networks", + "id": "control-0216", + "title": "Cable patching", "parts": [ { - "id": "control-1323-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." 
} ] }, { - "id": "control-1325", - "title": "Wireless networks", + "id": "control-0217", + "title": "Cable patching", "parts": [ { - "id": "control-1325-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n§ a physical barrier in the cabinet is provided to separate patch panels\n§ only personnel holding a Positive Vetting security clearance have access to the cabinet\n§ approval from the TOP SECRET system’s authorising officer is obtained prior to installation." } ] }, { - "id": "control-1326", - "title": "Wireless networks", + "id": "control-0218", + "title": "Cable patching", "parts": [ { - "id": "control-1326-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ { - "id": "control-1327", - "title": "Wireless networks", + "id": "control-0100", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1327-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." 
+ "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program assessors at least every two years." } ] }, { - "id": "control-1330", - "title": "Wireless networks", + "id": "control-1395", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1330-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "If using an outsourced information technology or cloud service, the service provider provides an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." } ] }, { - "id": "control-1454", - "title": "Wireless networks", + "id": "control-1529", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "If using outsourced cloud services for highly classified information, public clouds are not used." } ] }, { - "id": "control-1332", - "title": "Wireless networks", + "id": "control-0873", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1332-stmt", + "id": "control-0873-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "If using an outsourced information technology or cloud service, a service provider whose systems are located in Australia is used." 
} ] }, { - "id": "control-1334", - "title": "Wireless networks", + "id": "control-0072", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1334-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "Any security controls associated with the protection of information entrusted to a service provider are documented in contract provisions, a memorandum of understanding or an equivalent formal agreement between parties." } ] }, { - "id": "control-1335", - "title": "Wireless networks", + "id": "control-1073", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1335-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "An organisation’s systems and information are not accessed or administered by a service provider from outside Australian borders unless a contractual arrangement exists between the organisation and the service provider to do so." } ] }, { - "id": "control-1338", - "title": "Wireless networks", + "id": "control-1451", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "When entering into a contractual arrangement for outsourced information technology or cloud services, contractual ownership over an organisation’s data is explicitly retained." 
} ] }, { - "id": "control-1013", - "title": "Wireless networks", + "id": "control-1452", + "title": "Information technology and cloud services", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "A review of suppliers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ { - "id": "network_design_and_configuration", - "title": "Network design and configuration", + "id": "application_hardening", + "title": "Application hardening", "controls": [ { - "id": "control-0516", - "title": "Network design and configuration", + "id": "control-0938", + "title": "Application hardening", "parts": [ { - "id": "control-0516-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." } ] }, { - "id": "control-0518", - "title": "Network design and configuration", + "id": "control-1467", + "title": "Application hardening", "parts": [ { - "id": "control-0518-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." 
+ "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." } ] }, { - "id": "control-1178", - "title": "Network design and configuration", + "id": "control-1483", + "title": "Application hardening", "parts": [ { - "id": "control-1178-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." } ] }, { - "id": "control-1181", - "title": "Network design and configuration", + "id": "control-1412", + "title": "Application hardening", "parts": [ { - "id": "control-1181-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1532", - "title": "Network design and configuration", + "id": "control-1484", + "title": "Application hardening", "parts": [ { - "id": "control-1532-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Web browsers are configured to block or disable support for Flash content." 
} ] }, { - "id": "control-0529", - "title": "Network design and configuration", + "id": "control-1485", + "title": "Application hardening", "parts": [ { - "id": "control-0529-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." + "prose": "Web browsers are configured to block web advertisements." } ] }, { - "id": "control-1364", - "title": "Network design and configuration", + "id": "control-1486", + "title": "Application hardening", "parts": [ { - "id": "control-1364-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "Web browsers are configured to block Java from the internet." } ] }, { - "id": "control-0535", - "title": "Network design and configuration", + "id": "control-1541", + "title": "Application hardening", "parts": [ { - "id": "control-0535-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "Microsoft Office is configured to disable support for Flash content." } ] }, { - "id": "control-0530", - "title": "Network design and configuration", + "id": "control-1542", + "title": "Application hardening", "parts": [ { - "id": "control-0530-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." 
} ] }, { - "id": "control-0521", - "title": "Network design and configuration", + "id": "control-1470", + "title": "Application hardening", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." } ] }, { - "id": "control-1186", - "title": "Network design and configuration", + "id": "control-1235", + "title": "Application hardening", "parts": [ { - "id": "control-1186-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." } ] }, { - "id": "control-1428", - "title": "Network design and configuration", + "id": "control-1487", + "title": "Application hardening", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." } ] }, { - "id": "control-1429", - "title": "Network design and configuration", + "id": "control-1488", + "title": "Application hardening", + "parts": [ + { + "id": "control-1488-stmt", + "name": "statement", + "prose": "Microsoft Office macros in documents originating from the internet are blocked." 
+ } + ] + }, + { + "id": "control-1489", + "title": "Application hardening", "parts": [ { - "id": "control-1429-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] - }, + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ { - "id": "control-1430", - "title": "Network design and configuration", + "id": "control-1407", + "title": "Operating system hardening", "parts": [ { - "id": "control-1430-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "The latest version (N), or N-1 version, of an operating system is used for Standard Operating Environments (SOEs)." } ] }, { - "id": "control-0520", - "title": "Network design and configuration", + "id": "control-1408", + "title": "Operating system hardening", "parts": [ { - "id": "control-0520-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." } ] }, { - "id": "control-1182", - "title": "Network design and configuration", + "id": "control-1409", + "title": "Operating system hardening", "parts": [ { - "id": "control-1182-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." 
+ "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-1301", - "title": "Network design and configuration", + "id": "control-0383", + "title": "Operating system hardening", "parts": [ { - "id": "control-1301-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1304", - "title": "Network design and configuration", + "id": "control-0380", + "title": "Operating system hardening", "parts": [ { - "id": "control-1304-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." } ] }, { - "id": "control-0534", - "title": "Network design and configuration", + "id": "control-1491", + "title": "Operating system hardening", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." } ] }, { - "id": "control-0385", - "title": "Network design and configuration", + "id": "control-1410", + "title": "Operating system hardening", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." 
+ "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." } ] }, { - "id": "control-1479", - "title": "Network design and configuration", + "id": "control-1469", + "title": "Operating system hardening", "parts": [ { - "id": "control-1479-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-1460", - "title": "Network design and configuration", + "id": "control-0382", + "title": "Operating system hardening", "parts": [ { - "id": "control-1460-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware:\n§ the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner\n§ the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism\n§ the underlying operating system running on the server is hardened\n§ patches are applied to the isolation mechanism and underlying operating system in a timely manner\n§ integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." + "prose": "Users do not have the ability to install, uninstall or disable software." 
} ] }, { - "id": "control-1462", - "title": "Network design and configuration", + "id": "control-0843", + "title": "Operating system hardening", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "An application whitelisting solution is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-1461", - "title": "Network design and configuration", + "id": "control-1490", + "title": "Operating system hardening", "parts": [ { - "id": "control-1461-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." + "prose": "An application whitelisting solution is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-1006", - "title": "Network design and configuration", + "id": "control-0955", + "title": "Operating system hardening", "parts": [ { - "id": "control-1006-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + "prose": "Application whitelisting is implemented using cryptographic hash rules, publisher certificate rules or path rules." 
} ] }, { - "id": "control-1311", - "title": "Network design and configuration", + "id": "control-1471", + "title": "Operating system hardening", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "When implementing application whitelisting using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-1312", - "title": "Network design and configuration", + "id": "control-1392", + "title": "Operating system hardening", "parts": [ { - "id": "control-1312-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "When implementing application whitelisting using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." } ] }, { - "id": "control-1028", - "title": "Network design and configuration", + "id": "control-1544", + "title": "Operating system hardening", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage, including public network infrastructure." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application whitelisting bypasses." 
} ] }, { - "id": "control-1030", - "title": "Network design and configuration", + "id": "control-0846", + "title": "Operating system hardening", "parts": [ { - "id": "control-1030-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application whitelisting mechanisms." } ] }, { - "id": "control-1185", - "title": "Network design and configuration", + "id": "control-0957", + "title": "Operating system hardening", "parts": [ { - "id": "control-1185-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + "prose": "Application whitelisting solutions are configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ - { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ + }, { - "id": "control-0041", - "title": "System-specific security documentation", + "id": "control-1414", + "title": "Operating system hardening", "parts": [ { - "id": "control-0041-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "Systems have a SSP that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." 
} ] }, { - "id": "control-0043", - "title": "System-specific security documentation", + "id": "control-1492", + "title": "Operating system hardening", "parts": [ { - "id": "control-0043-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "Systems have an IRP that covers the following:\n§ guidelines on what constitutes a cyber security incident\n§ the types of incidents likely to be encountered and the expected response to each type\n§ how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n§ other parties which need to be informed in the event of a cyber security incident\n§ the authority, or authorities, responsible for investigating and responding to cyber security incidents\n§ the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n§ the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n§ system contingency measures or a reference to such details if they are located in a separate document." + "prose": "If supported, Microsoft's 'Exploit protection' functionality is implemented on workstations and servers." } ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ + }, { - "id": "control-0039", - "title": "Development and maintenance of security documentation", + "id": "control-1341", + "title": "Operating system hardening", "parts": [ { - "id": "control-0039-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." + "prose": "A HIPS is implemented on workstations." 
} ] }, { - "id": "control-0047", - "title": "Development and maintenance of security documentation", + "id": "control-1034", + "title": "Operating system hardening", "parts": [ { - "id": "control-0047-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." } ] }, { - "id": "control-0888", - "title": "Development and maintenance of security documentation", + "id": "control-1416", + "title": "Operating system hardening", "parts": [ { - "id": "control-0888-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", - "controls": [ + }, { - "id": "control-0252", - "title": "Cyber security awareness training", + "id": "control-1417", + "title": "Operating system hardening", "parts": [ { - "id": "control-0252-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "Ongoing cyber security awareness training is provided to personnel and includes:\n§ the purpose of the cyber security awareness training\n§ security appointments and contacts within the organisation\n§ the authorised use of systems and their resources\n§ the protection of systems and their resources\n§ reporting of cyber security incidents and suspected compromises of systems and their resources." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n§ signature-based detection enabled and set to a high level\n§ heuristic-based detection enabled and set to a high level\n§ detection signatures checked for currency and updated on at least a daily basis\n§ automatic and regular scanning configured for all fixed disks and removable media." } ] }, { - "id": "control-0817", - "title": "Cyber security awareness training", + "id": "control-1390", + "title": "Operating system hardening", "parts": [ { - "id": "control-0817-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." + "prose": "Antivirus software has reputation rating functionality enabled." 
} ] }, { - "id": "control-0820", - "title": "Cyber security awareness training", + "id": "control-1418", + "title": "Operating system hardening", "parts": [ { - "id": "control-0820-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." } ] - }, + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ { - "id": "control-1146", - "title": "Cyber security awareness training", + "id": "control-1546", + "title": "Authentication hardening", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." + "prose": "Users are authenticated before they are granted access to a system and its resources." } ] }, { - "id": "control-0821", - "title": "Cyber security awareness training", + "id": "control-0974", + "title": "Authentication hardening", "parts": [ { - "id": "control-0821-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + "prose": "Multi-factor authentication is used to authenticate standard users." } ] }, { - "id": "control-0824", - "title": "Cyber security awareness training", + "id": "control-1173", + "title": "Authentication hardening", "parts": [ { - "id": "control-0824-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." 
+ "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." } ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "Access to systems and their resources", + "id": "control-1504", + "title": "Authentication hardening", "parts": [ { - "id": "control-0432-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "Each system’s System Security Plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] }, { - "id": "control-0434", - "title": "Access to systems and their resources", + "id": "control-1505", + "title": "Authentication hardening", "parts": [ { - "id": "control-0434-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." } ] }, { - "id": "control-0435", - "title": "Access to systems and their resources", + "id": "control-1401", + "title": "Authentication hardening", "parts": [ { - "id": "control-0435-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." 
} ] }, { - "id": "control-0414", - "title": "Access to systems and their resources", + "id": "control-1559", + "title": "Authentication hardening", "parts": [ { - "id": "control-0414-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] }, { - "id": "control-0415", - "title": "Access to systems and their resources", + "id": "control-1560", + "title": "Authentication hardening", "parts": [ { - "id": "control-0415-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." } ] }, { - "id": "control-0975", - "title": "Access to systems and their resources", + "id": "control-1561", + "title": "Authentication hardening", "parts": [ { - "id": "control-0975-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." } ] }, { - "id": "control-0420", - "title": "Access to systems and their resources", + "id": "control-1357", + "title": "Authentication hardening", "parts": [ { - "id": "control-0420-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." 
} ] }, { - "id": "control-1538", - "title": "Access to systems and their resources", + "id": "control-0417", + "title": "Authentication hardening", "parts": [ { - "id": "control-1538-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-0405", - "title": "Access to systems and their resources", + "id": "control-0421", + "title": "Authentication hardening", "parts": [ { - "id": "control-0405-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." } ] }, { - "id": "control-1503", - "title": "Access to systems and their resources", + "id": "control-1557", + "title": "Authentication hardening", "parts": [ { - "id": "control-1503-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." 
} ] }, { - "id": "control-0409", - "title": "Access to systems and their resources", + "id": "control-0422", + "title": "Authentication hardening", "parts": [ { - "id": "control-0409-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." } ] }, { - "id": "control-0411", - "title": "Access to systems and their resources", + "id": "control-1558", + "title": "Authentication hardening", "parts": [ { - "id": "control-0411-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "Passphrases used for single-factor authentication:\n§ are not constructed from song lyrics, movies, literature or any other publically available material\n§ do not form a real sentence in a natural language\n§ are not a list of categorised words." } ] }, { - "id": "control-0816", - "title": "Access to systems and their resources", + "id": "control-1403", + "title": "Authentication hardening", "parts": [ { - "id": "control-0816-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." 
+ "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-1507", - "title": "Access to systems and their resources", + "id": "control-0431", + "title": "Authentication hardening", "parts": [ { - "id": "control-1507-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Repeated account lockouts are investigated before reauthorising access." } ] }, { - "id": "control-1508", - "title": "Access to systems and their resources", + "id": "control-0976", + "title": "Authentication hardening", "parts": [ { - "id": "control-1508-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset." } ] }, { - "id": "control-0445", - "title": "Access to systems and their resources", + "id": "control-1227", + "title": "Authentication hardening", "parts": [ { - "id": "control-0445-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date." 
} ] }, { - "id": "control-1509", - "title": "Access to systems and their resources", + "id": "control-1055", + "title": "Authentication hardening", "parts": [ { - "id": "control-1509-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "LAN Manager is disabled for password/passphrase authentication." } ] }, { - "id": "control-1175", - "title": "Access to systems and their resources", + "id": "control-0418", + "title": "Authentication hardening", "parts": [ { - "id": "control-1175-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + "prose": "Credentials are stored separately from systems to which they grant access." } ] }, { - "id": "control-0448", - "title": "Access to systems and their resources", + "id": "control-1402", + "title": "Authentication hardening", "parts": [ { - "id": "control-0448-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." + "prose": "Credentials are protected by ensuring:\n§ passwords/passphrases expire every 12 months\n§ passwords/passphrases are stored as salted hashes\n§ password/passphrase stretching is implemented\n§ passwords/passphrases that are compromised are revoked\n§ passwords/passphrases are never sent in the clear across networks." 
} ] }, { - "id": "control-0446", - "title": "Access to systems and their resources", + "id": "control-0428", + "title": "Authentication hardening", "parts": [ { - "id": "control-0446-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." + "prose": "Systems are configured with a session or screen lock that:\n§ activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n§ completely conceals all information on the screen\n§ ensures that the screen does not enter a power saving state before the screen or session lock is activated\n§ requires the user to reauthenticate to unlock the system\n§ denies users the ability to disable the session or screen locking mechanism." } ] }, { - "id": "control-0447", - "title": "Access to systems and their resources", + "id": "control-0408", + "title": "Authentication hardening", "parts": [ { - "id": "control-0447-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-1545", - "title": "Access to systems and their resources", + "id": "control-0979", + "title": "Authentication hardening", "parts": [ { - "id": "control-1545-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." + "prose": "Legal advice is sought on the exact wording of logon banners." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", + "groups": [ + { + "id": "application_development", + "title": "Application development", + "controls": [ { - "id": "control-0430", - "title": "Access to systems and their resources", + "id": "control-0400", + "title": "Application development", "parts": [ { - "id": "control-0430-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "Software development, testing and production environments are segregated." } ] }, { - "id": "control-1404", - "title": "Access to systems and their resources", + "id": "control-1419", + "title": "Application development", "parts": [ { - "id": "control-1404-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-0407", - "title": "Access to systems and their resources", + "id": "control-1420", + "title": "Application development", "parts": [ { - "id": "control-0407-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n§ all personnel authorised to access the system, and their user identification\n§ who provided authorisation for access\n§ when access was granted\n§ the level of access that was granted\n§ when access, and the level of access, was last reviewed\n§ when the level of access was changed, and to what extent (if applicable)\n§ when access was withdrawn (if applicable)." 
+ "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-0441", - "title": "Access to systems and their resources", + "id": "control-1422", + "title": "Application development", "parts": [ { - "id": "control-0441-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-0443", - "title": "Access to systems and their resources", + "id": "control-1238", + "title": "Application development", "parts": [ { - "id": "control-0443-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, { - "id": "control-0078", - "title": "Access to systems and their resources", + "id": "control-0401", + "title": "Application development", "parts": [ { - "id": "control-0078-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." 
+ "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." } ] }, { - "id": "control-0854", - "title": "Access to systems and their resources", + "id": "control-0402", + "title": "Application development", "parts": [ { - "id": "control-0854-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] } ] - } - ] - }, - { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", - "groups": [ + }, { - "id": "authentication_hardening", - "title": "Authentication hardening", + "id": "web_application_development", + "title": "Web application development", "controls": [ { - "id": "control-1546", - "title": "Authentication hardening", + "id": "control-1239", + "title": "Web application development", "parts": [ { - "id": "control-1546-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-0974", - "title": "Authentication hardening", + "id": "control-1552", + "title": "Web application development", "parts": [ { - "id": "control-0974-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "All web application content is offered exclusively using HTTPS." 
} ] }, { - "id": "control-1173", - "title": "Authentication hardening", + "id": "control-1240", + "title": "Web application development", "parts": [ { - "id": "control-1173-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-1504", - "title": "Authentication hardening", + "id": "control-1241", + "title": "Web application development", "parts": [ { - "id": "control-1504-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "Output encoding is performed on all output produced by a web application." } ] }, { - "id": "control-1505", - "title": "Authentication hardening", + "id": "control-1424", + "title": "Web application development", "parts": [ { - "id": "control-1505-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-1401", - "title": "Authentication hardening", + "id": "control-0971", + "title": "Web application development", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_using_cryptography", + "title": "Guidelines for Using Cryptography", + "groups": [ + { + "id": "secure_shell", + "title": "Secure Shell", + "controls": [ + { + "id": "control-1506", + "title": "Secure Shell", + "parts": [ + { + "id": "control-1506-stmt", + "name": "statement", + "prose": "The use of SSH version 1 is disabled." } ] }, { - "id": "control-1559", - "title": "Authentication hardening", + "id": "control-0484", + "title": "Secure Shell", "parts": [ { - "id": "control-1559-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-1560", - "title": "Authentication hardening", + "id": "control-0485", + "title": "Secure Shell", "parts": [ { - "id": "control-1560-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "Public key-based authentication is used for SSH connections." } ] }, { - "id": "control-1561", - "title": "Authentication hardening", + "id": "control-1449", + "title": "Secure Shell", "parts": [ { - "id": "control-1561-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "SSH private keys are protected with a passphrase or a key encryption key." } ] }, { - "id": "control-1357", - "title": "Authentication hardening", + "id": "control-0487", + "title": "Secure Shell", "parts": [ { - "id": "control-1357-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." 
+ "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n§ access from IP addresses that do not require access\n§ port forwarding\n§ agent credential forwarding\n§ X11 display remoting\n§ console access." } ] }, { - "id": "control-0417", - "title": "Authentication hardening", + "id": "control-0488", + "title": "Secure Shell", "parts": [ { - "id": "control-0417-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." } ] }, { - "id": "control-0421", - "title": "Authentication hardening", + "id": "control-0489", + "title": "Secure Shell", "parts": [ { - "id": "control-0421-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + } + ] + } + ] + }, + { + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", + "controls": [ + { + "id": "control-0471", + "title": "ASD Approved Cryptographic Algorithms", + "parts": [ + { + "id": "control-0471-stmt", + "name": "statement", + "prose": "If using cryptographic equipment or software that implements an AACA, only AACAs can be used." 
} ] }, { - "id": "control-1557", - "title": "Authentication hardening", + "id": "control-0994", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." } ] }, { - "id": "control-0422", - "title": "Authentication hardening", + "id": "control-0472", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0422-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1558", - "title": "Authentication hardening", + "id": "control-0473", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n§ are not constructed from song lyrics, movies, literature or any other publically available material\n§ do not form a real sentence in a natural language\n§ are not a list of categorised words." + "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1403", - "title": "Authentication hardening", + "id": "control-1446", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1403-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." 
} ] }, { - "id": "control-0431", - "title": "Authentication hardening", + "id": "control-0474", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0431-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] }, { - "id": "control-0976", - "title": "Authentication hardening", + "id": "control-0475", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0976-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset." + "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] }, { - "id": "control-1227", - "title": "Authentication hardening", + "id": "control-0476", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1227-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1055", - "title": "Authentication hardening", + "id": "control-0477", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1055-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "LAN Manager is disabled for password/passphrase authentication." 
+ "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." } ] }, { - "id": "control-0418", - "title": "Authentication hardening", + "id": "control-1054", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0418-stmt", + "id": "control-1054-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." + "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." } ] }, { - "id": "control-1402", - "title": "Authentication hardening", + "id": "control-0479", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1402-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "Credentials are protected by ensuring:\n§ passwords/passphrases expire every 12 months\n§ passwords/passphrases are stored as salted hashes\n§ password/passphrase stretching is implemented\n§ passwords/passphrases that are compromised are revoked\n§ passwords/passphrases are never sent in the clear across networks." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." 
} ] }, { - "id": "control-0428", - "title": "Authentication hardening", + "id": "control-0480", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0428-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n§ activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n§ completely conceals all information on the screen\n§ ensures that the screen does not enter a power saving state before the screen or session lock is activated\n§ requires the user to reauthenticate to unlock the system\n§ denies users the ability to disable the session or screen locking mechanism." + "prose": "3DES is used with three distinct keys." } ] }, { - "id": "control-0408", - "title": "Authentication hardening", + "id": "control-1232", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0408-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "AACAs are used in an evaluated implementation." } ] }, { - "id": "control-0979", - "title": "Authentication hardening", + "id": "control-1468", + "title": "ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0979-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." 
} ] } ] }, { - "id": "operating_system_hardening", - "title": "Operating system hardening", + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", "controls": [ { - "id": "control-1407", - "title": "Operating system hardening", + "id": "control-0490", + "title": "Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-1407-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for Standard Operating Environments (SOEs)." + "prose": "Versions of S/MIME earlier than 3.0 are not used." } ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-1408", - "title": "Operating system hardening", + "id": "control-1139", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1408-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "Only the latest version of TLS is used." } ] }, { - "id": "control-1409", - "title": "Operating system hardening", + "id": "control-1369", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1409-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-0383", - "title": "Operating system hardening", + "id": "control-1370", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0383-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + "prose": "Only server-initiated secure renegotiation is used." 
} ] }, { - "id": "control-0380", - "title": "Operating system hardening", + "id": "control-1372", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0380-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "DH or ECDH is used for key establishment." } ] }, { - "id": "control-1491", - "title": "Operating system hardening", + "id": "control-1448", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1491-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." } ] }, { - "id": "control-1410", - "title": "Operating system hardening", + "id": "control-1373", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1410-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-1469", - "title": "Operating system hardening", + "id": "control-1374", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1469-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + "prose": "SHA-2-based certificates are used." 
} ] }, { - "id": "control-0382", - "title": "Operating system hardening", + "id": "control-1375", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0382-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "Users do not have the ability to install, uninstall or disable software." + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." } ] }, { - "id": "control-0843", - "title": "Operating system hardening", + "id": "control-1553", + "title": "Transport Layer Security", "parts": [ { - "id": "control-0843-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "An application whitelisting solution is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "TLS compression is disabled." } ] }, { - "id": "control-1490", - "title": "Operating system hardening", + "id": "control-1453", + "title": "Transport Layer Security", "parts": [ { - "id": "control-1490-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "An application whitelisting solution is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "PFS is used for TLS connections." } ] - }, + } + ] + }, + { + "id": "cryptographic_system_management", + "title": "Cryptographic system management", + "controls": [ { - "id": "control-0955", - "title": "Operating system hardening", + "id": "control-0501", + "title": "Cryptographic system management", "parts": [ { - "id": "control-0955-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "Application whitelisting is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." 
} ] }, { - "id": "control-1471", - "title": "Operating system hardening", + "id": "control-0142", + "title": "Cryptographic system management", "parts": [ { - "id": "control-1471-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "When implementing application whitelisting using publisher certificate rules, both publisher names and product names are used." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." } ] }, { - "id": "control-1392", - "title": "Operating system hardening", + "id": "control-1091", + "title": "Cryptographic system management", "parts": [ { - "id": "control-1392-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "When implementing application whitelisting using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "Keying material is changed when compromised or suspected of being compromised." } ] }, { - "id": "control-1544", - "title": "Operating system hardening", + "id": "control-0499", + "title": "Cryptographic system management", "parts": [ { - "id": "control-1544-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application whitelisting bypasses." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." 
} ] }, { - "id": "control-0846", - "title": "Operating system hardening", + "id": "control-0505", + "title": "Cryptographic system management", "parts": [ { - "id": "control-0846-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application whitelisting mechanisms." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." } ] }, { - "id": "control-0957", - "title": "Operating system hardening", + "id": "control-0506", + "title": "Cryptographic system management", "parts": [ { - "id": "control-0957-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "Application whitelisting solutions are configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." } ] - }, + } + ] + }, + { + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", + "controls": [ { - "id": "control-1414", - "title": "Operating system hardening", + "id": "control-1161", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1414-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." 
+ "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." } ] }, { - "id": "control-1492", - "title": "Operating system hardening", + "id": "control-0457", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1492-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "If supported, Microsoft's 'Exploit protection' functionality is implemented on workstations and servers." + "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] }, { - "id": "control-1341", - "title": "Operating system hardening", + "id": "control-0460", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1341-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-1034", - "title": "Operating system hardening", + "id": "control-0459", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1034-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." 
} ] }, { - "id": "control-1416", - "title": "Operating system hardening", + "id": "control-0461", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1416-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-1417", - "title": "Operating system hardening", + "id": "control-1080", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1417-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n§ signature-based detection enabled and set to a high level\n§ heuristic-based detection enabled and set to a high level\n§ detection signatures checked for currency and updated on at least a daily basis\n§ automatic and regular scanning configured for all fixed disks and removable media." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." } ] }, { - "id": "control-1390", - "title": "Operating system hardening", + "id": "control-0455", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1390-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." 
} ] }, { - "id": "control-1418", - "title": "Operating system hardening", + "id": "control-0462", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1418-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." + "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] - } - ] - }, - { - "id": "application_hardening", - "title": "Application hardening", - "controls": [ + }, { - "id": "control-0938", - "title": "Application hardening", + "id": "control-1162", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-0938-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1467", - "title": "Application hardening", + "id": "control-0465", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1467-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." 
+ "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1483", - "title": "Application hardening", + "id": "control-0467", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1483-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1412", - "title": "Application hardening", + "id": "control-0469", + "title": "Cryptographic fundamentals", "parts": [ { - "id": "control-1412-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ { - "id": "control-1484", - "title": "Application hardening", + "id": "control-0481", + "title": "ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-1484-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "If using cryptographic equipment or software that implements an AACP, only AACAs can be used." 
} ] - }, + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ { - "id": "control-1485", - "title": "Application hardening", + "id": "control-0494", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0494-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." } ] }, { - "id": "control-1486", - "title": "Application hardening", + "id": "control-0496", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1486-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "The ESP protocol is used for IPsec connections." } ] }, { - "id": "control-1541", - "title": "Application hardening", + "id": "control-1233", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1541-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-1542", - "title": "Application hardening", + "id": "control-0497", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1542-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." 
} ] }, { - "id": "control-1470", - "title": "Application hardening", + "id": "control-0498", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1470-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." } ] }, { - "id": "control-1235", - "title": "Application hardening", + "id": "control-0998", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1235-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-1487", - "title": "Application hardening", + "id": "control-0999", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1487-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." } ] }, { - "id": "control-1488", - "title": "Application hardening", + "id": "control-1000", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1488-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "PFS is used for IPsec connections." 
} ] }, { - "id": "control-1489", - "title": "Application hardening", + "id": "control-1001", + "title": "Internet Protocol Security", "parts": [ { - "id": "control-1489-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." } ] } 
@@ -5289,2039 +5312,2078 @@ ] }, { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", + "id": "guidelines_for_network_management", + "title": "Guidelines for Network Management", "groups": [ { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", "controls": [ { - "id": "control-0580", - "title": "Event logging and auditing", + "id": "control-1458", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0580-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." } ] }, { - "id": "control-1405", - "title": "Event logging and auditing", + "id": "control-1431", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1405-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with service providers, specifically:\n§ their capacity to withstand denial-of-service attacks\n§ any costs likely to be incurred by customers resulting from denial-of-service attacks\n§ thresholds for notifying customers or turning off their online services during denial-of-service attacks\n§ pre-approved actions that can be undertaken during denial-of-service attacks\n§ denial-of-service attack prevention arrangements with upstream providers to block malicious traffic as far upstream as possible." 
} ] }, { - "id": "control-0988", - "title": "Event logging and auditing", + "id": "control-1432", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0988-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." } ] }, { - "id": "control-0584", - "title": "Event logging and auditing", + "id": "control-1433", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0584-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "24x7 contact details are maintained for service providers and service providers maintain 24x7 contact details for their customers." } ] }, { - "id": "control-0582", - "title": "Event logging and auditing", + "id": "control-1434", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0582-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n§ access to important data and processes\n§ application crashes and any error messages\n§ attempts to use special privileges\n§ changes to accounts\n§ changes to security policy\n§ changes to system configurations\n§ Domain Name System (DNS) and Hypertext Transfer Protocol requests\n§ failed attempts to access data and system resources\n§ service failures and restarts\n§ system startup and shutdown\n§ transfer of data to external media\n§ user or group management\n§ use of special privileges." + "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." 
} ] }, { - "id": "control-1536", - "title": "Event logging and auditing", + "id": "control-1435", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1536-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n§ attempted access that is denied\n§ crashes and any error messages\n§ search queries initiated by users." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] }, { - "id": "control-1537", - "title": "Event logging and auditing", + "id": "control-1436", + "title": "Service continuity for online services", "parts": [ { - "id": "control-1537-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n§ access to particularly important information\n§ addition of new users, especially privileged users\n§ any query containing comments\n§ any query containing multiple embedded queries\n§ any query or database alerts or failures\n§ attempts to elevate privileges\n§ attempted access that is successful or unsuccessful\n§ changes to the database structure\n§ changes to user roles or database permissions\n§ database administrator actions\n§ database logons and logoffs\n§ modifications to data\n§ use of executable commands." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." } ] }, { - "id": "control-0585", - "title": "Event logging and auditing", + "id": "control-1518", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0585-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
+ "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." } ] }, { - "id": "control-0586", - "title": "Event logging and auditing", + "id": "control-1437", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0586-stmt", + "id": "control-1437-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." + "prose": "A cloud service provider, preferably multiple different cloud service providers, is used for hosting online services." } ] }, { - "id": "control-0859", - "title": "Event logging and auditing", + "id": "control-1438", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0859-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." } ] }, { - "id": "control-0991", - "title": "Event logging and auditing", + "id": "control-1439", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0991-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." 
} ] }, { - "id": "control-0109", - "title": "Event logging and auditing", + "id": "control-1441", + "title": "Service continuity for online services", "parts": [ { - "id": "control-0109-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "Where a requirement for high availability exists for online services, a denial of service mitigation service is used." + } + ] + } + ] + }, + { + "id": "wireless_networks", + "title": "Wireless networks", + "controls": [ + { + "id": "control-1314", + "title": "Wireless networks", + "parts": [ + { + "id": "control-1314-stmt", + "name": "statement", + "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-1228", - "title": "Event logging and auditing", + "id": "control-0536", + "title": "Wireless networks", "parts": [ { - "id": "control-1228-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." 
} ] - } - ] - }, - { - "id": "vulnerability_management", - "title": "Vulnerability management", - "controls": [ + }, { - "id": "control-1163", - "title": "Vulnerability management", + "id": "control-1315", + "title": "Wireless networks", "parts": [ { - "id": "control-1163-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "A vulnerability management policy is developed and implemented that includes:\n§ conducting vulnerability assessments and penetration tests for systems throughout their life cycle to identify security vulnerabilities\n§ analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n§ using a risk-based approach to prioritise the implementation of identified mitigations." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." } ] }, { - "id": "control-0911", - "title": "Vulnerability management", + "id": "control-1316", + "title": "Wireless networks", "parts": [ { - "id": "control-0911-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "Vulnerability assessments and penetration tests are conducted by suitably skilled personnel before a system is deployed, after a significant change to a system, and at least annually or as specified by the system owner." + "prose": "The default SSID of wireless access points is changed." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", - "groups": [ - { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", - "controls": [ + }, { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-1317", + "title": "Wireless networks", "parts": [ { - "id": "control-0123-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." } ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-1318", + "title": "Wireless networks", "parts": [ { - "id": "control-0141-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "When organisations use outsourced information technology or cloud services, their service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "SSID broadcasting is enabled on wireless networks." } ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents", + "id": "control-1319", + "title": "Wireless networks", "parts": [ { - "id": "control-0140-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." 
} ] - } - ] - }, - { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", - "controls": [ + }, { - "id": "control-0125", - "title": "Managing cyber security incidents", + "id": "control-1320", + "title": "Wireless networks", "parts": [ { - "id": "control-0125-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n§ the date the cyber security incident occurred\n§ the date the cyber security incident was discovered\n§ a description of the cyber security incident\n§ any actions taken in response to the cyber security incident\n§ to whom the cyber security incident was reported." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." } ] }, { - "id": "control-0133", - "title": "Managing cyber security incidents", + "id": "control-1321", + "title": "Wireless networks", "parts": [ { - "id": "control-0133-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] }, { - "id": "control-0917", - "title": "Managing cyber security incidents", + "id": "control-1322", + "title": "Wireless networks", "parts": [ { - "id": "control-0917-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n§ the infected systems are isolated\n§ all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n§ antivirus software is used to remove the infection from infected systems and media\n§ if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." 
+ "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." } ] }, { - "id": "control-0137", - "title": "Managing cyber security incidents", + "id": "control-1324", + "title": "Wireless networks", "parts": [ { - "id": "control-0137-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." } ] }, { - "id": "control-1213", - "title": "Managing cyber security incidents", + "id": "control-1323", + "title": "Wireless networks", "parts": [ { - "id": "control-1213-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + "prose": "Both device and user certificates are required for accessing wireless networks." } ] }, { - "id": "control-0138", - "title": "Managing cyber security incidents", + "id": "control-1325", + "title": "Wireless networks", "parts": [ { - "id": "control-0138-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators recording all of their actions and ensuring raw audit trails are copied onto media for archiving." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." 
} ] - } - ] - }, - { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", - "controls": [ + }, { - "id": "control-0576", - "title": "Detecting cyber security incidents", + "id": "control-1326", + "title": "Wireless networks", "parts": [ { - "id": "control-0576-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." } ] }, { - "id": "control-0120", - "title": "Detecting cyber security incidents", + "id": "control-1327", + "title": "Wireless networks", "parts": [ { - "id": "control-0120-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that any security alerts generated by systems are investigated and that systems and data sources are able to be searched for key indicators of compromise including but not limited to IP addresses, domains and file hashes." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems_management", - "title": "Guidelines for Database Systems Management", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Database servers", + "id": "control-1330", + "title": "Wireless networks", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." 
} ] }, { - "id": "control-1269", - "title": "Database servers", + "id": "control-1454", + "title": "Wireless networks", "parts": [ { - "id": "control-1269-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] }, { - "id": "control-1277", - "title": "Database servers", + "id": "control-1332", + "title": "Wireless networks", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." } ] }, { - "id": "control-1270", - "title": "Database servers", + "id": "control-1334", + "title": "Wireless networks", "parts": [ { - "id": "control-1270-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." } ] }, { - "id": "control-1271", - "title": "Database servers", + "id": "control-1335", + "title": "Wireless networks", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." 
} ] }, { - "id": "control-1272", - "title": "Database servers", + "id": "control-1338", + "title": "Wireless networks", "parts": [ { - "id": "control-1272-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." } ] }, { - "id": "control-1273", - "title": "Database servers", + "id": "control-1013", + "title": "Wireless networks", "parts": [ { - "id": "control-1273-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." } ] } ] }, { - "id": "database_management_system_software", - "title": "Database management system software", + "id": "network_design_and_configuration", + "title": "Network design and configuration", "controls": [ { - "id": "control-1245", - "title": "Database management system software", + "id": "control-0516", + "title": "Network design and configuration", "parts": [ { - "id": "control-1245-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." 
} ] }, { - "id": "control-1246", - "title": "Database management system software", + "id": "control-0518", + "title": "Network design and configuration", "parts": [ { - "id": "control-1246-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1247", - "title": "Database management system software", + "id": "control-1178", + "title": "Network design and configuration", "parts": [ { - "id": "control-1247-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." } ] }, { - "id": "control-1249", - "title": "Database management system software", + "id": "control-1181", + "title": "Network design and configuration", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." } ] }, { - "id": "control-1250", - "title": "Database management system software", + "id": "control-1532", + "title": "Network design and configuration", "parts": [ { - "id": "control-1250-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." 
+ "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1251", - "title": "Database management system software", + "id": "control-0529", + "title": "Network design and configuration", "parts": [ { - "id": "control-1251-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." } ] }, { - "id": "control-1260", - "title": "Database management system software", + "id": "control-1364", + "title": "Network design and configuration", "parts": [ { - "id": "control-1260-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." } ] }, { - "id": "control-1262", - "title": "Database management system software", + "id": "control-0535", + "title": "Network design and configuration", "parts": [ { - "id": "control-1262-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-1261", - "title": "Database management system software", + "id": "control-0530", + "title": "Network design and configuration", "parts": [ { - "id": "control-1261-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "Network devices implementing VLANs are managed from the most trusted network." 
} ] }, { - "id": "control-1263", - "title": "Database management system software", + "id": "control-0521", + "title": "Network design and configuration", "parts": [ { - "id": "control-1263-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-1264", - "title": "Database management system software", + "id": "control-1186", + "title": "Network design and configuration", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." } ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Databases", + "id": "control-1428", + "title": "Network design and configuration", "parts": [ { - "id": "control-1243-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-1256", - "title": "Databases", + "id": "control-1429", + "title": "Network design and configuration", "parts": [ { - "id": "control-1256-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." 
} ] }, { - "id": "control-1252", - "title": "Databases", + "id": "control-1430", + "title": "Network design and configuration", "parts": [ { - "id": "control-1252-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." } ] }, { - "id": "control-0393", - "title": "Databases", + "id": "control-0520", + "title": "Network design and configuration", "parts": [ { - "id": "control-0393-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] }, { - "id": "control-1255", - "title": "Databases", + "id": "control-1182", + "title": "Network design and configuration", "parts": [ { - "id": "control-1255-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] }, { - "id": "control-1268", - "title": "Databases", + "id": "control-1301", + "title": "Network design and configuration", "parts": [ { - "id": "control-1268-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." 
+ "prose": "A network device register is maintained and regularly audited." } ] }, { - "id": "control-1258", - "title": "Databases", + "id": "control-1304", + "title": "Network design and configuration", "parts": [ { - "id": "control-1258-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1274", - "title": "Databases", + "id": "control-0534", + "title": "Network design and configuration", "parts": [ { - "id": "control-1274-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "Unused physical ports on network devices are disabled." } ] }, { - "id": "control-1275", - "title": "Databases", + "id": "control-0385", + "title": "Network design and configuration", "parts": [ { - "id": "control-1275-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-1276", - "title": "Databases", + "id": "control-1479", + "title": "Network design and configuration", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." 
+ "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-1278", - "title": "Databases", + "id": "control-1460", + "title": "Network design and configuration", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware:\n§ the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner\n§ the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism\n§ the underlying operating system running on the server is hardened\n§ patches are applied to the isolation mechanism and underlying operating system in a timely manner\n§ integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ - { - "id": "mobile_device_usage", - "title": "Mobile device usage", - "controls": [ + }, { - "id": "control-1082", - "title": "Mobile device usage", + "id": "control-1462", + "title": "Network design and configuration", "parts": [ { - "id": "control-1082-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." 
} ] }, { - "id": "control-1083", - "title": "Mobile device usage", + "id": "control-1461", + "title": "Network design and configuration", "parts": [ { - "id": "control-1083-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." } ] }, { - "id": "control-0240", - "title": "Mobile device usage", + "id": "control-1006", + "title": "Network design and configuration", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." } ] }, { - "id": "control-0866", - "title": "Mobile device usage", + "id": "control-1311", + "title": "Network design and configuration", "parts": [ { - "id": "control-0866-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "SNMP version 1 and 2 are not used on networks." 
} ] }, { - "id": "control-1145", - "title": "Mobile device usage", + "id": "control-1312", + "title": "Network design and configuration", "parts": [ { - "id": "control-1145-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." } ] }, { - "id": "control-0871", - "title": "Mobile device usage", + "id": "control-1028", + "title": "Network design and configuration", "parts": [ { - "id": "control-0871-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage, including public network infrastructure." } ] }, { - "id": "control-0870", - "title": "Mobile device usage", + "id": "control-1030", + "title": "Network design and configuration", "parts": [ { - "id": "control-0870-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." } ] }, { - "id": "control-1084", - "title": "Mobile device usage", + "id": "control-1185", + "title": "Network design and configuration", "parts": [ { - "id": "control-1084-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." 
+ "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ { - "id": "control-0701", - "title": "Mobile device usage", + "id": "control-0123", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0701-stmt", + "id": "control-0123-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-0702", - "title": "Mobile device usage", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0702-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "When organisations use outsourced information technology or cloud services, their service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." 
} ] }, { - "id": "control-1298", - "title": "Mobile device usage", + "id": "control-0140", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1298-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "Cyber security incidents are reported to the ACSC." } ] - }, + } + ] + }, + { + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", + "controls": [ { - "id": "control-1554", - "title": "Mobile device usage", + "id": "control-0125", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1554-stmt", + "id": "control-0125-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n§ issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n§ advised on how to apply and inspect tamper seals to key areas of devices\n§ advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "A cyber security incident register is maintained with the following information:\n§ the date the cyber security incident occurred\n§ the date the cyber security incident was discovered\n§ a description of the cyber security incident\n§ any actions taken in response to the cyber security incident\n§ to whom the cyber security incident was reported." 
} ] }, { - "id": "control-1555", - "title": "Mobile device usage", + "id": "control-0133", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1555-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n§ record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n§ update all applications and operating systems\n§ remove all non-essential accounts, applications and data\n§ apply security configuration settings, such as lock screens\n§ configure remote locate and wipe functionality\n§ enable encryption, including for any media used\n§ backup all important data and configuration settings." + "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." } ] }, { - "id": "control-1299", - "title": "Mobile device usage", + "id": "control-0917", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1299-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n§ never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n§ never storing credentials with devices that they grant access to, such as in laptop bags\n§ never lending devices to untrusted people, even if briefly\n§ never allowing untrusted people to connect other devices or media to their devices, including for charging\n§ never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n§ avoiding connecting devices to open or untrusted Wi-Fi networks\n§ using an approved Virtual Private Network to encrypt all device communications\n§ using encrypted mobile applications for communications instead of using 
foreign telecommunication networks\n§ disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n§ avoiding reuse of media once used with other parties’ devices or systems\n§ ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n§ never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n§ the infected systems are isolated\n§ all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n§ antivirus software is used to remove the infection from infected systems and media\n§ if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." } ] }, { - "id": "control-1088", - "title": "Mobile device usage", + "id": "control-0137", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1088-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n§ provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n§ have devices or media stolen that are later returned\n§ lose devices or media that are later found\n§ observe unusual behaviour of devices." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." 
} ] }, { - "id": "control-1300", - "title": "Mobile device usage", + "id": "control-1213", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1300-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n§ sanitise and reset devices, including all media used with them\n§ decommission any physical credentials that left their possession during their travel\n§ report if significant doubt exists as to the integrity of any devices following their travel." + "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." } ] }, { - "id": "control-1556", - "title": "Mobile device usage", + "id": "control-0138", + "title": "Managing cyber security incidents", "parts": [ { - "id": "control-1556-stmt", + "id": "control-0138-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n§ reset user credentials used with devices, including those used for remote access to their organisation’s systems\n§ monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators recording all of their actions and ensuring raw audit trails are copied onto media for archiving." 
} ] } ] }, { - "id": "mobile_device_management", - "title": "Mobile device management", + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", "controls": [ { - "id": "control-1533", - "title": "Mobile device management", + "id": "control-0576", + "title": "Detecting cyber security incidents", "parts": [ { - "id": "control-1533-stmt", + "id": "control-0576-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "An intrusion detection and prevention policy is developed and implemented." } ] }, { - "id": "control-1195", - "title": "Mobile device management", + "id": "control-0120", + "title": "Detecting cyber security incidents", "parts": [ { - "id": "control-1195-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that any security alerts generated by systems are investigated and that systems and data sources are able to be searched for key indicators of compromise including but not limited to IP addresses, domains and file hashes." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems_management", + "title": "Guidelines for Database Systems Management", + "groups": [ + { + "id": "database_servers", + "title": "Database servers", + "controls": [ { - "id": "control-0687", - "title": "Mobile device management", + "id": "control-1425", + "title": "Database servers", "parts": [ { - "id": "control-0687-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "Hard disks of database servers are encrypted using full disk encryption." 
} ] }, { - "id": "control-1400", - "title": "Mobile device management", + "id": "control-1269", + "title": "Database servers", "parts": [ { - "id": "control-1400-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-0694", - "title": "Mobile device management", + "id": "control-1277", + "title": "Database servers", "parts": [ { - "id": "control-0694-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems." + "prose": "Information communicated between database servers and web applications is encrypted." } ] }, { - "id": "control-1297", - "title": "Mobile device management", + "id": "control-1270", + "title": "Database servers", "parts": [ { - "id": "control-1297-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "Prior to allowing privately-owned mobile devices to connect to an organisation’s systems, legal advice is sought." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-1482", - "title": "Mobile device management", + "id": "control-1271", + "title": "Database servers", "parts": [ { - "id": "control-1482-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." 
+ "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." } ] }, { - "id": "control-0869", - "title": "Mobile device management", + "id": "control-1272", + "title": "Database servers", "parts": [ { - "id": "control-0869-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." } ] }, { - "id": "control-1085", - "title": "Mobile device management", + "id": "control-1273", + "title": "Database servers", "parts": [ { - "id": "control-1085-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "Test and development environments do not use the same database servers as production environments." } ] - }, + } + ] + }, + { + "id": "databases", + "title": "Databases", + "controls": [ { - "id": "control-1202", - "title": "Mobile device management", + "id": "control-1243", + "title": "Databases", "parts": [ { - "id": "control-1202-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "A database register is maintained and regularly audited." 
} ] }, { - "id": "control-0682", - "title": "Mobile device management", + "id": "control-1256", + "title": "Databases", "parts": [ { - "id": "control-0682-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." + "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-1196", - "title": "Mobile device management", + "id": "control-1252", + "title": "Databases", "parts": [ { - "id": "control-1196-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1200", - "title": "Mobile device management", + "id": "control-0393", + "title": "Databases", "parts": [ { - "id": "control-1200-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." } ] }, { - "id": "control-1198", - "title": "Mobile device management", + "id": "control-1255", + "title": "Databases", "parts": [ { - "id": "control-1198-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." 
} ] }, { - "id": "control-1199", - "title": "Mobile device management", + "id": "control-1268", + "title": "Databases", "parts": [ { - "id": "control-1199-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." } ] }, { - "id": "control-0863", - "title": "Mobile device management", + "id": "control-1258", + "title": "Databases", "parts": [ { - "id": "control-0863-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." } ] }, { - "id": "control-0864", - "title": "Mobile device management", + "id": "control-1274", + "title": "Databases", "parts": [ { - "id": "control-0864-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." } ] }, { - "id": "control-1365", - "title": "Mobile device management", + "id": "control-1275", + "title": "Databases", "parts": [ { - "id": "control-1365-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." 
+ "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." } ] }, { - "id": "control-1366", - "title": "Mobile device management", + "id": "control-1276", + "title": "Databases", "parts": [ { - "id": "control-1366-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." } ] }, { - "id": "control-0874", - "title": "Mobile device management", + "id": "control-1278", + "title": "Databases", + "parts": [ + { + "id": "control-1278-stmt", + "name": "statement", + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + } + ] + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ + { + "id": "control-1245", + "title": "Database management system software", "parts": [ { - "id": "control-0874-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-0705", - "title": "Mobile device management", + "id": "control-1246", + "title": "Database management system software", "parts": [ { - "id": "control-0705-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "DBMS software is configured according to vendor guidance." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", - "groups": [ - { - "id": "cable_labelling_and_registration", - "title": "Cable labelling and registration", - "controls": [ + }, { - "id": "control-0201", - "title": "Cable labelling and registration", + "id": "control-1247", + "title": "Database management system software", "parts": [ { - "id": "control-0201-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." } ] }, { - "id": "control-0202", - "title": "Cable labelling and registration", + "id": "control-1249", + "title": "Database management system software", "parts": [ { - "id": "control-0202-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] }, { - "id": "control-0203", - "title": "Cable labelling and registration", + "id": "control-1250", + "title": "Database management system software", "parts": [ { - "id": "control-0203-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." 
} ] }, { - "id": "control-0204", - "title": "Cable labelling and registration", + "id": "control-1251", + "title": "Database management system software", "parts": [ { - "id": "control-0204-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." + "prose": "The ability of DBMS software to read local files from a server is disabled." } ] }, { - "id": "control-1095", - "title": "Cable labelling and registration", + "id": "control-1260", + "title": "Database management system software", "parts": [ { - "id": "control-1095-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-1096", - "title": "Cable labelling and registration", + "id": "control-1262", + "title": "Database management system software", "parts": [ { - "id": "control-1096-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." + "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-0206", - "title": "Cable labelling and registration", + "id": "control-1261", + "title": "Database management system software", "parts": [ { - "id": "control-0206-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." + "prose": "Database administrator accounts are not shared across different databases." 
} ] }, { - "id": "control-0208", - "title": "Cable labelling and registration", + "id": "control-1263", + "title": "Database management system software", "parts": [ { - "id": "control-0208-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "A cable register is maintained with the following information:\n§ cable identifier\n§ classification\n§ source\n§ destination\n§ site/floor plan diagram\n§ seal numbers (if applicable)." + "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-0211", - "title": "Cable labelling and registration", + "id": "control-1264", + "title": "Database management system software", "parts": [ { - "id": "control-0211-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "Cables are inspected for inconsistencies with the cable register in accordance with the frequency defined in a system’s System Security Plan." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ { - "id": "cable_patching", - "title": "Cable patching", + "id": "system_owners", + "title": "System owners", "controls": [ { - "id": "control-0213", - "title": "Cable patching", + "id": "control-1071", + "title": "System owners", "parts": [ { - "id": "control-0213-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "Only approved cable groups terminate on a patch panel." + "prose": "Each system has a designated system owner." 
} ] }, { - "id": "control-1093", - "title": "Cable patching", + "id": "control-1525", + "title": "System owners", "parts": [ { - "id": "control-1093-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." + "prose": "System owners register each system with the system’s authorising officer." } ] }, { - "id": "control-0214", - "title": "Cable patching", + "id": "control-0027", + "title": "System owners", "parts": [ { - "id": "control-0214-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." + "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." } ] }, { - "id": "control-1094", - "title": "Cable patching", + "id": "control-1526", + "title": "System owners", "parts": [ { - "id": "control-1094-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." + "prose": "System owners monitor security risks and the effectiveness of security controls for each system." 
} ] - }, + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ { - "id": "control-0216", - "title": "Cable patching", + "id": "control-0714", + "title": "Chief Information Security Officer", "parts": [ { - "id": "control-0216-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + "prose": "A CISO is appointed to provide cyber security leadership for their organisation." } ] }, { - "id": "control-0217", - "title": "Cable patching", + "id": "control-1478", + "title": "Chief Information Security Officer", "parts": [ { - "id": "control-0217-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n§ a physical barrier in the cabinet is provided to separate patch panels\n§ only personnel holding a Positive Vetting security clearance have access to the cabinet\n§ approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_email_management", + "title": "Guidelines for Email Management", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ + { + "id": "control-0569", + "title": "Email gateways and servers", + "parts": [ + { + "id": "control-0569-stmt", + "name": "statement", + "prose": "Email is routed through a centralised email gateway." 
} ] }, { - "id": "control-0218", - "title": "Cable patching", + "id": "control-0571", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0218-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." } ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ + }, { - "id": "control-0247", - "title": "Emanation security", + "id": "control-0570", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0247-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." } ] }, { - "id": "control-0248", - "title": "Emanation security", + "id": "control-0567", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0248-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
+ "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-1137", - "title": "Emanation security", + "id": "control-0572", + "title": "Email gateways and servers", "parts": [ { - "id": "control-1137-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." } ] }, { - "id": "control-0932", - "title": "Emanation security", + "id": "control-0574", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0932-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." } ] }, { - "id": "control-0249", - "title": "Emanation security", + "id": "control-1183", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0249-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "A hard fail SPF record is used when specifying email servers." 
} ] }, { - "id": "control-0246", - "title": "Emanation security", + "id": "control-1151", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0246-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "SPF is used to verify the authenticity of incoming emails." } ] }, { - "id": "control-0250", - "title": "Emanation security", + "id": "control-1152", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0250-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." } ] - } - ] - }, - { - "id": "cable_management", - "title": "Cable management", - "controls": [ + }, { - "id": "control-0181", - "title": "Cable management", + "id": "control-0861", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0181-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority (ACMA)." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-0926", - "title": "Cable management", + "id": "control-1026", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0926-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "DKIM signatures on received emails are verified." 
} ] }, { - "id": "control-0825", - "title": "Cable management", + "id": "control-1027", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0825-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." } ] }, { - "id": "control-0826", - "title": "Cable management", + "id": "control-1540", + "title": "Email gateways and servers", "parts": [ { - "id": "control-0826-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] }, { - "id": "control-1215", - "title": "Cable management", + "id": "control-1234", + "title": "Email gateways and servers", "parts": [ { - "id": "control-1215-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." + "prose": "Email content filtering controls are implemented for email bodies and attachments." } ] }, { - "id": "control-1216", - "title": "Cable management", + "id": "control-1502", + "title": "Email gateways and servers", "parts": [ { - "id": "control-1216-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." 
} ] }, { - "id": "control-1112", - "title": "Cable management", + "id": "control-1024", + "title": "Email gateways and servers", "parts": [ { - "id": "control-1112-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." } ] - }, + } + ] + }, + { + "id": "email_usage", + "title": "Email usage", + "controls": [ { - "id": "control-1118", - "title": "Cable management", + "id": "control-0264", + "title": "Email usage", "parts": [ { - "id": "control-1118-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "An email usage policy is developed and implemented." } ] }, { - "id": "control-1119", - "title": "Cable management", + "id": "control-0267", + "title": "Email usage", "parts": [ { - "id": "control-1119-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." + "prose": "Access to non-approved webmail services is blocked." } ] }, { - "id": "control-1126", - "title": "Cable management", + "id": "control-0270", + "title": "Email usage", "parts": [ { - "id": "control-1126-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." 
} ] }, { - "id": "control-0184", - "title": "Cable management", + "id": "control-0271", + "title": "Email usage", "parts": [ { - "id": "control-0184-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Protective marking tools do not automatically insert protective markings into emails." } ] }, { - "id": "control-0187", - "title": "Cable management", + "id": "control-0272", + "title": "Email usage", "parts": [ { - "id": "control-0187-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." } ] }, { - "id": "control-1111", - "title": "Cable management", + "id": "control-1089", + "title": "Email usage", "parts": [ { - "id": "control-1111-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." } ] }, { - "id": "control-0189", - "title": "Cable management", + "id": "control-0565", + "title": "Email usage", "parts": [ { - "id": "control-0189-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." 
} ] }, { - "id": "control-0190", - "title": "Cable management", + "id": "control-1023", + "title": "Email usage", "parts": [ { - "id": "control-0190-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-1114", - "title": "Cable management", + "id": "control-0269", + "title": "Email usage", "parts": [ { - "id": "control-1114-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." + "prose": "Emails containing AUSTEO or AGAO information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." } ] }, { - "id": "control-1130", - "title": "Cable management", + "id": "control-1539", + "title": "Email usage", "parts": [ { - "id": "control-1130-stmt", + "id": "control-1539-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-1164", - "title": "Cable management", + "id": "control-0039", + "title": "Development and maintenance of security documentation", "parts": [ { - "id": "control-1164-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-0195", - "title": "Cable management", + "id": "control-0047", + "title": "Development and maintenance of security documentation", "parts": [ { - "id": "control-0195-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." } ] }, { - "id": "control-0194", - "title": "Cable management", + "id": "control-0888", + "title": "Development and maintenance of security documentation", "parts": [ { - "id": "control-0194-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." 
} ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-1102", - "title": "Cable management", + "id": "control-0041", + "title": "System-specific security documentation", "parts": [ { - "id": "control-1102-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + "prose": "Systems have a SSP that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-1101", - "title": "Cable management", + "id": "control-0043", + "title": "System-specific security documentation", "parts": [ { - "id": "control-1101-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." 
+ "prose": "Systems have an IRP that covers the following:\n§ guidelines on what constitutes a cyber security incident\n§ the types of incidents likely to be encountered and the expected response to each type\n§ how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n§ other parties which need to be informed in the event of a cyber security incident\n§ the authority, or authorities, responsible for investigating and responding to cyber security incidents\n§ the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n§ the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n§ system contingency measures or a reference to such details if they are located in a separate document." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", + "groups": [ + { + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", + "controls": [ { - "id": "control-1103", - "title": "Cable management", + "id": "control-0252", + "title": "Cyber security awareness training", "parts": [ { - "id": "control-1103-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "Ongoing cyber security awareness training is provided to personnel and includes:\n§ the purpose of the cyber security awareness training\n§ security appointments and contacts within the organisation\n§ the authorised use of systems and their resources\n§ the protection of systems and their resources\n§ reporting of cyber security incidents and suspected compromises of systems and their resources." 
} ] }, { - "id": "control-1098", - "title": "Cable management", + "id": "control-0817", + "title": "Cyber security awareness training", "parts": [ { - "id": "control-1098-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, { - "id": "control-1100", - "title": "Cable management", + "id": "control-0820", + "title": "Cyber security awareness training", "parts": [ { - "id": "control-1100-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." } ] }, { - "id": "control-1116", - "title": "Cable management", + "id": "control-1146", + "title": "Cyber security awareness training", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." } ] }, { - "id": "control-1115", - "title": "Cable management", + "id": "control-0821", + "title": "Cyber security awareness training", "parts": [ { - "id": "control-1115-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." 
} ] }, { - "id": "control-1133", - "title": "Cable management", + "id": "control-0824", + "title": "Cyber security awareness training", "parts": [ { - "id": "control-1133-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in a party wall." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." } ] - }, + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ { - "id": "control-1122", - "title": "Cable management", + "id": "control-0432", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1122-stmt", + "id": "control-0432-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Each system’s System Security Plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources." } ] }, { - "id": "control-1134", - "title": "Cable management", + "id": "control-0434", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1134-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." 
} ] }, { - "id": "control-1104", - "title": "Cable management", + "id": "control-0435", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1104-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] }, { - "id": "control-1105", - "title": "Cable management", + "id": "control-0414", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1105-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." } ] }, { - "id": "control-1106", - "title": "Cable management", + "id": "control-0415", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1106-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-1107", - "title": "Cable management", + "id": "control-0975", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1107-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." 
} ] }, { - "id": "control-1109", - "title": "Cable management", + "id": "control-0420", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1109-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0198", - "title": "Cable management", + "id": "control-1538", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0198-stmt", + "id": "control-1538-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1123", - "title": "Cable management", + "id": "control-0405", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1123-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." 
} ] }, { - "id": "control-1135", - "title": "Cable management", + "id": "control-1503", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0336", - "title": "ICT equipment and media", + "id": "control-0409", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0336-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-0159", - "title": "ICT equipment and media", + "id": "control-0411", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0159-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." 
} ] }, { - "id": "control-0161", - "title": "ICT equipment and media", + "id": "control-0816", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0161-stmt", + "id": "control-0816-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." } ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-1507", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1543-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-0225", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-1508", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0225-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." 
} ] }, { - "id": "control-0829", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-0445", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0829-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." } ] }, { - "id": "control-1058", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-1509", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1058-stmt", + "id": "control-1509-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-0222", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-1175", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0222-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." 
} ] }, { - "id": "control-0223", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-0448", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0223-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n§ line of sight and reflected communications travelling into unsecured spaces\n§ multiple infrared keyboards for different systems being used in the same area\n§ other infrared devices being used in the same area\n§ infrared keyboards operating in areas with unprotected windows." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." } ] }, { - "id": "control-0224", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-0446", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0224-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n§ line of sight and reflected communications travelling into unsecured spaces\n§ multiple infrared keyboards for different systems being used in the same area\n§ other infrared devices being used in the same area\n§ infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." 
} ] }, { - "id": "control-0221", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "control-0447", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0221-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." } ] - } - ] - }, - { - "id": "facilities_and_systems", - "title": "Facilities and systems", - "controls": [ + }, { - "id": "control-0810", - "title": "Facilities and systems", + "id": "control-1545", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0810-stmt", + "id": "control-1545-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." } ] }, { - "id": "control-1053", - "title": "Facilities and systems", + "id": "control-0430", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1053-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." 
} ] }, { - "id": "control-1530", - "title": "Facilities and systems", + "id": "control-1404", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1530-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." } ] }, { - "id": "control-0813", - "title": "Facilities and systems", + "id": "control-0407", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "A secure record is maintained for the life of each system covering:\n§ all personnel authorised to access the system, and their user identification\n§ who provided authorisation for access\n§ when access was granted\n§ the level of access that was granted\n§ when access, and the level of access, was last reviewed\n§ when the level of access was changed, and to what extent (if applicable)\n§ when access was withdrawn (if applicable)." } ] }, { - "id": "control-1074", - "title": "Facilities and systems", + "id": "control-0441", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1074-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." 
} ] }, { - "id": "control-0157", - "title": "Facilities and systems", + "id": "control-0443", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0157-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." } ] }, { - "id": "control-1296", - "title": "Facilities and systems", + "id": "control-0078", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." } ] }, { - "id": "control-0164", - "title": "Facilities and systems", + "id": "control-0854", + "title": "Access to systems and their resources", "parts": [ { - "id": "control-0164-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] } 
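Review bot: this hunk pairs unrelated controls in the textual diff (`- "id": "control-0829"` against `+ "id": "control-0445"`, and the deleted `facilities_and_systems` group against appended `Access to systems and their resources` controls), so it cannot be reviewed for correctness as a patch, and the wireless/RF controls 0829, 1058, 0222, 0223, 0224, 0221 and the facilities controls 0810, 1053, 1530, 0813, 1074, 0157, 1296, 0164 disappear here with no visible destination. Please state in the PR description whether these controls were relocated elsewhere in the regenerated catalog or intentionally dropped, and attach a semantic comparison (sorted list of control ids with their statement prose, before and after) so the regeneration can be checked without reading the full diff.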
@@ -7330,895 +7392,833 @@ ] }, { - "id": "guidelines_for_data_transfers_and_content_filtering", - "title": "Guidelines for Data Transfers and Content Filtering", + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", "groups": [ { - "id": "content_filtering", - "title": "Content filtering", + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", "controls": [ { - "id": "control-0659", - "title": "Content filtering", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0659-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-0546", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1524-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." } ] }, { - "id": "control-0651", - "title": "Content filtering", + "id": "control-0547", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0651-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "Video conferencing and IP telephony signalling and data is encrypted." 
} ] }, { - "id": "control-0652", - "title": "Content filtering", + "id": "control-0548", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0652-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-1389", - "title": "Content filtering", + "id": "control-0554", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1389-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-1284", - "title": "Content filtering", + "id": "control-0553", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1284-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." } ] }, { - "id": "control-1286", - "title": "Content filtering", + "id": "control-0555", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1286-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." 
+ "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-1287", - "title": "Content filtering", + "id": "control-0551", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1287-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "IP telephony is configured such that:\n§ IP phones authenticate themselves to the call controller upon registration\n§ auto-registration is disabled and only authorised devices are allowed to access the network\n§ unauthorised devices are blocked by default\n§ all unused and prohibited functionality is disabled." } ] }, { - "id": "control-1288", - "title": "Content filtering", + "id": "control-1014", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1288-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Individual logins are used for IP phones." } ] }, { - "id": "control-1289", - "title": "Content filtering", + "id": "control-0549", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1289-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." 
} ] }, { - "id": "control-1290", - "title": "Content filtering", + "id": "control-0556", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1290-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-1291", - "title": "Content filtering", + "id": "control-1015", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Traditional analog phones are used in public areas." } ] }, { - "id": "control-0649", - "title": "Content filtering", + "id": "control-0558", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0649-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "A whitelist of allowed content types is implemented." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] }, { - "id": "control-1292", - "title": "Content filtering", + "id": "control-0559", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1292-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." 
} ] }, { - "id": "control-0677", - "title": "Content filtering", + "id": "control-1450", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-0677-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." } ] }, { - "id": "control-1293", - "title": "Content filtering", + "id": "control-1019", + "title": "Video conferencing and Internet Protocol telephony", "parts": [ { - "id": "control-1293-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "A denial of service response plan is developed and implemented that includes:\n§ how to identify signs of a denial of service\n§ how to identify the source of a denial of service\n§ how capabilities can be maintained during a denial of service\n§ what actions can be taken to clear a denial of service." } ] } ] }, { - "id": "data_transfers", - "title": "Data transfers", + "id": "telephone_systems", + "title": "Telephone systems", "controls": [ { - "id": "control-0663", - "title": "Data transfers", - "parts": [ - { - "id": "control-0663-stmt", - "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." - } - ] - }, - { - "id": "control-0661", - "title": "Data transfers", - "parts": [ - { - "id": "control-0661-stmt", - "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." 
- } - ] - }, - { - "id": "control-0665", - "title": "Data transfers", - "parts": [ - { - "id": "control-0665-stmt", - "name": "statement", - "prose": "Trusted sources are a strictly limited number of personnel that have been authorised as such by an organisation’s CISO." - } - ] - }, - { - "id": "control-0675", - "title": "Data transfers", + "id": "control-1078", + "title": "Telephone systems", "parts": [ { - "id": "control-0675-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "A trusted source makes an informed decision to sign all data authorised for export from a security domain." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-0664", - "title": "Data transfers", + "id": "control-0229", + "title": "Telephone systems", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-0657", - "title": "Data transfers", + "id": "control-0230", + "title": "Telephone systems", "parts": [ { - "id": "control-0657-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." 
} ] }, { - "id": "control-0658", - "title": "Data transfers", + "id": "control-0231", + "title": "Telephone systems", "parts": [ { - "id": "control-0658-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-1187", - "title": "Data transfers", + "id": "control-0232", + "title": "Telephone systems", "parts": [ { - "id": "control-1187-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0669", - "title": "Data transfers", + "id": "control-0233", + "title": "Telephone systems", "parts": [ { - "id": "control-0669-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n§ protective marking checks\n§ data format checks and logging\n§ monitoring to detect overuse/unusual usage patterns\n§ limitations on data types and sizes\n§ keyword searches on all textual data." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." } ] }, { - "id": "control-1535", - "title": "Data transfers", + "id": "control-0235", + "title": "Telephone systems", "parts": [ { - "id": "control-1535-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." 
+ "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-0678", - "title": "Data transfers", + "id": "control-0236", + "title": "Telephone systems", "parts": [ { - "id": "control-0678-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." } ] }, { - "id": "control-0667", - "title": "Data transfers", + "id": "control-0931", + "title": "Telephone systems", "parts": [ { - "id": "control-0667-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "Data exported from each security domain, including through a gateway, is only permitted once the classification has been assessed including a protective marking check." + "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." } ] }, { - "id": "control-0660", - "title": "Data transfers", + "id": "control-0237", + "title": "Telephone systems", "parts": [ { - "id": "control-0660-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "When importing data to each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." + "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." 
} ] - }, + } + ] + }, + { + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", + "controls": [ { - "id": "control-0673", - "title": "Data transfers", + "id": "control-0588", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-0673-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "When exporting data out of each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." + "prose": "A fax machine and MFD usage policy is developed and implemented." } ] }, { - "id": "control-1294", - "title": "Data transfers", + "id": "control-1092", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-1294-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "When importing content to a security domain, including through a gateway, monthly audits of the imported content are performed." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." } ] }, { - "id": "control-1295", - "title": "Data transfers", + "id": "control-0241", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-1295-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "When exporting content out of a security domain, including through a gateway, monthly audits of the exported content are performed." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment_management", - "title": "Guidelines for ICT Equipment Management", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1075", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-0313-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." } ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0590", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-1550-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." } ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0245", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-0311-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." 
+ "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0589", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-1217-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." } ] }, { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1036", + "title": "Fax machines and multifunction devices", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ { - "id": "control-0315", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1510", + "title": "Data backup and restoration", "parts": [ { - "id": "control-0315-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-1218", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1547", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1218-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." } ] }, { - "id": "control-0312", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1548", + "title": "Data backup and restoration", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
} ] }, { - "id": "control-0317", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1511", + "title": "Data backup and restoration", "parts": [ { - "id": "control-0317-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] }, { - "id": "control-1219", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1512", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." } ] }, { - "id": "control-1220", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1513", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1220-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "Backups are stored at a multiple geographically-dispersed locations." } ] }, { - "id": "control-1221", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1514", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1221-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Backups are stored for three months or greater." 
} ] }, { - "id": "control-0318", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1515", + "title": "Data backup and restoration", "parts": [ { - "id": "control-0318-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1534", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1516", + "title": "Data backup and restoration", "parts": [ { - "id": "control-1534-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." } ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-1076", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1211", + "title": "Change management", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n§ identification and documentation of requests for change\n§ approval required for changes to be made\n§ implementation and testing of approved changes\n§ the maintenance of system and security documentation." 
} ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-1222", - "title": "ICT equipment sanitisation and disposal", + "id": "control-0042", + "title": "System administration", "parts": [ { - "id": "control-1222-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." } ] }, { - "id": "control-1223", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1380", + "title": "System administration", "parts": [ { - "id": "control-1223-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n§ following device-specific guidance provided by the ACSC\n§ following vendor sanitisation guidance\n§ loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] }, - { - "id": "control-1225", - "title": "ICT equipment sanitisation and disposal", + { + "id": "control-1382", + "title": "System administration", "parts": [ { - "id": "control-1225-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." 
} ] }, { - "id": "control-1226", - "title": "ICT equipment sanitisation and disposal", + "id": "control-1381", + "title": "System administration", "parts": [ { - "id": "control-1226-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." } ] - } - ] - }, - { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", - "controls": [ + }, { - "id": "control-1079", - "title": "ICT equipment maintenance and repairs", + "id": "control-1383", + "title": "System administration", "parts": [ { - "id": "control-1079-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." } ] }, { - "id": "control-0305", - "title": "ICT equipment maintenance and repairs", + "id": "control-1384", + "title": "System administration", "parts": [ { - "id": "control-0305-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "Multi-factor authentication is used to authenticate users each time they perform privileged actions." 
} ] }, { - "id": "control-0307", - "title": "ICT equipment maintenance and repairs", + "id": "control-1385", + "title": "System administration", "parts": [ { - "id": "control-0307-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." } ] }, { - "id": "control-0306", - "title": "ICT equipment maintenance and repairs", + "id": "control-1386", + "title": "System administration", "parts": [ { - "id": "control-0306-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n§ is appropriately cleared and briefed\n§ takes due care to ensure that information is not disclosed\n§ takes all responsible measures to ensure the integrity of the ICT equipment\n§ has the authority to direct the technician\n§ is sufficiently familiar with the ICT equipment to understand the work being performed." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-0310", - "title": "ICT equipment maintenance and repairs", + "id": "control-1387", + "title": "System administration", "parts": [ { - "id": "control-0310-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." + "prose": "All administrative actions are conducted through a jump server." 
} ] }, { - "id": "control-0944", - "title": "ICT equipment maintenance and repairs", + "id": "control-1388", + "title": "System administration", "parts": [ { - "id": "control-0944-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." } ] } ] }, { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", + "id": "system_patching", + "title": "System patching", "controls": [ { - "id": "control-1551", - "title": "ICT equipment usage", + "id": "control-1143", + "title": "System patching", "parts": [ { - "id": "control-1551-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-0293", - "title": "ICT equipment usage", + "id": "control-1493", + "title": "System patching", "parts": [ { - "id": "control-0293-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." 
} ] }, { - "id": "control-0294", - "title": "ICT equipment usage", + "id": "control-1144", + "title": "System patching", "parts": [ { - "id": "control-0294-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0296", - "title": "ICT equipment usage", - "parts": [ - { - "id": "control-0296-stmt", - "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ - { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", - "controls": [ - { - "id": "control-0714", - "title": "Chief Information Security Officer", + "id": "control-0940", + "title": "System patching", "parts": [ { - "id": "control-0714-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership for their organisation." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-1478", - "title": "Chief Information Security Officer", + "id": "control-1472", + "title": "System patching", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ + }, { - "id": "control-1071", - "title": "System owners", + "id": "control-1494", + "title": "System patching", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1525", - "title": "System owners", + "id": "control-1495", + "title": "System patching", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "System owners register each system with the system’s authorising officer." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-0027", - "title": "System owners", + "id": "control-1496", + "title": "System patching", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." + "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1526", - "title": "System owners", + "id": "control-0300", + "title": "System patching", "parts": [ { - "id": "control-1526-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "System owners monitor security risks and the effectiveness of security controls for each system." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ - { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", - "controls": [ + }, { - "id": "control-0100", - "title": "Information technology and cloud services", + "id": "control-0298", + "title": "System patching", "parts": [ { - "id": "control-0100-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program assessors at least every two years." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." 
} ] }, { - "id": "control-1395", - "title": "Information technology and cloud services", + "id": "control-0303", + "title": "System patching", "parts": [ { - "id": "control-1395-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "If using an outsourced information technology or cloud service, the service provider provides an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." } ] }, { - "id": "control-1529", - "title": "Information technology and cloud services", + "id": "control-1497", + "title": "System patching", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "If using outsourced cloud services for highly classified information, public clouds are not used." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-0873", - "title": "Information technology and cloud services", + "id": "control-1498", + "title": "System patching", "parts": [ { - "id": "control-0873-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "If using an outsourced information technology or cloud service, a service provider whose systems are located in Australia is used." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." 
} ] }, { - "id": "control-0072", - "title": "Information technology and cloud services", + "id": "control-1499", + "title": "System patching", "parts": [ { - "id": "control-0072-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Any security controls associated with the protection of information entrusted to a service provider are documented in contract provisions, a memorandum of understanding or an equivalent formal agreement between parties." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." } ] }, { - "id": "control-1073", - "title": "Information technology and cloud services", + "id": "control-1500", + "title": "System patching", "parts": [ { - "id": "control-1073-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider from outside Australian borders unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1451", - "title": "Information technology and cloud services", + "id": "control-0304", + "title": "System patching", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "When entering into a contractual arrangement for outsourced information technology or cloud services, contractual ownership over an organisation’s data is explicitly retained." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." 
} ] }, { - "id": "control-1452", - "title": "Information technology and cloud services", + "id": "control-1501", + "title": "System patching", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "A review of suppliers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } diff --git a/ISM_catalog_profile/catalogs/ISM_March_2021/catalog.json b/ISM_catalog_profile/catalogs/ISM_March_2021/catalog.json index 9bb6791..c4f686e 100644 --- a/ISM_catalog_profile/catalogs/ISM_March_2021/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_March_2021/catalog.json 
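Review bot: the visible part of this hunk is a wholesale reorder of groups rather than a content change (the `ict_equipment_*`, `guidelines_for_cyber_security_roles` and `guidelines_for_outsourcing` groups are removed here while `change_management`, `system_administration` and `system_patching` controls are inserted with identical prose), which makes it impossible to confirm from the diff alone that no control was dropped or duplicated; add a check to the generator or CI that compares the sorted list of control ids (for example `control-0042`, `control-1211`, `control-1493`) between the old and new catalog.json and fails on any difference, and have the generator emit groups in a fixed, documented order so that a trestle upgrade does not churn thousands of lines per catalog and hide real edits.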
@@ -1,1301 +1,1135 @@ { "catalog": { - "uuid": "8f4727ea-c934-43e7-9383-bd6c9992795a", + "uuid": "f0008097-1730-45d7-b54b-b4049bd485f4", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:20:23.771+00:00", + "last-modified": "2022-04-28T11:43:43.817786+10:00", "version": "March_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration process and procedures", + "id": "control-0580", + "title": "Event logging policy", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "Separate administrator workstations", + "id": "control-1405", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1382", - "title": "Separate administrator workstations", + "id": "control-0988", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1381", - "title": "Separate administrator workstations", + "id": "control-0584", + "title": "Events to be logged", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1383", - "title": "Separate administrator workstations", + "id": "control-0582", + "title": "Events to be logged", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." 
} ] }, { - "id": "control-1385", - "title": "Dedicated administration zones and communication restrictions", + "id": "control-1536", + "title": "Events to be logged", "parts": [ { - "id": "control-1385-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." } ] }, { - "id": "control-1386", - "title": "Restriction of management traffic flows", + "id": "control-1537", + "title": "Events to be logged", "parts": [ { - "id": "control-1386-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." } ] }, { - "id": "control-1387", - "title": "Jump servers", + "id": "control-0585", + "title": "Events log details", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-1388", - "title": "Jump servers", + "id": "control-0586", + "title": "Event log protection", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management process and procedures", + "id": "control-0859", + "title": "Event log retention", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "Patch management process and procedures", + "id": "control-0991", + "title": "Event log retention", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] }, { - "id": "control-1493", - "title": "Patch management process and procedures", + "id": "control-0109", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1493-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1144", - "title": "When to patch security vulnerabilities", + "id": "control-1228", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1144-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_email", + "title": "Guidelines for Email", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ { - "id": "control-0940", - "title": "When to patch security vulnerabilities", + "id": "control-0569", + "title": "Centralised email gateways", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0569-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email is routed through a centralised email gateway." } ] }, { - "id": "control-1472", - "title": "When to patch security vulnerabilities", + "id": "control-0571", + "title": "Centralised email gateways", "parts": [ { - "id": "control-1472-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." } ] }, { - "id": "control-1494", - "title": "When to patch security vulnerabilities", + "id": "control-0570", + "title": "Email gateway maintenance activities", "parts": [ { - "id": "control-1494-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
+ "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." } ] }, { - "id": "control-1495", - "title": "When to patch security vulnerabilities", + "id": "control-0567", + "title": "Open relay email servers", "parts": [ { - "id": "control-1495-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-1496", - "title": "When to patch security vulnerabilities", + "id": "control-0572", + "title": "Email server transport encryption", "parts": [ { - "id": "control-1496-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." } ] }, { - "id": "control-0300", - "title": "When to patch security vulnerabilities", + "id": "control-1589", + "title": "Email server transport encryption", "parts": [ { - "id": "control-0300-stmt", + "id": "control-1589-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." 
} ] }, { - "id": "control-0298", - "title": "How to patch security vulnerabilities", + "id": "control-0574", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." } ] }, { - "id": "control-0303", - "title": "How to patch security vulnerabilities", + "id": "control-1183", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0303-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "A hard fail SPF record is used when specifying email servers." } ] }, { - "id": "control-1497", - "title": "How to patch security vulnerabilities", + "id": "control-1151", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1497-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "SPF is used to verify the authenticity of incoming emails." } ] }, { - "id": "control-1498", - "title": "How to patch security vulnerabilities", + "id": "control-1152", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1498-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
} ] }, { - "id": "control-1499", - "title": "How to patch security vulnerabilities", + "id": "control-0861", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-1500", - "title": "How to patch security vulnerabilities", + "id": "control-1026", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1500-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "DKIM signatures on received emails are verified." } ] }, { - "id": "control-0304", - "title": "Cessation of support", + "id": "control-1027", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0304-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." 
} ] }, { - "id": "control-1501", - "title": "Cessation of support", + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", "parts": [ { - "id": "control-1501-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." - } - ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ - { - "id": "control-1510", - "title": "Digital preservation policy", - "parts": [ - { - "id": "control-1510-stmt", - "name": "statement", - "prose": "A digital preservation policy is developed and implemented." - } - ] - }, - { - "id": "control-1547", - "title": "Data backup and restoration processes and procedures", - "parts": [ - { - "id": "control-1547-stmt", - "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] }, { - "id": "control-1548", - "title": "Data backup and restoration processes and procedures", - "parts": [ - { - "id": "control-1548-stmt", - "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." - } - ] - }, - { - "id": "control-1511", - "title": "Performing backups", - "parts": [ - { - "id": "control-1511-stmt", - "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." 
- } - ] - }, - { - "id": "control-1512", - "title": "Backup storage", - "parts": [ - { - "id": "control-1512-stmt", - "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." - } - ] - }, - { - "id": "control-1513", - "title": "Backup storage", - "parts": [ - { - "id": "control-1513-stmt", - "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." - } - ] - }, - { - "id": "control-1514", - "title": "Retention periods for backups", + "id": "control-1234", + "title": "Email content filtering", "parts": [ { - "id": "control-1514-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Email content filtering controls are implemented for email bodies and attachments." } ] }, { - "id": "control-1515", - "title": "Testing restoration of backups", + "id": "control-1502", + "title": "Blocking suspicious emails", "parts": [ { - "id": "control-1515-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." } ] }, { - "id": "control-1516", - "title": "Testing restoration of backups", + "id": "control-1024", + "title": "Undeliverable messages", "parts": [ { - "id": "control-1516-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_gateways", - "title": "Guidelines for Gateways", - "groups": [ + }, { - "id": "firewalls", - "title": "Firewalls", + "id": "email_usage", + "title": "Email usage", "controls": [ { - "id": "control-1528", - "title": "Using firewalls", - "parts": [ - { - "id": "control-1528-stmt", - "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." - } - ] - }, - { - "id": "control-0639", - "title": "Using firewalls", - "parts": [ - { - "id": "control-0639-stmt", - "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." - } - ] - }, - { - "id": "control-1194", - "title": "Using firewalls", + "id": "control-0264", + "title": "Email usage policy", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "An email usage policy is developed and implemented." } ] }, { - "id": "control-0641", - "title": "Firewalls for particularly important networks", + "id": "control-0267", + "title": "Webmail services", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "Access to non-approved webmail services is blocked." 
} ] }, { - "id": "control-0642", - "title": "Firewalls for particularly important networks", - "parts": [ - { - "id": "control-0642-stmt", - "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." - } - ] - } - ] - }, - { - "id": "gateways", - "title": "Gateways", - "controls": [ - { - "id": "control-0628", - "title": "Gateway architecture and configuration", + "id": "control-0270", + "title": "Protective markings for emails", "parts": [ { - "id": "control-0628-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." } ] }, { - "id": "control-1192", - "title": "Gateway architecture and configuration", + "id": "control-0271", + "title": "Protective marking tools", "parts": [ { - "id": "control-1192-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "Protective marking tools do not automatically insert protective markings into emails." 
} ] }, { - "id": "control-0631", - "title": "Gateway architecture and configuration", + "id": "control-0272", + "title": "Protective marking tools", "parts": [ { - "id": "control-0631-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." } ] }, { - "id": "control-1427", - "title": "Gateway architecture and configuration", + "id": "control-1089", + "title": "Protective marking tools", "parts": [ { - "id": "control-1427-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." 
} ] }, { - "id": "control-0634", - "title": "Gateway operation", + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0634-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." } ] }, { - "id": "control-0637", - "title": "Demilitarised zones", + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0637-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-1037", - "title": "Gateway testing", + "id": "control-0269", + "title": "Email distribution lists", "parts": [ { - "id": "control-1037-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." 
+ "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ + { + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", + "controls": [ { - "id": "control-0611", - "title": "Gateway administration", + "id": "control-0336", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0611-stmt", + "id": "control-0336-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "An ICT equipment and media register is maintained and regularly audited." } ] }, { - "id": "control-0612", - "title": "Gateway administration", + "id": "control-0159", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0612-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "All ICT equipment and media are accounted for on a regular basis." } ] }, { - "id": "control-1520", - "title": "Gateway administration", + "id": "control-0161", + "title": "Securing ICT equipment and media", "parts": [ { - "id": "control-1520-stmt", + "id": "control-0161-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "ICT equipment and media are secured when not in use." 
} ] - }, + } + ] + }, + { + "id": "facilities_and_systems", + "title": "Facilities and systems", + "controls": [ { - "id": "control-0613", - "title": "Gateway administration", + "id": "control-0810", + "title": "Facilities containing systems", "parts": [ { - "id": "control-0613-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." } ] }, { - "id": "control-0616", - "title": "Gateway administration", + "id": "control-1053", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0616-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "Roles for the administration of gateways are separated." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." } ] }, { - "id": "control-0629", - "title": "Gateway administration", + "id": "control-1530", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0629-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." 
} ] }, { - "id": "control-0607", - "title": "Shared ownership of gateways", + "id": "control-0813", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0607-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0619", - "title": "Gateway authentication", + "id": "control-1074", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0619-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." } ] }, { - "id": "control-0620", - "title": "Gateway authentication", + "id": "control-0157", + "title": "Network infrastructure", "parts": [ { - "id": "control-0620-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." } ] }, { - "id": "control-1039", - "title": "Gateway authentication", + "id": "control-1296", + "title": "Controlling physical access to network devices", "parts": [ { - "id": "control-1039-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." 
} ] }, { - "id": "control-0622", - "title": "ICT equipment authentication", + "id": "control-0164", + "title": "Preventing observation by unauthorised people", "parts": [ { - "id": "control-0622-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." } ] } ] }, { - "id": "diodes", - "title": "Diodes", + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", "controls": [ { - "id": "control-0643", - "title": "Using diodes", - "parts": [ - { - "id": "control-0643-stmt", - "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." - } - ] - }, - { - "id": "control-0645", - "title": "Using diodes", - "parts": [ - { - "id": "control-0645-stmt", - "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." - } - ] - }, - { - "id": "control-1157", - "title": "Using diodes", - "parts": [ - { - "id": "control-1157-stmt", - "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." - } - ] - }, - { - "id": "control-1158", - "title": "Using diodes", - "parts": [ - { - "id": "control-1158-stmt", - "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." 
- } - ] - }, - { - "id": "control-0646", - "title": "Diodes for particularly important networks", + "id": "control-1543", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0646-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." } ] }, { - "id": "control-0647", - "title": "Diodes for particularly important networks", + "id": "control-0225", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0647-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-0648", - "title": "Volume checking", - "parts": [ - { - "id": "control-0648-stmt", - "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." - } - ] - } - ] - }, - { - "id": "content_filtering", - "title": "Content filtering", - "controls": [ - { - "id": "control-0659", - "title": "Content filtering", + "id": "control-0829", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0659-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." 
} ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-1058", + "title": "Bluetooth and wireless keyboards", "parts": [ { - "id": "control-1524-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." } ] }, { - "id": "control-0651", - "title": "Active, malicious and suspicious content", + "id": "control-0222", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0651-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-0652", - "title": "Active, malicious and suspicious content", + "id": "control-0223", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0652-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." 
} ] }, { - "id": "control-1389", - "title": "Automated dynamic analysis", + "id": "control-0224", + "title": "Infrared keyboards", "parts": [ { - "id": "control-1389-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." } ] }, { - "id": "control-1284", - "title": "Content validation", + "id": "control-0221", + "title": "Wireless RF pointing devices", "parts": [ { - "id": "control-1284-stmt", + "id": "control-0221-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ + { + "id": "mobile_device_management", + "title": "Mobile device management", + "controls": [ { - "id": "control-1286", - "title": "Content conversion and transformation", + "id": "control-1533", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1286-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "A mobile device management policy is developed and implemented." 
} ] }, { - "id": "control-1287", - "title": "Content sanitisation", + "id": "control-1195", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1287-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." } ] }, { - "id": "control-1288", - "title": "Antivirus scanning", + "id": "control-0687", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1288-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-1289", - "title": "Archive and container files", + "id": "control-1400", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1289-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." 
} ] }, { - "id": "control-1290", - "title": "Archive and container files", + "id": "control-0694", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1290-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Privately-owned mobile devices do not access highly classified systems or information." } ] }, { - "id": "control-1291", - "title": "Archive and container files", + "id": "control-1297", + "title": "Seeking legal advice for privately-owned mobile devices", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." } ] }, { - "id": "control-0649", - "title": "Allowing access to specific content types", + "id": "control-1482", + "title": "Organisation-owned mobile devices", "parts": [ { - "id": "control-0649-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] }, { - "id": "control-1292", - "title": "Data integrity", + "id": "control-0869", + "title": "Mobile device storage encryption", "parts": [ { - "id": "control-1292-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, { - "id": "control-0677", - "title": "Data integrity", + "id": "control-1085", + "title": "Mobile device communications encryption", "parts": [ { - "id": "control-0677-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-1293", - "title": "Encrypted data", + "id": "control-1202", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-1293-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] - } - ] - }, - { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", - "controls": [ + }, { - "id": "control-0626", - "title": "When to implement a Cross Domain Solution", + "id": "control-0682", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0626-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
} ] }, { - "id": "control-0597", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1196", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-0597-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-0627", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1200", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-0627-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-0635", - "title": "Separation of data flows", + "id": "control-1198", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-0635-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." 
} ] }, { - "id": "control-1521", - "title": "Separation of data flows", + "id": "control-1199", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1521-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." } ] }, { - "id": "control-1522", - "title": "Separation of data flows", + "id": "control-0863", + "title": "Configuration control", "parts": [ { - "id": "control-1522-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-0670", - "title": "Event logging", + "id": "control-0864", + "title": "Configuration control", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] }, { - "id": "control-1523", - "title": "Event logging", + "id": "control-1365", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1523-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." 
+ "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] }, { - "id": "control-0610", - "title": "User training", + "id": "control-1366", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-0610-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." } ] - } - ] - }, - { - "id": "web_content_filters", - "title": "Web content filters", - "controls": [ + }, { - "id": "control-0963", - "title": "Using web content filters", + "id": "control-0874", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-0961", - "title": "Using web content filters", + "id": "control-0705", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0961-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." 
} ] - }, + } + ] + }, + { + "id": "mobile_device_usage", + "title": "Mobile device usage", + "controls": [ { - "id": "control-1237", - "title": "Using web content filters", + "id": "control-1082", + "title": "Mobile device usage policy", "parts": [ { - "id": "control-1237-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "A mobile device usage policy is developed and implemented." } ] }, { - "id": "control-0263", - "title": "Transport Layer Security filtering", + "id": "control-1083", + "title": "Personnel awareness", "parts": [ { - "id": "control-0263-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0996", - "title": "Inspection of Transport Layer Security traffic", + "id": "control-0240", + "title": "Paging and message services", "parts": [ { - "id": "control-0996-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." 
} ] }, { - "id": "control-0958", - "title": "Allowing access to specific websites", + "id": "control-0866", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0958-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." } ] }, { - "id": "control-1170", - "title": "Allowing access to specific websites", + "id": "control-1145", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-1170-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-0959", - "title": "Blocking access to specific websites", + "id": "control-0871", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0959-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-0960", - "title": "Blocking access to specific websites", + "id": "control-0870", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0960-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." 
+ "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-1171", - "title": "Blocking access to specific websites", + "id": "control-1084", + "title": "Carrying mobile devices", "parts": [ { - "id": "control-1171-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." } ] }, { - "id": "control-1236", - "title": "Blocking access to specific websites", + "id": "control-0701", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-1236-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." } ] - } - ] - }, - { - "id": "web_proxies", - "title": "Web proxies", - "controls": [ + }, { - "id": "control-0258", - "title": "Web usage policy", + "id": "control-0702", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0258-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." 
} ] }, { - "id": "control-0260", - "title": "Using web proxies", + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0260-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." } ] }, { - "id": "control-0261", - "title": "Web proxy authentication and logging", + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0261-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." + "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." } ] - } - ] - }, - { - "id": "peripheral_switches", - "title": "Peripheral switches", - "controls": [ + }, { - "id": "control-0591", - "title": "Using peripheral switches", + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0591-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." 
+ "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." } ] }, { - "id": "control-1480", - "title": "Using peripheral switches", + "id": "control-1299", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-1480-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• 
avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." } ] }, { - "id": "control-1457", - "title": "Using peripheral switches", + "id": "control-1088", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." } ] }, { - "id": "control-0593", - "title": "Using peripheral switches", + "id": "control-1300", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0593-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." 
} ] }, { - "id": "control-0594", - "title": "Peripheral switches for particularly important systems", + "id": "control-1556", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0594-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." + "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." } ] } 
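Review bot: The removed lines in this hunk drop whole groups (web_content_filters, web_proxies, peripheral_switches and their controls such as control-0963, control-0258 and control-0591) while the added lines introduce the mobile device controls (control-1366, control-0874, control-1082 and the travel controls through control-1556), so the textual diff reflects the regenerated file's different group order rather than a one-for-one replacement of controls. Please state in the PR description whether the removed control ids still appear elsewhere in the regenerated catalog.json (a comparison of the sorted control id sets of the old and new files would show this), since a reviewer cannot tell from this hunk alone whether any control was lost in the regeneration.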
@@ -1388,748 +1222,842 @@ ] }, { - "id": "guidelines_for_networking", - "title": "Guidelines for Networking", + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", "groups": [ { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", + "id": "emanation_security", + "title": "Emanation security", "controls": [ { - "id": "control-1437", - "title": "Cloud-based hosting of online services", + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1437-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "A cloud service provider is used for hosting online services." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1578", - "title": "Location policies for online services", + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1578-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1579", - "title": "Availability planning and monitoring for online services", + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1579-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1580", - "title": "Availability planning and monitoring for online services", + "id": "control-0932", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-1580-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." + "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + } + ] + }, + { + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", + "parts": [ + { + "id": "control-0249-stmt", + "name": "statement", + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
+ } + ] + }, + { + "id": "control-0246", + "title": "Early identification of emanation security issues", + "parts": [ + { + "id": "control-0246-stmt", + "name": "statement", + "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + } + ] + }, + { + "id": "control-0250", + "title": "Industry and government standards", + "parts": [ + { + "id": "control-0250-stmt", + "name": "statement", + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + } + ] + } + ] + }, + { + "id": "cabling_infrastructure", + "title": "Cabling infrastructure", + "controls": [ + { + "id": "control-0181", + "title": "Cabling infrastructure standards", + "parts": [ + { + "id": "control-0181-stmt", + "name": "statement", + "prose": "Cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority." + } + ] + }, + { + "id": "control-1111", + "title": "Use of fibre-optic cables", + "parts": [ + { + "id": "control-1111-stmt", + "name": "statement", + "prose": "Fibre-optic cables are used for cabling infrastructure instead of copper cables." + } + ] + }, + { + "id": "control-0211", + "title": "Cable register", + "parts": [ + { + "id": "control-0211-stmt", + "name": "statement", + "prose": "A cable register is maintained and regularly audited." + } + ] + }, + { + "id": "control-0208", + "title": "Cable register", + "parts": [ + { + "id": "control-0208-stmt", + "name": "statement", + "prose": "Cable registers contain the following information:\n• cable identifier\n• cable colour\n• sensitivity/classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." 
+ } + ] + }, + { + "id": "control-0206", + "title": "Cable labelling process and procedures", + "parts": [ + { + "id": "control-0206-stmt", + "name": "statement", + "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-1441", - "title": "Availability planning and monitoring for online services", + "id": "control-1096", + "title": "Labelling cables", "parts": [ { - "id": "control-1441-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." } ] }, { - "id": "control-1581", - "title": "Availability planning and monitoring for online services", + "id": "control-1639", + "title": "Labelling building management cables", "parts": [ { - "id": "control-1581-stmt", + "id": "control-1639-stmt", "name": "statement", - "prose": "Organisations perform continuous real-time monitoring of the availability of online services." + "prose": "Building management cables are labelled with their purpose in black writing on a yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre intervals." } ] }, { - "id": "control-1438", - "title": "Using content delivery networks", + "id": "control-1640", + "title": "Labelling cables for foreign systems in Australian facilities", "parts": [ { - "id": "control-1438-stmt", + "id": "control-1640-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "Cables for foreign systems installed in Australian facilities are labelled at inspection points." 
} ] }, { - "id": "control-1439", - "title": "Using content delivery networks", + "id": "control-0926", + "title": "Cable colours", "parts": [ { - "id": "control-1439-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "The cable colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1431", - "title": "Denial of service strategies", + "id": "control-1216", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1431-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." + "prose": "Cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." 
} ] }, { - "id": "control-1458", - "title": "Denial of service strategies", + "id": "control-1112", + "title": "Cable inspectability", "parts": [ { - "id": "control-1458-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1432", - "title": "Domain name registrar locking", + "id": "control-1118", + "title": "Cable inspectability", "parts": [ { - "id": "control-1432-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1435", - "title": "Monitoring with real-time alerting for online services", + "id": "control-1119", + "title": "Cable inspectability", "parts": [ { - "id": "control-1435-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1436", - "title": "Segregation of critical online services", + "id": "control-1126", + "title": "Cable inspectability", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." 
+ "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1518", - "title": "Preparing for service continuity", + "id": "control-0184", + "title": "Cable inspectability", "parts": [ { - "id": "control-1518-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." } ] - } - ] - }, - { - "id": "wireless_networks", - "title": "Wireless networks", - "controls": [ + }, { - "id": "control-1314", - "title": "Choosing wireless access points", + "id": "control-0187", + "title": "Cable groups", "parts": [ { - "id": "control-1314-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "The cable groups in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-0536", - "title": "Wireless networks for public access", + "id": "control-0189", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-0536-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single cable group." 
} ] }, { - "id": "control-1315", - "title": "Administrative interfaces for wireless access points", + "id": "control-0190", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1315-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." + "prose": "With fibre-optic cables contains subunits, each subunit only carries a single cable group; however, each subunit can carry a different cable group." } ] }, { - "id": "control-1316", - "title": "Default Service Set Identifiers", + "id": "control-1114", + "title": "Common cable reticulation systems", "parts": [ { - "id": "control-1316-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "Cable groups sharing a common cable reticulation system have a dividing partition or a visible gap between the cable groups." } ] }, { - "id": "control-1317", - "title": "Default Service Set Identifiers", + "id": "control-1130", + "title": "Enclosed cable reticulation systems", "parts": [ { - "id": "control-1317-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." } ] }, { - "id": "control-1318", - "title": "Default Service Set Identifiers", + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", "parts": [ { - "id": "control-1318-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." 
+ "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-1319", - "title": "Static addressing", + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-1319-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on cable reticulation systems." } ] }, { - "id": "control-1320", - "title": "Media Access Control address filtering", + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-1320-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." } ] }, { - "id": "control-1321", - "title": "802.1X authentication", + "id": "control-0201", + "title": "Labelling conduits", "parts": [ { - "id": "control-1321-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as ‘TS RUN’." 
} ] }, { - "id": "control-1322", - "title": "Evaluation of 802.1X authentication implementation", + "id": "control-1115", + "title": "Cables in walls", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." } ] }, { - "id": "control-1324", - "title": "Generating and issuing certificates for authentication", + "id": "control-1133", + "title": "Cables in party walls", "parts": [ { - "id": "control-1324-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "In shared non-government facilities, cables are not run in party walls." } ] }, { - "id": "control-1323", - "title": "Generating and issuing certificates for authentication", + "id": "control-1122", + "title": "Wall penetrations", "parts": [ { - "id": "control-1323-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1325", - "title": "Generating and issuing certificates for authentication", + "id": "control-1134", + "title": "Wall penetrations", "parts": [ { - "id": "control-1325-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." 
+ "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1326", - "title": "Generating and issuing certificates for authentication", + "id": "control-1104", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "Wall outlet boxes have connectors on opposite sides of the wall outlet box if the cable group contains cables belonging to different classifications." } ] }, { - "id": "control-1327", - "title": "Generating and issuing certificates for authentication", + "id": "control-1105", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1327-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "Different cables groups do not share a wall outlet box." } ] }, { - "id": "control-1330", - "title": "Caching 802.1X authentication outcomes", + "id": "control-1095", + "title": "Labelling wall outlet boxes", "parts": [ { - "id": "control-1330-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "Wall outlet boxes denote the classifications, cable identifiers and wall outlet box identifier." 
} ] }, { - "id": "control-1454", - "title": "Remote Authentication Dial-In User Service authentication", + "id": "control-1107", + "title": "Wall outlet box colours", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1332", - "title": "Encryption of wireless network traffic", + "id": "control-1109", + "title": "Wall outlet box covers", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "Wall outlet box covers are clear plastic." } ] }, { - "id": "control-1334", - "title": "Interference between wireless networks", + "id": "control-0218", + "title": "Fly lead installation", "parts": [ { - "id": "control-1334-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "If fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box’s identifier." } ] }, { - "id": "control-1335", - "title": "Protecting management frames on wireless networks", + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1335-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." 
+ "prose": "In non-TOP SECRET areas, cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1338", - "title": "Wireless network footprint", + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1013", - "title": "Wireless network footprint", + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." 
} ] - } - ] - }, - { - "id": "network_design_and_configuration", - "title": "Network design and configuration", - "controls": [ + }, { - "id": "control-0516", - "title": "Network documentation", + "id": "control-1098", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-0516-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Cables are terminated in individual cabinets; or for small systems, one cabinet with a division plate to delineate cable groups." } ] }, { - "id": "control-0518", - "title": "Network documentation", + "id": "control-1100", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-0518-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-1178", - "title": "Network documentation", + "id": "control-0213", + "title": "Terminating cable groups on patch panels", "parts": [ { - "id": "control-1178-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "Different cable groups do not terminate on the same patch panel." 
} ] }, { - "id": "control-1181", - "title": "Network segmentation and segregation", + "id": "control-1116", + "title": "Physical separation of cabinets and patch panels", "parts": [ { - "id": "control-1181-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] }, { - "id": "control-1577", - "title": "Network segmentation and segregation", + "id": "control-0216", + "title": "Physical separation of cabinets and patch panels", "parts": [ { - "id": "control-1577-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "Organisation networks are segregated from service provider networks." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." } ] }, { - "id": "control-1532", - "title": "Using Virtual Local Area Networks", + "id": "control-0217", + "title": "Physical separation of cabinets and patch panels", "parts": [ { - "id": "control-1532-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." 
} ] }, { - "id": "control-0529", - "title": "Using Virtual Local Area Networks", + "id": "control-0198", + "title": "Audio secure spaces", "parts": [ { - "id": "control-0529-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." } ] }, { - "id": "control-1364", - "title": "Using Virtual Local Area Networks", + "id": "control-1123", + "title": "Power reticulation", "parts": [ { - "id": "control-1364-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-0535", - "title": "Using Virtual Local Area Networks", + "id": "control-1135", + "title": "Power reticulation", "parts": [ { - "id": "control-0535-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ { - "id": "control-0530", - "title": "Using Virtual Local Area Networks", + "id": "control-1631", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0530-stmt", + "id": "control-1631-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "Components and services relevant to the security of systems are identified and understood." } ] }, { - "id": "control-0521", - "title": "Using Internet Protocol version 6", + "id": "control-1452", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." + "prose": "Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk." } ] }, { - "id": "control-1186", - "title": "Using Internet Protocol version 6", + "id": "control-1567", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1186-stmt", + "id": "control-1567-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + "prose": "Suppliers and service providers identified as high risk are not used." 
} ] }, { - "id": "control-1428", - "title": "Using Internet Protocol version 6", + "id": "control-1568", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1568-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices." } ] }, { - "id": "control-1429", - "title": "Using Internet Protocol version 6", + "id": "control-1632", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1429-stmt", + "id": "control-1632-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains." } ] }, { - "id": "control-1430", - "title": "Using Internet Protocol version 6", + "id": "control-1569", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1430-stmt", + "id": "control-1569-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party." 
} ] }, { - "id": "control-0520", - "title": "Network access controls", + "id": "control-0100", + "title": "Outsourced gateway services", "parts": [ { - "id": "control-0520-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." } ] }, { - "id": "control-1182", - "title": "Network access controls", + "id": "control-1637", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1182-stmt", + "id": "control-1637-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "An outsourced cloud services register is maintained and regularly audited." } ] }, { - "id": "control-1301", - "title": "Network device register", + "id": "control-1638", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1301-stmt", + "id": "control-1638-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "Outsourced cloud services registers contain the following for each outsourced cloud service:\n• cloud service provider’s name\n• cloud service’s name\n• purpose for using the cloud service\n• sensitivity or classification of information involved\n• due date for the next security assessment of the cloud service\n• point of contact for users of the cloud service\n• point of contact for the cloud service provider." 
} ] }, { - "id": "control-1304", - "title": "Default accounts for network devices", + "id": "control-1570", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1304-stmt", + "id": "control-1570-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." } ] }, { - "id": "control-0534", - "title": "Disabling unused physical ports on network devices", + "id": "control-1529", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "Only community or private clouds are used for outsourced cloud services." } ] }, { - "id": "control-0385", - "title": "Functional separation between servers", + "id": "control-1395", + "title": "Contractual security requirements", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." } ] }, { - "id": "control-1479", - "title": "Functional separation between servers", + "id": "control-0072", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1479-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." + "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." 
} ] }, { - "id": "control-1006", - "title": "Management traffic", + "id": "control-1571", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1006-stmt", + "id": "control-1571-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." } ] }, { - "id": "control-1311", - "title": "Use of Simple Network Management Protocol", + "id": "control-1451", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "Types of information and its ownership is documented in contractual arrangements." } ] }, { - "id": "control-1312", - "title": "Use of Simple Network Management Protocol", + "id": "control-1572", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1312-stmt", + "id": "control-1572-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." } ] }, { - "id": "control-1028", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1573", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1573-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." + "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." 
} ] }, { - "id": "control-1030", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1574", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1030-stmt", + "id": "control-1574-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." } ] }, { - "id": "control-1185", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1575", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1185-stmt", + "id": "control-1575-stmt", "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." } ] }, { - "id": "control-1627", - "title": "Blocking anonymity network traffic", + "id": "control-1073", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-1627-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." + "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." 
} ] }, { - "id": "control-1628", - "title": "Blocking anonymity network traffic", + "id": "control-1576", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-1628-stmt", + "id": "control-1576-stmt", "name": "statement", - "prose": "Outbound network connections to anonymity networks are blocked." + "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." } ] } 
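Review bot: the control reordering in this hunk makes the textual diff useless for verifying the catalog content, and the PR gives the reviewer no other check. The removed entries (`"id": "control-1454"` Remote Authentication Dial-In User Service authentication, `"id": "control-0516"` Network documentation, `"id": "control-1311"` Use of Simple Network Management Protocol, `"id": "control-1627"` Blocking anonymity network traffic, and the whole `network_design_and_configuration` group) are replaced positionally by cabling, outsourcing and cloud controls (control-1107, control-1098, control-1631, control-1637, plus the new `guidelines_for_outsourcing` / `information_technology_and_cloud_services` groups), so nothing here shows whether the old controls still exist later in the file or whether any statement prose changed on the way through the regeneration. Since profiles import these controls by id, a silently dropped or renumbered control breaks profile resolution; please add a JSON-aware comparison (load old and new catalog, collect every control id with its statement prose, sort, diff) to the demo tests or at least paste its result in the PR description, and state in the description that the catalog was regenerated and reordered rather than edited. Separately, the new control-1107 prose `"The wall outlet box colours in the following table are used (see source document for referenced table)."` carries a conversion placeholder: the table the control depends on was not captured, so a consumer of this catalog cannot implement the control from the prose alone. Either embed the table values as a further part, or attach a link to the source document on the control, rather than shipping the placeholder text. Minor: control-0217 and control-1638 encode their lists as `\n•` inside the prose string, which is consistent with the existing catalog but does not render as a list in OSCAL markup-line tooling; a markdown list would, if the converter can be adjusted.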
@@ -2138,2537 +2066,2477 @@ ] }, { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", "groups": [ { - "id": "web_application_development", - "title": "Web application development", + "id": "application_hardening", + "title": "Application hardening", "controls": [ { - "id": "control-1239", - "title": "Web application frameworks", + "id": "control-0938", + "title": "Application selection", "parts": [ { - "id": "control-1239-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." } ] }, { - "id": "control-1552", - "title": "Web application interactions", + "id": "control-1467", + "title": "Application versions", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." } ] }, { - "id": "control-1240", - "title": "Web application input handling", + "id": "control-1483", + "title": "Application versions", "parts": [ { - "id": "control-1240-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." 
} ] }, { - "id": "control-1241", - "title": "Web application output encoding", + "id": "control-1412", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1424", - "title": "Web browser-based security controls", + "id": "control-1484", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1424-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "Web browsers are configured to block or disable support for Flash content." } ] }, { - "id": "control-0971", - "title": "Open Web Application Security Project", + "id": "control-1485", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0971-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "Web browsers are configured to block web advertisements." } ] - } - ] - }, - { - "id": "application_development", - "title": "Application development", - "controls": [ + }, { - "id": "control-0400", - "title": "Development environments", + "id": "control-1486", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0400-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "Development, testing and production environments are segregated." + "prose": "Web browsers are configured to block Java from the internet." 
} ] }, { - "id": "control-1419", - "title": "Development environments", + "id": "control-1541", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." + "prose": "Microsoft Office is configured to disable support for Flash content." } ] }, { - "id": "control-1420", - "title": "Development environments", + "id": "control-1542", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1420-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." } ] }, { - "id": "control-1422", - "title": "Development environments", + "id": "control-1470", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1422-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." } ] }, { - "id": "control-1238", - "title": "Secure software design", + "id": "control-1235", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1238-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." 
} ] }, { - "id": "control-0401", - "title": "Secure programming practices", + "id": "control-1601", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0401-stmt", + "id": "control-1601-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." } ] }, { - "id": "control-0402", - "title": "Software testing", + "id": "control-1585", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0402-stmt", + "id": "control-1585-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." } ] }, { - "id": "control-1616", - "title": "Vulnerability disclosure program", + "id": "control-1487", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1616-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." + "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + } + ] + }, + { + "id": "control-1488", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1488-stmt", + "name": "statement", + "prose": "Microsoft Office macros in documents originating from the internet are blocked." 
+ } + ] + }, + { + "id": "control-1489", + "title": "Microsoft Office macros", + "parts": [ + { + "id": "control-1489-stmt", + "name": "statement", + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] } ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ + }, { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", + "id": "operating_system_hardening", + "title": "Operating system hardening", "controls": [ { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "id": "control-1406", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1406-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "SOEs are used for workstations and servers." } ] }, { - "id": "control-0546", - "title": "Video and voice-aware firewalls", + "id": "control-1608", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0546-stmt", + "id": "control-1608-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." } ] }, { - "id": "control-0547", - "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "id": "control-1588", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0547-stmt", + "id": "control-1588-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "SOEs are reviewed and updated at least annually." 
} ] }, { - "id": "control-0548", - "title": "Establishment of secure signalling and data protocols", + "id": "control-1407", + "title": "Operating system versions", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." } ] }, { - "id": "control-0554", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1408", + "title": "Operating system versions", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." } ] }, { - "id": "control-0553", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1409", + "title": "Operating system configuration", "parts": [ { - "id": "control-0553-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-0555", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-0383", + "title": "Operating system configuration", "parts": [ { - "id": "control-0555-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." 
+ "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-0551", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-0380", + "title": "Operating system configuration", "parts": [ { - "id": "control-0551-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." } ] }, { - "id": "control-1014", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1584", + "title": "Operating system configuration", "parts": [ { - "id": "control-1014-stmt", + "id": "control-1584-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." } ] }, { - "id": "control-0549", - "title": "Traffic separation", + "id": "control-1491", + "title": "Operating system configuration", "parts": [ { - "id": "control-0549-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe)\n• Microsoft HTML Application Host (mshta.exe)." 
} ] }, { - "id": "control-0556", - "title": "Traffic separation", + "id": "control-1410", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." } ] }, { - "id": "control-1015", - "title": "Internet Protocol phones in public areas", + "id": "control-1469", + "title": "Local administrator accounts", "parts": [ { - "id": "control-1015-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-0558", - "title": "Internet Protocol phones in public areas", + "id": "control-1592", + "title": "Application management", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1592-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "Users do not have the ability to install unapproved software." } ] }, { - "id": "control-0559", - "title": "Microphones and webcams", + "id": "control-0382", + "title": "Application management", "parts": [ { - "id": "control-0559-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." 
+ "prose": "Users do not have the ability to uninstall or disable approved software." } ] }, { - "id": "control-1450", - "title": "Microphones and webcams", + "id": "control-0843", + "title": "Application control", "parts": [ { - "id": "control-1450-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-1019", - "title": "Developing a denial of service response plan", + "id": "control-1490", + "title": "Application control", "parts": [ { - "id": "control-1019-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." + "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] - } - ] - }, - { - "id": "telephone_systems", - "title": "Telephone systems", - "controls": [ + }, { - "id": "control-1078", - "title": "Telephone systems usage policy", + "id": "control-0955", + "title": "Application control", "parts": [ { - "id": "control-1078-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." 
} ] }, { - "id": "control-0229", - "title": "Personnel awareness", + "id": "control-1582", + "title": "Application control", "parts": [ { - "id": "control-0229-stmt", + "id": "control-1582-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." } ] }, { - "id": "control-0230", - "title": "Personnel awareness", + "id": "control-1471", + "title": "Application control", "parts": [ { - "id": "control-0230-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-0231", - "title": "Visual indication", + "id": "control-1392", + "title": "Application control", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." 
} ] }, { - "id": "control-0232", - "title": "Protecting conversations", + "id": "control-1544", + "title": "Application control", "parts": [ { - "id": "control-0232-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." } ] }, { - "id": "control-0233", - "title": "Cordless telephone systems", + "id": "control-0846", + "title": "Application control", "parts": [ { - "id": "control-0233-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." } ] }, { - "id": "control-0235", - "title": "Speakerphones", + "id": "control-0957", + "title": "Application control", "parts": [ { - "id": "control-0235-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." + "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." 
} ] }, { - "id": "control-0236", - "title": "Off-hook audio protection", + "id": "control-1414", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0236-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." } ] }, { - "id": "control-0931", - "title": "Off-hook audio protection", + "id": "control-1492", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0931-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "If supported, Microsoft’s exploit protection functionality is implemented on workstations and servers." } ] }, { - "id": "control-0237", - "title": "Off-hook audio protection", + "id": "control-1621", + "title": "PowerShell", "parts": [ { - "id": "control-0237-stmt", + "id": "control-1621-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "PowerShell 2.0 and below is removed from operating systems." 
} ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ + }, { - "id": "control-0588", - "title": "Fax machine and multifunction device usage policy", + "id": "control-1622", + "title": "PowerShell", "parts": [ { - "id": "control-0588-stmt", + "id": "control-1622-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "PowerShell is configured to use Constrained Language Mode." } ] }, { - "id": "control-1092", - "title": "Sending fax messages", + "id": "control-1623", + "title": "PowerShell", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1623-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." } ] }, { - "id": "control-0241", - "title": "Sending fax messages", + "id": "control-1624", + "title": "PowerShell", "parts": [ { - "id": "control-0241-stmt", + "id": "control-1624-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." + "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." } ] }, { - "id": "control-1075", - "title": "Receiving fax messages", + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1075-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "A HIPS is implemented on workstations." 
} ] }, { - "id": "control-0590", - "title": "Connecting multifunction devices to networks", + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-0590-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." } ] }, { - "id": "control-0245", - "title": "Connecting multifunction devices to both networks and digital telephone systems", + "id": "control-1416", + "title": "Software firewall", "parts": [ { - "id": "control-0245-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." } ] }, { - "id": "control-0589", - "title": "Copying documents on multifunction devices", + "id": "control-1417", + "title": "Antivirus software", "parts": [ { - "id": "control-0589-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." 
} ] }, { - "id": "control-1036", - "title": "Observing fax machine and multifunction device use", + "id": "control-1390", + "title": "Antivirus software", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "Antivirus software has reputation rating functionality enabled." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems", - "title": "Guidelines for Database Systems", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Protecting database server contents", + "id": "control-1418", + "title": "Device access control software", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." } ] }, { - "id": "control-1269", - "title": "Functional separation between database servers and web servers", + "id": "control-0345", + "title": "Device access control software", "parts": [ { - "id": "control-1269-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "External interfaces of workstations and servers that allow DMA are disabled." 
} ] - }, + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ { - "id": "control-1277", - "title": "Communications between database servers and web servers", + "id": "control-1546", + "title": "Authenticating to systems", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." + "prose": "Users are authenticated before they are granted access to a system and its resources." } ] }, { - "id": "control-1270", - "title": "Network environment", + "id": "control-0974", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1270-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "Multi-factor authentication is used to authenticate standard users." } ] }, { - "id": "control-1271", - "title": "Network environment", + "id": "control-1173", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." } ] }, { - "id": "control-1272", - "title": "Network environment", + "id": "control-1384", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1272-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." 
+ "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." } ] }, { - "id": "control-1273", - "title": "Separation of production, test and development database servers", + "id": "control-1504", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1273-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] - } - ] - }, - { - "id": "database_management_system_software", - "title": "Database management system software", - "controls": [ + }, { - "id": "control-1245", - "title": "Temporary installation files and logs", + "id": "control-1505", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1245-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." } ] }, { - "id": "control-1246", - "title": "Hardening and configuration", + "id": "control-1401", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1246-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." 
} ] }, { - "id": "control-1247", - "title": "Hardening and configuration", + "id": "control-1559", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1247-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] }, { - "id": "control-1249", - "title": "Restricting privileges", + "id": "control-1560", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." } ] }, { - "id": "control-1250", - "title": "Restricting privileges", + "id": "control-1561", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1250-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." } ] }, { - "id": "control-1251", - "title": "Restricting privileges", + "id": "control-1357", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." 
} ] }, { - "id": "control-1260", - "title": "Database administrator accounts", + "id": "control-0417", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1260-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-1262", - "title": "Database administrator accounts", + "id": "control-0421", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1262-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." } ] }, { - "id": "control-1261", - "title": "Database administrator accounts", + "id": "control-1557", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1261-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] }, { - "id": "control-1263", - "title": "Database administrator accounts", + "id": "control-0422", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1263-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." 
} ] }, { - "id": "control-1264", - "title": "Database administrator accounts", + "id": "control-1558", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." } ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Database register", + "id": "control-1596", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1243-stmt", + "id": "control-1596-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." + "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." } ] }, { - "id": "control-1256", - "title": "Protecting database contents", + "id": "control-1227", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1256-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." } ] }, { - "id": "control-1252", - "title": "Protecting authentication credentials in databases", + "id": "control-1593", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1252-stmt", + "id": "control-1593-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." 
+ "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." } ] }, { - "id": "control-0393", - "title": "Protecting database contents", + "id": "control-1594", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-0393-stmt", + "id": "control-1594-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." + "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." } ] }, { - "id": "control-1255", - "title": "Protecting database contents", + "id": "control-1595", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1255-stmt", + "id": "control-1595-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." } ] }, { - "id": "control-1268", - "title": "Protecting database contents", + "id": "control-1619", + "title": "Setting and resetting credentials for service accounts", "parts": [ { - "id": "control-1268-stmt", + "id": "control-1619-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." + "prose": "Service accounts are created as group Managed Service Accounts." 
} ] }, { - "id": "control-1258", - "title": "Aggregation of database contents", + "id": "control-1403", + "title": "Account lockouts", "parts": [ { - "id": "control-1258-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-1274", - "title": "Separation of production, test and development databases", + "id": "control-0431", + "title": "Account lockouts", "parts": [ { - "id": "control-1274-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "Repeated account lockouts are investigated before reauthorising access." } ] }, { - "id": "control-1275", - "title": "Web application interaction with databases", + "id": "control-0976", + "title": "Account unlocks", "parts": [ { - "id": "control-1275-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." + "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." } ] }, { - "id": "control-1276", - "title": "Web application interaction with databases", + "id": "control-1603", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1603-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." 
+ "prose": "Authentication methods susceptible to replay attacks are disabled." } ] }, { - "id": "control-1278", - "title": "Web application interaction with databases", + "id": "control-1055", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email", - "title": "Guidelines for Email", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage policy", + "id": "control-1620", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-0264-stmt", + "id": "control-1620-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "Privileged accounts are members of the Protected Users security group." } ] }, { - "id": "control-0267", - "title": "Webmail services", + "id": "control-0418", + "title": "Protecting credentials", "parts": [ { - "id": "control-0267-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Credentials are stored separately from systems to which they grant access." } ] }, { - "id": "control-0270", - "title": "Protective markings for emails", + "id": "control-1597", + "title": "Protecting credentials", "parts": [ { - "id": "control-0270-stmt", + "id": "control-1597-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Credentials are obscured as they are entered into systems." 
} ] }, { - "id": "control-0271", - "title": "Protective marking tools", + "id": "control-1402", + "title": "Protecting credentials", "parts": [ { - "id": "control-0271-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." } ] }, { - "id": "control-0272", - "title": "Protective marking tools", + "id": "control-1590", + "title": "Protecting credentials", "parts": [ { - "id": "control-0272-stmt", + "id": "control-1590-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." } ] }, { - "id": "control-1089", - "title": "Protective marking tools", + "id": "control-0853", + "title": "Session termination", "parts": [ { - "id": "control-1089-stmt", + "id": "control-0853-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." 
} ] }, { - "id": "control-0565", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-0428", + "title": "Session and screen locking", "parts": [ { - "id": "control-0565-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." + "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." } ] }, { - "id": "control-1023", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-0408", + "title": "Logon banner", "parts": [ { - "id": "control-1023-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-0269", - "title": "Email distribution lists", + "id": "control-0979", + "title": "Logon banner", "parts": [ { - "id": "control-0269-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "Legal advice is sought on the exact wording of logon banners." 
} ] } ] }, { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", + "id": "virtualisation_hardening", + "title": "Virtualisation hardening", "controls": [ { - "id": "control-0569", - "title": "Centralised email gateways", + "id": "control-1460", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0569-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." } ] }, { - "id": "control-0571", - "title": "Centralised email gateways", + "id": "control-1604", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0571-stmt", + "id": "control-1604-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." } ] }, { - "id": "control-0570", - "title": "Email gateway maintenance activities", + "id": "control-1605", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0570-stmt", + "id": "control-1605-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." } ] }, { - "id": "control-0567", - "title": "Open relay email servers", + "id": "control-1606", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0567-stmt", + "id": "control-1606-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-0572", - "title": "Email server transport encryption", + "id": "control-1607", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0572-stmt", + "id": "control-1607-stmt", "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1589", - "title": "Email server transport encryption", + "id": "control-1462", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1589-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." 
} ] }, { - "id": "control-0574", - "title": "Sender Policy Framework", + "id": "control-1461", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0574-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", + "groups": [ + { + "id": "application_development", + "title": "Application development", + "controls": [ { - "id": "control-1183", - "title": "Sender Policy Framework", + "id": "control-0400", + "title": "Development environments", "parts": [ { - "id": "control-1183-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." + "prose": "Development, testing and production environments are segregated." } ] }, { - "id": "control-1151", - "title": "Sender Policy Framework", + "id": "control-1419", + "title": "Development environments", "parts": [ { - "id": "control-1151-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-1152", - "title": "Sender Policy Framework", + "id": "control-1420", + "title": "Development environments", "parts": [ { - "id": "control-1152-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
+ "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-0861", - "title": "DomainKeys Identified Mail", + "id": "control-1422", + "title": "Development environments", "parts": [ { - "id": "control-0861-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-1026", - "title": "DomainKeys Identified Mail", + "id": "control-1238", + "title": "Secure software design", "parts": [ { - "id": "control-1026-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, { - "id": "control-1027", - "title": "DomainKeys Identified Mail", + "id": "control-0401", + "title": "Secure programming practices", "parts": [ { - "id": "control-1027-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." 
} ] }, { - "id": "control-1540", - "title": "Domain-based Message Authentication, Reporting and Conformance", + "id": "control-0402", + "title": "Software testing", "parts": [ { - "id": "control-1540-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] }, { - "id": "control-1234", - "title": "Email content filtering", + "id": "control-1616", + "title": "Vulnerability disclosure program", "parts": [ { - "id": "control-1234-stmt", + "id": "control-1616-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." } ] - }, + } + ] + }, + { + "id": "web_application_development", + "title": "Web application development", + "controls": [ { - "id": "control-1502", - "title": "Blocking suspicious emails", + "id": "control-1239", + "title": "Web application frameworks", "parts": [ { - "id": "control-1502-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-1024", - "title": "Undeliverable messages", - "parts": [ - { - "id": "control-1024-stmt", - "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." 
- } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cryptography", - "title": "Guidelines for Cryptography", - "groups": [ - { - "id": "transport_layer_security", - "title": "Transport Layer Security", - "controls": [ - { - "id": "control-1139", - "title": "Using Transport Layer Security", + "id": "control-1552", + "title": "Web application interactions", "parts": [ { - "id": "control-1139-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "Only the latest version of TLS is used." + "prose": "All web application content is offered exclusively using HTTPS." } ] }, { - "id": "control-1369", - "title": "Using Transport Layer Security", + "id": "control-1240", + "title": "Web application input handling", "parts": [ { - "id": "control-1369-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." + "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-1370", - "title": "Using Transport Layer Security", + "id": "control-1241", + "title": "Web application output encoding", "parts": [ { - "id": "control-1370-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "Output encoding is performed on all output produced by a web application." } ] }, - { - "id": "control-1372", - "title": "Using Transport Layer Security", + { + "id": "control-1424", + "title": "Web browser-based security controls", "parts": [ { - "id": "control-1372-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." 
} ] }, { - "id": "control-1448", - "title": "Using Transport Layer Security", + "id": "control-0971", + "title": "Open Web Application Security Project", "parts": [ { - "id": "control-1448-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ { - "id": "control-1373", - "title": "Using Transport Layer Security", + "id": "control-0123", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1373-stmt", + "id": "control-0123-stmt", "name": "statement", - "prose": "Anonymous DH is not used." + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1374", - "title": "Using Transport Layer Security", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1374-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1375", - "title": "Using Transport Layer Security", + "id": "control-1433", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1375-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." 
+ "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." } ] }, { - "id": "control-1553", - "title": "Using Transport Layer Security", + "id": "control-1434", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1553-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "TLS compression is disabled." + "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." } ] }, { - "id": "control-1453", - "title": "Perfect Forward Secrecy", + "id": "control-0140", + "title": "Reporting cyber security incidents to the ACSC", "parts": [ { - "id": "control-1453-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "Cyber security incidents are reported to the ACSC." } ] } ] }, { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", "controls": [ { - "id": "control-0471", - "title": "Using ASD Approved Cryptographic Algorithms", + "id": "control-0125", + "title": "Cyber security incident register", "parts": [ { - "id": "control-0471-stmt", + "id": "control-0125-stmt", "name": "statement", - "prose": "Only AACAs are used by cryptographic equipment and software." + "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." 
} ] }, { - "id": "control-0994", - "title": "Approved asymmetric/public key algorithms", + "id": "control-0133", + "title": "Handling and containing data spills", "parts": [ { - "id": "control-0994-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." } ] }, { - "id": "control-0472", - "title": "Using Diffie-Hellman", + "id": "control-0917", + "title": "Handling and containing malicious code infections", "parts": [ { - "id": "control-0472-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used." + "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." } ] }, { - "id": "control-1629", - "title": "Using Diffie-Hellman", + "id": "control-0137", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-1629-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." 
} ] }, { - "id": "control-0473", - "title": "Using the Digital Signature Algorithm", + "id": "control-1609", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-0473-stmt", + "id": "control-1609-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 2048 bits is used." + "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-1630", - "title": "Using the Digital Signature Algorithm", + "id": "control-1213", + "title": "Post-incident analysis", "parts": [ { - "id": "control-1630-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4." + "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." } ] }, { - "id": "control-1446", - "title": "Using Elliptic Curve Cryptography", + "id": "control-0138", + "title": "Integrity of evidence", "parts": [ { - "id": "control-1446-stmt", + "id": "control-0138-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." 
} ] - }, + } + ] + }, + { + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", + "controls": [ { - "id": "control-0474", - "title": "Using Elliptic Curve Diffie-Hellman", + "id": "control-0576", + "title": "Intrusion detection and prevention policy", "parts": [ { - "id": "control-0474-stmt", + "id": "control-0576-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used." + "prose": "An intrusion detection and prevention policy is developed and implemented." } ] }, { - "id": "control-0475", - "title": "Using the Elliptic Curve Digital Signature Algorithm", + "id": "control-1625", + "title": "Trusted insider program", "parts": [ { - "id": "control-0475-stmt", + "id": "control-1625-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used." + "prose": "A trusted insider program is developed and implemented." } ] }, { - "id": "control-0476", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-1626", + "title": "Trusted insider program", "parts": [ { - "id": "control-0476-stmt", + "id": "control-1626-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used." + "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." 
} ] }, { - "id": "control-0477", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0120", + "title": "Access to sufficient data sources and tools", "parts": [ { - "id": "control-0477-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_networking", + "title": "Guidelines for Networking", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ { - "id": "control-0479", - "title": "Approved symmetric encryption algorithms", + "id": "control-1437", + "title": "Cloud-based hosting of online services", "parts": [ { - "id": "control-0479-stmt", + "id": "control-1437-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + "prose": "A cloud service provider is used for hosting online services." } ] }, { - "id": "control-0480", - "title": "Using the Triple Data Encryption Standard", + "id": "control-1578", + "title": "Location policies for online services", "parts": [ { - "id": "control-0480-stmt", + "id": "control-1578-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." 
} ] }, { - "id": "control-1232", - "title": "Protecting highly classified information", + "id": "control-1579", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1579-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." } ] }, { - "id": "control-1468", - "title": "Protecting highly classified information", - "parts": [ - { - "id": "control-1468-stmt", - "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." - } - ] - } - ] - }, - { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", - "controls": [ - { - "id": "control-0501", - "title": "Commercial grade cryptographic equipment", + "id": "control-1580", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0501-stmt", + "id": "control-1580-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." } ] }, { - "id": "control-0142", - "title": "Commercial grade cryptographic equipment", + "id": "control-1441", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." 
+ "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." } ] }, { - "id": "control-1091", - "title": "Commercial grade cryptographic equipment", + "id": "control-1581", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1091-stmt", + "id": "control-1581-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "Organisations perform continuous real-time monitoring of the availability of online services." } ] }, { - "id": "control-0499", - "title": "High Assurance Cryptographic Equipment", + "id": "control-1438", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0499-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." } ] }, { - "id": "control-0505", - "title": "Storing cryptographic equipment", + "id": "control-1439", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0505-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." 
} ] }, { - "id": "control-0506", - "title": "Storing cryptographic equipment", + "id": "control-1431", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0506-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." } ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Configuring Secure Shell", + "id": "control-1458", + "title": "Denial of service strategies", "parts": [ { - "id": "control-1506-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." } ] }, { - "id": "control-0484", - "title": "Configuring Secure Shell", + "id": "control-1432", + "title": "Domain name registrar locking", "parts": [ { - "id": "control-0484-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." 
+ "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." } ] }, { - "id": "control-0485", - "title": "Authentication mechanisms", + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", "parts": [ { - "id": "control-0485-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] }, { - "id": "control-1449", - "title": "Authentication mechanisms", + "id": "control-1436", + "title": "Segregation of critical online services", "parts": [ { - "id": "control-1449-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." } ] }, { - "id": "control-0487", - "title": "Automated remote access", + "id": "control-1518", + "title": "Preparing for service continuity", "parts": [ { - "id": "control-0487-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." 
} ] - }, + } + ] + }, + { + "id": "wireless_networks", + "title": "Wireless networks", + "controls": [ { - "id": "control-0488", - "title": "Automated remote access", + "id": "control-1314", + "title": "Choosing wireless access points", "parts": [ { - "id": "control-0488-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-0489", - "title": "SSH-agent", + "id": "control-0536", + "title": "Wireless networks for public access", "parts": [ { - "id": "control-0489-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", - "controls": [ + }, { - "id": "control-0481", - "title": "Using ASD Approved Cryptographic Protocols", + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", "parts": [ { - "id": "control-0481-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "Only AACPs are used by cryptographic equipment and software." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." 
} ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Using Secure/Multipurpose Internet Mail Extension", + "id": "control-1316", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0490-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "The default SSID of wireless access points is changed." } ] - } - ] - }, - { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", - "controls": [ + }, { - "id": "control-1161", - "title": "Reducing physical storage and handling requirements", + "id": "control-1317", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1161-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." } ] }, { - "id": "control-0457", - "title": "Reducing physical storage and handling requirements", + "id": "control-1318", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0457-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." + "prose": "SSID broadcasting is enabled on wireless networks." 
} ] }, { - "id": "control-0460", - "title": "Reducing physical storage and handling requirements", + "id": "control-1319", + "title": "Static addressing", "parts": [ { - "id": "control-0460-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." } ] }, { - "id": "control-0459", - "title": "Encrypting information at rest", + "id": "control-1320", + "title": "Media Access Control address filtering", "parts": [ { - "id": "control-0459-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." } ] }, { - "id": "control-0461", - "title": "Encrypting information at rest", + "id": "control-1321", + "title": "802.1X authentication", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] }, { - "id": "control-1080", - "title": "Encrypting particularly important information at rest", + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", "parts": [ { - "id": "control-1080-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." 
+ "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." } ] }, { - "id": "control-0455", - "title": "Data recovery", + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0455-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." } ] }, { - "id": "control-0462", - "title": "Handling encrypted ICT equipment and media", + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0462-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "Both device and user certificates are required for accessing wireless networks." } ] }, { - "id": "control-1162", - "title": "Encrypting information in transit", + "id": "control-1325", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1162-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." 
} ] }, { - "id": "control-0465", - "title": "Encrypting information in transit", + "id": "control-1326", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0465-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." } ] }, { - "id": "control-0467", - "title": "Encrypting information in transit", + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0467-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." } ] }, { - "id": "control-0469", - "title": "Encrypting particularly important information in transit", + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", "parts": [ { - "id": "control-0469-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." 
} ] - } - ] - }, - { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", - "controls": [ + }, { - "id": "control-0494", - "title": "Mode of operation", + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", "parts": [ { - "id": "control-0494-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] }, { - "id": "control-0496", - "title": "Protocol selection", + "id": "control-1332", + "title": "Encryption of wireless network traffic", "parts": [ { - "id": "control-0496-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." } ] }, { - "id": "control-1233", - "title": "Key exchange", + "id": "control-1334", + "title": "Interference between wireless networks", "parts": [ { - "id": "control-1233-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." } ] }, { - "id": "control-0497", - "title": "Internet Security Association Key Management Protocol modes", + "id": "control-1335", + "title": "Protecting management frames on wireless networks", "parts": [ { - "id": "control-0497-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." 
} ] }, { - "id": "control-0498", - "title": "Security association lifetimes", + "id": "control-1338", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0498-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." } ] }, { - "id": "control-0998", - "title": "Hashed Message Authentication Code algorithms", + "id": "control-1013", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0998-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." } ] - }, + } + ] + }, + { + "id": "network_design_and_configuration", + "title": "Network design and configuration", + "controls": [ { - "id": "control-0999", - "title": "Diffie-Hellman groups", + "id": "control-0516", + "title": "Network documentation", "parts": [ { - "id": "control-0999-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." 
} ] }, { - "id": "control-1000", - "title": "Perfect Forward Secrecy", + "id": "control-0518", + "title": "Network documentation", "parts": [ { - "id": "control-1000-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1001", - "title": "Internet Key Exchange Extended Authentication", + "id": "control-1178", + "title": "Network documentation", "parts": [ { - "id": "control-1001-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ - { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ + }, { - "id": "control-0041", - "title": "System security plan", + "id": "control-1181", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0041-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." 
} ] }, { - "id": "control-0043", - "title": "Incident response plan", + "id": "control-1577", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0043-stmt", + "id": "control-1577-stmt", "name": "statement", - "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." + "prose": "Organisation networks are segregated from service provider networks." } ] }, { - "id": "control-1163", - "title": "Continuous monitoring plan", + "id": "control-1532", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1163-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." 
+ "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1563", - "title": "Security assessment report", + "id": "control-0529", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1563-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." } ] }, { - "id": "control-1564", - "title": "Plan of action and milestones", + "id": "control-1364", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1564-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." + "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." } ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ + }, { - "id": "control-0039", - "title": "Cyber security strategy", + "id": "control-0535", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0039-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." 
+ "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-0047", - "title": "Approval of security documentation", + "id": "control-0530", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0047-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "Network devices implementing VLANs are managed from the most trusted network." } ] }, { - "id": "control-0888", - "title": "Maintenance of security documentation", + "id": "control-0521", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0888-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-1602", - "title": "Communication of security documentation", + "id": "control-1186", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1602-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." + "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", - "controls": [ + }, { - "id": "control-0252", - "title": "Providing cyber security awareness training", + "id": "control-1428", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0252-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-1565", - "title": "Providing cyber security awareness training", + "id": "control-1429", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1565-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Tailored privileged user training is undertaken annually by all privileged users." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." } ] }, { - "id": "control-0817", - "title": "Reporting suspicious contact via online services", + "id": "control-1430", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0817-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." 
+ "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." } ] }, { - "id": "control-0820", - "title": "Posting work information to online services", + "id": "control-0520", + "title": "Network access controls", "parts": [ { - "id": "control-0820-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] }, { - "id": "control-1146", - "title": "Posting work information to online services", + "id": "control-1182", + "title": "Network access controls", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] }, { - "id": "control-0821", - "title": "Posting personal information to online services", + "id": "control-1301", + "title": "Network device register", "parts": [ { - "id": "control-0821-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + "prose": "A network device register is maintained and regularly audited." 
} ] }, { - "id": "control-0824", - "title": "Sending and receiving files via online services", + "id": "control-1304", + "title": "Default accounts for network devices", "parts": [ { - "id": "control-0824-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." } ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "System access requirements", + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", "parts": [ { - "id": "control-0432-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." + "prose": "Unused physical ports on network devices are disabled." } ] }, { - "id": "control-0434", - "title": "System access requirements", + "id": "control-0385", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0434-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-0435", - "title": "System access requirements", + "id": "control-1479", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0435-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." 
+ "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-0414", - "title": "User identification", + "id": "control-1006", + "title": "Management traffic", "parts": [ { - "id": "control-0414-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." } ] }, { - "id": "control-0415", - "title": "User identification", + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-0415-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "SNMP version 1 and 2 are not used on networks." } ] }, { - "id": "control-1583", - "title": "User identification", + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1583-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "Personnel who are contractors are identified as such." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." } ] }, { - "id": "control-0975", - "title": "User identification", + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0975-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." 
} ] }, { - "id": "control-0420", - "title": "User identification", + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0420-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." } ] }, { - "id": "control-0405", - "title": "Standard access to systems", + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0405-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] }, { - "id": "control-1503", - "title": "Standard access to systems", + "id": "control-1627", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-1503-stmt", + "id": "control-1627-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." 
} ] }, { - "id": "control-1566", - "title": "Standard access to systems", + "id": "control-1628", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-1566-stmt", + "id": "control-1628-stmt", "name": "statement", - "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." + "prose": "Outbound network connections to anonymity networks are blocked." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ + { + "id": "system_owners", + "title": "System owners", + "controls": [ { - "id": "control-0409", - "title": "Standard access to systems by foreign nationals", + "id": "control-1071", + "title": "System ownership and oversight", "parts": [ { - "id": "control-0409-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "Each system has a designated system owner." } ] }, { - "id": "control-0411", - "title": "Standard access to systems by foreign nationals", + "id": "control-1525", + "title": "System ownership and oversight", "parts": [ { - "id": "control-0411-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "System owners register each system with its authorising officer." 
} ] }, { - "id": "control-1507", - "title": "Privileged access to systems", + "id": "control-1633", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1507-stmt", + "id": "control-1633-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised." } ] }, { - "id": "control-1508", - "title": "Privileged access to systems", + "id": "control-1634", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1508-stmt", + "id": "control-1634-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "System owners select security controls for each system and tailor them to achieve desired security objectives." } ] }, { - "id": "control-0445", - "title": "Privileged access to systems", + "id": "control-1635", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-0445-stmt", + "id": "control-1635-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "System owners implement identified security controls within each system and its operating environment." } ] }, { - "id": "control-1509", - "title": "Privileged access to systems", + "id": "control-1636", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1509-stmt", + "id": "control-1636-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." 
+ "prose": "System owners ensure security controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended." } ] }, { - "id": "control-1175", - "title": "Privileged access to systems", + "id": "control-0027", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1175-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + "prose": "System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation." } ] }, { - "id": "control-0448", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1526", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-0448-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." + "prose": "System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis." } ] }, { - "id": "control-0446", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1587", + "title": "Annual reporting of system security status", "parts": [ { - "id": "control-0446-stmt", + "id": "control-1587-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." + "prose": "System owners report the security status of each system to its authorising officer at least annually." 
} ] - }, + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ { - "id": "control-0447", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0714", + "title": "Providing cyber security leadership and guidance", "parts": [ { - "id": "control-0447-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." } ] }, { - "id": "control-0430", - "title": "Suspension of access to systems", + "id": "control-1478", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-0430-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." } ] }, { - "id": "control-1591", - "title": "Suspension of access to systems", + "id": "control-1617", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1591-stmt", + "id": "control-1617-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." + "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." 
} ] }, { - "id": "control-1404", - "title": "Suspension of access to systems", + "id": "control-0724", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1404-stmt", + "id": "control-0724-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." } ] }, { - "id": "control-0407", - "title": "Recording authorisation for personnel to access systems", + "id": "control-0725", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-0407-stmt", + "id": "control-0725-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." + "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." } ] }, { - "id": "control-0441", - "title": "Temporary access to systems", + "id": "control-0726", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-0441-stmt", + "id": "control-0726-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "The CISO coordinates security risk management activities between cyber security and business teams." 
} ] }, { - "id": "control-0443", - "title": "Temporary access to systems", + "id": "control-0718", + "title": "Reporting on cyber security", "parts": [ { - "id": "control-0443-stmt", + "id": "control-0718-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." } ] }, { - "id": "control-1610", - "title": "Emergency access to systems", + "id": "control-0733", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-1610-stmt", + "id": "control-0733-stmt", "name": "statement", - "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "The CISO is fully aware of all cyber security incidents within their organisation." } ] }, { - "id": "control-1611", - "title": "Emergency access to systems", + "id": "control-1618", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-1611-stmt", + "id": "control-1618-stmt", "name": "statement", - "prose": "Break glass accounts are only used when normal authentication processes cannot be used." + "prose": "The CISO oversees their organisation’s response to cyber security incidents." } ] }, { - "id": "control-1612", - "title": "Emergency access to systems", + "id": "control-0734", + "title": "Contributing to business continuity and disaster recovery planning", "parts": [ { - "id": "control-1612-stmt", + "id": "control-0734-stmt", "name": "statement", - "prose": "Break glass accounts are only used for specific authorised activities." 
+ "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." } ] }, { - "id": "control-1613", - "title": "Emergency access to systems", + "id": "control-0720", + "title": "Developing a cyber security communications strategy", "parts": [ { - "id": "control-1613-stmt", + "id": "control-0720-stmt", "name": "statement", - "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." + "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." } ] }, { - "id": "control-1614", - "title": "Emergency access to systems", + "id": "control-0731", + "title": "Working with suppliers and service providers", "parts": [ { - "id": "control-1614-stmt", + "id": "control-0731-stmt", "name": "statement", - "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." + "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." } ] }, { - "id": "control-1615", - "title": "Emergency access to systems", + "id": "control-0732", + "title": "Receiving and managing a dedicated cyber security budget", "parts": [ { - "id": "control-1615-stmt", + "id": "control-0732-stmt", "name": "statement", - "prose": "Break glass accounts are tested after credentials are changed." + "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." 
} ] }, { - "id": "control-0078", - "title": "Control of Australian systems", + "id": "control-0717", + "title": "Overseeing cyber security personnel", "parts": [ { - "id": "control-0078-stmt", + "id": "control-0717-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "The CISO oversees the management of cyber security personnel within their organisation." } ] }, { - "id": "control-0854", - "title": "Control of Australian systems", + "id": "control-0735", + "title": "Overseeing cyber security awareness raising", "parts": [ { - "id": "control-0854-stmt", + "id": "control-0735-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." + "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." } ] } 
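Review bot: It is not possible to tell from this hunk whether the removed personnel-access controls (control-0447, control-0430, control-1591, control-1404, control-0407, control-0441, control-0443, control-1610 through control-1615, control-0078 and control-0854) have been dropped from the catalog or only relocated, because the new chief_information_security_officer group (control-0714 through control-0735) is inserted line-for-line in their place, so every `-`/`+` pair in the hunk compares two unrelated controls. Please state in the PR which ISM release the regenerated catalog now tracks, and add a check that compares the set of control ids and their statement prose between the old and new catalog.json independent of group order, so a reviewer can confirm nothing was lost in the regeneration.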
@@ -4677,1864 +4545,1962 @@ ] }, { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", + "id": "guidelines_for_data_transfers", + "title": "Guidelines for Data Transfers", "groups": [ { - "id": "authentication_hardening", - "title": "Authentication hardening", + "id": "data_transfers", + "title": "Data transfers", "controls": [ { - "id": "control-1546", - "title": "Authenticating to systems", + "id": "control-0663", + "title": "Data transfer process and procedures", "parts": [ { - "id": "control-1546-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-0974", - "title": "Multi-factor authentication", + "id": "control-0661", + "title": "User responsibilities", "parts": [ { - "id": "control-0974-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." } ] }, { - "id": "control-1173", - "title": "Multi-factor authentication", + "id": "control-0665", + "title": "Trusted sources", "parts": [ { - "id": "control-1173-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." 
} ] }, { - "id": "control-1384", - "title": "Multi-factor authentication", + "id": "control-0664", + "title": "Data transfer approval", "parts": [ { - "id": "control-1384-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." } ] }, { - "id": "control-1504", - "title": "Multi-factor authentication", + "id": "control-0675", + "title": "Data transfer approval", "parts": [ { - "id": "control-1504-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "A trusted source signs all data authorised for export from a system." } ] }, { - "id": "control-1505", - "title": "Multi-factor authentication", + "id": "control-0657", + "title": "Import of data", "parts": [ { - "id": "control-1505-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "Data imported to a system is scanned for malicious and active content." } ] }, { - "id": "control-1401", - "title": "Multi-factor authentication", + "id": "control-0658", + "title": "Import of data", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." 
} ] }, { - "id": "control-1559", - "title": "Multi-factor authentication", + "id": "control-1187", + "title": "Export of data", "parts": [ { - "id": "control-1559-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "When exporting data, protective marking checks are undertaken." } ] }, { - "id": "control-1560", - "title": "Multi-factor authentication", + "id": "control-0669", + "title": "Export of data", "parts": [ { - "id": "control-1560-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." } ] }, { - "id": "control-1561", - "title": "Multi-factor authentication", + "id": "control-1535", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1561-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-1357", - "title": "Multi-factor authentication", + "id": "control-0678", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1357-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." 
+ "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." } ] }, { - "id": "control-0417", - "title": "Single-factor authentication", + "id": "control-1586", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0417-stmt", + "id": "control-1586-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + "prose": "Data transfer logs are used to record all data imports and exports from systems." } ] }, { - "id": "control-0421", - "title": "Single-factor authentication", + "id": "control-1294", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0421-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "Data transfer logs are partially audited at least monthly." } ] }, { - "id": "control-1557", - "title": "Single-factor authentication", + "id": "control-0660", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "Data transfer logs are fully audited at least monthly." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_ict_equipment", + "title": "Guidelines for ICT Equipment", + "groups": [ + { + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", + "controls": [ + { + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", + "parts": [ + { + "id": "control-0313-stmt", + "name": "statement", + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0422", - "title": "Single-factor authentication", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0422-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-1558", - "title": "Single-factor authentication", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." 
} ] }, { - "id": "control-1596", - "title": "Single-factor authentication", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1596-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." } ] }, { - "id": "control-1227", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1227-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1593", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0315", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1593-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." + "prose": "When disposing of high assurance ICT equipment, it is destroyed prior to its disposal." 
} ] }, { - "id": "control-1594", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0321", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1594-stmt", + "id": "control-0321-stmt", "name": "statement", - "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." + "prose": "When disposing of ICT equipment that has been designed or modified to meet TEMPEST standards, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-1595", - "title": "Setting and resetting credentials for user accounts", + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1595-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." } ] }, { - "id": "control-1619", - "title": "Setting and resetting credentials for service accounts", + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1619-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "Service accounts are created as group Managed Service Accounts." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." 
} ] }, { - "id": "control-1403", - "title": "Account lockouts", + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1403-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." } ] }, { - "id": "control-0431", - "title": "Account lockouts", + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", + "parts": [ + { + "id": "control-1219-stmt", + "name": "statement", + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + } + ] + }, + { + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", + "parts": [ + { + "id": "control-1220-stmt", + "name": "statement", + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + } + ] + }, + { + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0431-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-0976", - "title": "Account unlocks", + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0976-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." 
+ "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." } ] }, { - "id": "control-1603", - "title": "Insecure authentication methods", + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1603-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "Authentication methods susceptible to replay attacks are disabled." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." } ] }, { - "id": "control-1055", - "title": "Insecure authentication methods", + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-1055-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-1620", - "title": "Insecure authentication methods", + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-1620-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "Privileged accounts are members of the Protected Users security group." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." } ] }, { - "id": "control-0418", - "title": "Protecting credentials", + "id": "control-1223", + "title": "Sanitising network devices", "parts": [ { - "id": "control-0418-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." 
+ "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." } ] }, { - "id": "control-1597", - "title": "Protecting credentials", + "id": "control-1225", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1597-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "Credentials are obscured as they are entered into systems." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-1402", - "title": "Protecting credentials", + "id": "control-1226", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1402-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-1590", - "title": "Protecting credentials", + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", "parts": [ { - "id": "control-1590-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." } ] }, { - "id": "control-0853", - "title": "Session termination", + "id": "control-0305", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0853-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." 
} ] }, { - "id": "control-0428", - "title": "Session and screen locking", + "id": "control-0307", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0428-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-0408", - "title": "Logon banner", + "id": "control-0306", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0408-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." 
} ] }, { - "id": "control-0979", - "title": "Logon banner", + "id": "control-0310", + "title": "Off-site maintenance and repairs", "parts": [ { - "id": "control-0979-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] - } - ] - }, - { - "id": "operating_system_hardening", - "title": "Operating system hardening", - "controls": [ + }, { - "id": "control-1406", - "title": "Standard Operating Environments", + "id": "control-0944", + "title": "Maintenance and repair of ICT equipment from secured spaces", "parts": [ { - "id": "control-1406-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "SOEs are used for workstations and servers." + "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." } ] }, { - "id": "control-1608", - "title": "Standard Operating Environments", + "id": "control-1598", + "title": "Inspection of ICT equipment following maintenance and repairs", "parts": [ { - "id": "control-1608-stmt", + "id": "control-1598-stmt", "name": "statement", - "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." + "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ { - "id": "control-1588", - "title": "Standard Operating Environments", + "id": "control-1551", + "title": "ICT equipment management policy", "parts": [ { - "id": "control-1588-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "SOEs are reviewed and updated at least annually." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-1407", - "title": "Operating system versions", + "id": "control-0293", + "title": "Classifying ICT equipment", "parts": [ { - "id": "control-1407-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." } ] }, { - "id": "control-1408", - "title": "Operating system versions", + "id": "control-0294", + "title": "Labelling ICT equipment", "parts": [ { - "id": "control-1408-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-1409", - "title": "Operating system configuration", + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", "parts": [ { - "id": "control-1409-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." 
} ] }, { - "id": "control-0383", - "title": "Operating system configuration", + "id": "control-1599", + "title": "Handling ICT equipment", "parts": [ { - "id": "control-0383-stmt", + "id": "control-1599-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-0380", - "title": "Operating system configuration", + "id": "control-0039", + "title": "Cyber security strategy", "parts": [ { - "id": "control-0380-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-1584", - "title": "Operating system configuration", + "id": "control-0047", + "title": "Approval of security documentation", "parts": [ { - "id": "control-1584-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." 
} ] }, { - "id": "control-1491", - "title": "Operating system configuration", + "id": "control-0888", + "title": "Maintenance of security documentation", "parts": [ { - "id": "control-1491-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe)\n• Microsoft HTML Application Host (mshta.exe)." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1410", - "title": "Local administrator accounts", + "id": "control-1602", + "title": "Communication of security documentation", "parts": [ { - "id": "control-1410-stmt", + "id": "control-1602-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." } ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-1469", - "title": "Local administrator accounts", + "id": "control-0041", + "title": "System security plan", "parts": [ { - "id": "control-1469-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." 
+ "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-1592", - "title": "Application management", + "id": "control-0043", + "title": "Incident response plan", "parts": [ { - "id": "control-1592-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "Users do not have the ability to install unapproved software." + "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." } ] }, - { - "id": "control-0382", - "title": "Application management", + { + "id": "control-1163", + "title": "Continuous monitoring plan", "parts": [ { - "id": "control-0382-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "Users do not have the ability to uninstall or disable approved software." 
+ "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." } ] }, { - "id": "control-0843", - "title": "Application control", + "id": "control-1563", + "title": "Security assessment report", "parts": [ { - "id": "control-0843-stmt", + "id": "control-1563-stmt", "name": "statement", - "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." } ] }, { - "id": "control-1490", - "title": "Application control", + "id": "control-1564", + "title": "Plan of action and milestones", "parts": [ { - "id": "control-1490-stmt", + "id": "control-1564-stmt", "name": "statement", - "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media", + "title": "Guidelines for Media", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-0955", - "title": "Application control", + "id": "control-0363", + "title": "Media destruction process and procedures", "parts": [ { - "id": "control-0955-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-1582", - "title": "Application control", + "id": "control-0350", + "title": "Media that cannot be sanitised", "parts": [ { - "id": "control-1582-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." } ] }, { - "id": "control-1471", - "title": "Application control", + "id": "control-1361", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1471-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." + "prose": "SCEC or ASIO approved equipment is used when destroying media." 
} ] }, { - "id": "control-1392", - "title": "Application control", + "id": "control-1160", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1392-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." } ] }, { - "id": "control-1544", - "title": "Application control", + "id": "control-1517", + "title": "Media destruction methods", "parts": [ { - "id": "control-1544-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." + "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." } ] }, { - "id": "control-0846", - "title": "Application control", + "id": "control-0366", + "title": "Media destruction methods", "parts": [ { - "id": "control-0846-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." 
} ] }, { - "id": "control-0957", - "title": "Application control", + "id": "control-0368", + "title": "Treatment of media waste particles", "parts": [ { - "id": "control-0957-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." } ] }, { - "id": "control-1414", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-0361", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1414-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." } ] }, { - "id": "control-1492", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-0838", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1492-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "If supported, Microsoft’s exploit protection functionality is implemented on workstations and servers." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." 
} ] }, { - "id": "control-1621", - "title": "PowerShell", + "id": "control-0362", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1621-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "PowerShell 2.0 and below is removed from operating systems." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." } ] }, { - "id": "control-1622", - "title": "PowerShell", + "id": "control-1641", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1622-stmt", + "id": "control-1641-stmt", "name": "statement", - "prose": "PowerShell is configured to use Constrained Language Mode." + "prose": "Following destruction of magnetic media using a degausser, the magnetic media is physically damaged by deforming the internal platters by any means prior to disposal." } ] }, { - "id": "control-1623", - "title": "PowerShell", + "id": "control-0370", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1623-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1624", - "title": "PowerShell", + "id": "control-0371", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1624-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." 
} ] }, { - "id": "control-1341", - "title": "Host-based Intrusion Prevention System", + "id": "control-0372", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1341-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1034", - "title": "Host-based Intrusion Prevention System", + "id": "control-0373", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1034-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." } ] }, { - "id": "control-1416", - "title": "Software firewall", + "id": "control-0840", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1416-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." 
} ] }, { - "id": "control-1417", - "title": "Antivirus software", + "id": "control-0839", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1417-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." } ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-1390", - "title": "Antivirus software", + "id": "control-0374", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1390-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." } ] }, { - "id": "control-1418", - "title": "Device access control software", + "id": "control-0375", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1418-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." 
} ] }, { - "id": "control-0345", - "title": "Device access control software", + "id": "control-0378", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-0345-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "External interfaces of workstations and servers that allow DMA are disabled." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." } ] } ] }, { - "id": "application_hardening", - "title": "Application hardening", + "id": "media_usage", + "title": "Media usage", "controls": [ { - "id": "control-0938", - "title": "Application selection", + "id": "control-1549", + "title": "Media management policy", "parts": [ { - "id": "control-0938-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-1467", - "title": "Application versions", + "id": "control-1359", + "title": "Removable media usage policy", "parts": [ { - "id": "control-1467-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." + "prose": "A removable media usage policy is developed and implemented." 
} ] }, { - "id": "control-1483", - "title": "Application versions", + "id": "control-0323", + "title": "Classifying media storing information", "parts": [ { - "id": "control-1483-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." } ] }, { - "id": "control-1412", - "title": "Hardening application configurations", + "id": "control-0325", + "title": "Classifying media connected to systems", "parts": [ { - "id": "control-1412-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-1484", - "title": "Hardening application configurations", + "id": "control-0331", + "title": "Reclassifying media", "parts": [ { - "id": "control-1484-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." 
} ] }, { - "id": "control-1485", - "title": "Hardening application configurations", + "id": "control-0330", + "title": "Reclassifying media", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." } ] }, { - "id": "control-1486", - "title": "Hardening application configurations", + "id": "control-0332", + "title": "Labelling media", "parts": [ { - "id": "control-1486-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-1541", - "title": "Hardening application configurations", + "id": "control-1600", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1541-stmt", + "id": "control-1600-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." + "prose": "Media is sanitised before it is used with systems for the first time." } ] }, { - "id": "control-1542", - "title": "Hardening application configurations", + "id": "control-0337", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1542-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." 
} ] }, { - "id": "control-1470", - "title": "Hardening application configurations", + "id": "control-0341", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1470-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." } ] }, { - "id": "control-1235", - "title": "Hardening application configurations", + "id": "control-0342", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1235-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-1601", - "title": "Hardening application configurations", + "id": "control-0343", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1601-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-1585", - "title": "Hardening application configurations", + "id": "control-0831", + "title": "Handling media", "parts": [ { - "id": "control-1585-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
} ] }, { - "id": "control-1487", - "title": "Microsoft Office macros", + "id": "control-1059", + "title": "Handling media", "parts": [ { - "id": "control-1487-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1488", - "title": "Microsoft Office macros", + "id": "control-0347", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1488-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." } ] }, { - "id": "control-1489", - "title": "Microsoft Office macros", + "id": "control-0947", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1489-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." + "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." 
} ] } ] }, { - "id": "virtualisation_hardening", - "title": "Virtualisation hardening", + "id": "media_sanitisation", + "title": "Media sanitisation", "controls": [ { - "id": "control-1460", - "title": "Functional separation between computing environments", + "id": "control-0348", + "title": "Media sanitisation process and procedures", "parts": [ { - "id": "control-1460-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-1604", - "title": "Functional separation between computing environments", + "id": "control-0351", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1604-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1605", - "title": "Functional separation between computing environments", + "id": "control-0352", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1605-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." } ] }, { - "id": "control-1606", - "title": "Functional separation between computing environments", + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", "parts": [ { - "id": "control-1606-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-1607", - "title": "Functional separation between computing environments", + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1607-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." 
+ "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-1462", - "title": "Functional separation between computing environments", + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1461", - "title": "Functional separation between computing environments", + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1461-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ - { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", - "controls": [ + }, { - "id": "control-0580", - "title": "Event logging policy", + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", "parts": [ { - "id": "control-0580-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-1405", - "title": "Centralised logging facility", + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1405-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0988", - "title": "Centralised logging facility", + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-0988-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." 
+ "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0584", - "title": "Events to be logged", + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", "parts": [ { - "id": "control-0584-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-0582", - "title": "Events to be logged", + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", "parts": [ { - "id": "control-0582-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1536", - "title": "Events to be logged", + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", "parts": [ { - "id": "control-1536-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." } ] }, { - "id": "control-1537", - "title": "Events to be logged", + "id": "control-1464", + "title": "Encrypted media sanitisation", "parts": [ { - "id": "control-1537-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." + "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_cryptography", + "title": "Guidelines for Cryptography", + "groups": [ + { + "id": "secure_shell", + "title": "Secure Shell", + "controls": [ + { + "id": "control-1506", + "title": "Configuring Secure Shell", + "parts": [ + { + "id": "control-1506-stmt", + "name": "statement", + "prose": "The use of SSH version 1 is disabled." 
} ] }, { - "id": "control-0585", - "title": "Events log details", + "id": "control-0484", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-0585-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-0586", - "title": "Event log protection", + "id": "control-0485", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-0586-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." + "prose": "Public key-based authentication is used for SSH connections." } ] }, { - "id": "control-0859", - "title": "Event log retention", + "id": "control-1449", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-0859-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "SSH private keys are protected with a passphrase or a key encryption key." } ] }, { - "id": "control-0991", - "title": "Event log retention", + "id": "control-0487", + "title": "Automated remote access", "parts": [ { - "id": "control-0991-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." 
} ] }, { - "id": "control-0109", - "title": "Event log auditing process and procedures", + "id": "control-0488", + "title": "Automated remote access", "parts": [ { - "id": "control-0109-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." } ] }, { - "id": "control-1228", - "title": "Event log auditing process and procedures", + "id": "control-0489", + "title": "SSH-agent", "parts": [ { - "id": "control-1228-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", - "groups": [ + }, { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", "controls": [ { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0123-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "Only AACAs are used by cryptographic equipment and software." } ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", "parts": [ { - "id": "control-0141-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." } ] }, { - "id": "control-1433", - "title": "Reporting cyber security incidents", + "id": "control-0472", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-1433-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used." 
} ] }, { - "id": "control-1434", - "title": "Reporting cyber security incidents", + "id": "control-1629", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-1434-stmt", + "id": "control-1629-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3." } ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents to the ACSC", - "parts": [ - { - "id": "control-0140-stmt", - "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." - } - ] - } - ] - }, - { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", - "controls": [ - { - "id": "control-0125", - "title": "Cyber security incident register", + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-0125-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." + "prose": "When using DSA for digital signatures, a modulus of at least 2048 bits is used." } ] }, { - "id": "control-0133", - "title": "Handling and containing data spills", + "id": "control-1630", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-0133-stmt", + "id": "control-1630-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." 
+ "prose": "When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4." } ] }, { - "id": "control-0917", - "title": "Handling and containing malicious code infections", + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", "parts": [ { - "id": "control-0917-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." } ] }, { - "id": "control-0137", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", "parts": [ { - "id": "control-0137-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used." } ] }, { - "id": "control-1609", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", "parts": [ { - "id": "control-1609-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." 
+ "prose": "When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used." } ] }, { - "id": "control-1213", - "title": "Post-incident analysis", + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-1213-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used." } ] }, { - "id": "control-0138", - "title": "Integrity of evidence", + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0138-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." + "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." } ] - } - ] - }, - { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", - "controls": [ + }, { - "id": "control-0576", - "title": "Intrusion detection and prevention policy", + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", "parts": [ { - "id": "control-0576-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." 
} ] }, { - "id": "control-1625", - "title": "Trusted insider program", + "id": "control-0480", + "title": "Using the Triple Data Encryption Standard", "parts": [ { - "id": "control-1625-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "A trusted insider program is developed and implemented." + "prose": "3DES is used with three distinct keys." } ] }, { - "id": "control-1626", - "title": "Trusted insider program", + "id": "control-1232", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-1626-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." + "prose": "AACAs are used in an evaluated implementation." } ] }, { - "id": "control-0120", - "title": "Access to sufficient data sources and tools", + "id": "control-1468", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0120-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." } ] } ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ + }, { - "id": "mobile_device_usage", - "title": "Mobile device usage", + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", "controls": [ { - "id": "control-1082", - "title": "Mobile device usage policy", + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-1082-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "Versions of S/MIME earlier than 3.0 are not used." 
} ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-1083", - "title": "Personnel awareness", + "id": "control-1139", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1083-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "Only the latest version of TLS is used." } ] }, { - "id": "control-0240", - "title": "Paging and message services", + "id": "control-1369", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-0866", - "title": "Using mobile devices in public spaces", + "id": "control-1370", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0866-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "Only server-initiated secure renegotiation is used." } ] }, { - "id": "control-1145", - "title": "Using mobile devices in public spaces", + "id": "control-1372", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1145-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." + "prose": "DH or ECDH is used for key establishment." 
} ] }, { - "id": "control-0871", - "title": "Maintaining control of mobile devices", + "id": "control-1448", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0871-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." } ] }, { - "id": "control-0870", - "title": "Maintaining control of mobile devices", + "id": "control-1373", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0870-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-1084", - "title": "Carrying mobile devices", + "id": "control-1374", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1084-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "SHA-2-based certificates are used." } ] }, { - "id": "control-0701", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1375", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0701-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." 
} ] }, { - "id": "control-0702", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1553", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0702-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "TLS compression is disabled." } ] }, { - "id": "control-1298", - "title": "Before travelling overseas with mobile devices", + "id": "control-1453", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1298-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "PFS is used for TLS connections." } ] - }, + } + ] + }, + { + "id": "cryptographic_system_management", + "title": "Cryptographic system management", + "controls": [ { - "id": "control-1554", - "title": "Before travelling overseas with mobile devices", + "id": "control-0501", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1554-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." 
} ] }, { - "id": "control-1555", - "title": "Before travelling overseas with mobile devices", + "id": "control-0142", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1555-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." 
} ] }, { - "id": "control-1299", - "title": "While travelling overseas with mobile devices", + "id": "control-1091", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1299-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "Keying material is changed when compromised or suspected of being compromised." 
} ] }, { - "id": "control-1088", - "title": "While travelling overseas with mobile devices", + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", "parts": [ { - "id": "control-1088-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." } ] }, { - "id": "control-1300", - "title": "After travelling overseas with mobile devices", + "id": "control-0505", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1300-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." 
} ] }, { - "id": "control-1556", - "title": "After travelling overseas with mobile devices", + "id": "control-0506", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1556-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." } ] } ] }, { - "id": "mobile_device_management", - "title": "Mobile device management", + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", "controls": [ { - "id": "control-1533", - "title": "Mobile device management policy", + "id": "control-1161", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1533-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." } ] }, { - "id": "control-1195", - "title": "Mobile device management policy", + "id": "control-0457", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1195-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." 
+ "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] }, { - "id": "control-0687", - "title": "Mobile device management policy", + "id": "control-0460", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-0687-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-1400", - "title": "Privately-owned mobile devices", + "id": "control-0459", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-1400-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-0694", - "title": "Privately-owned mobile devices", + "id": "control-0461", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0694-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems or information." 
+ "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-1297", - "title": "Seeking legal advice for privately-owned mobile devices", + "id": "control-1080", + "title": "Encrypting particularly important information at rest", "parts": [ { - "id": "control-1297-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." } ] }, { - "id": "control-1482", - "title": "Organisation-owned mobile devices", + "id": "control-0455", + "title": "Data recovery", "parts": [ { - "id": "control-1482-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." } ] }, { - "id": "control-0869", - "title": "Mobile device storage encryption", + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", "parts": [ { - "id": "control-0869-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
+ "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] }, { - "id": "control-1085", - "title": "Mobile device communications encryption", + "id": "control-1162", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1085-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1202", - "title": "Mobile device Bluetooth functionality", + "id": "control-0465", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1202-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0682", - "title": "Mobile device Bluetooth functionality", + "id": "control-0467", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-0682-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
+ "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1196", - "title": "Mobile device Bluetooth pairing", + "id": "control-0469", + "title": "Encrypting particularly important information in transit", "parts": [ { - "id": "control-1196-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ { - "id": "control-1200", - "title": "Mobile device Bluetooth pairing", + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-1200-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "Only AACPs are used by cryptographic equipment and software." + } + ] + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ + { + "id": "control-0494", + "title": "Mode of operation", + "parts": [ + { + "id": "control-0494-stmt", + "name": "statement", + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." 
} ] }, { - "id": "control-1198", - "title": "Mobile device Bluetooth pairing", + "id": "control-0496", + "title": "Protocol selection", "parts": [ { - "id": "control-1198-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "The ESP protocol is used for IPsec connections." } ] }, { - "id": "control-1199", - "title": "Mobile device Bluetooth pairing", + "id": "control-1233", + "title": "Key exchange", "parts": [ { - "id": "control-1199-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-0863", - "title": "Configuration control", + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", "parts": [ { - "id": "control-0863-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." } ] }, { - "id": "control-0864", - "title": "Configuration control", + "id": "control-0498", + "title": "Security association lifetimes", "parts": [ { - "id": "control-0864-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." 
} ] }, { - "id": "control-1365", - "title": "Maintaining mobile device security", + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", "parts": [ { - "id": "control-1365-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-1366", - "title": "Maintaining mobile device security", + "id": "control-0999", + "title": "Diffie-Hellman groups", "parts": [ { - "id": "control-1366-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." } ] }, { - "id": "control-0874", - "title": "Connecting mobile devices to the internet", + "id": "control-1000", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-0874-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "PFS is used for IPsec connections." } ] }, { - "id": "control-0705", - "title": "Connecting mobile devices to the internet", + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", "parts": [ { - "id": "control-0705-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." } ] } 
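Review bot: Every removed/added pair in this hunk changes the control id (control-1085 becomes control-1162, control-1202 becomes control-0465, control-0705 becomes control-1001, and so on), so this is a positional rewrite of the catalog rather than an edit of individual controls, and the diff alone cannot show whether the mobile-device controls it removes (control-1085, control-1202, control-0682, control-1196, control-1200, control-1198, control-1199, control-0863, control-0864, control-1365, control-1366, control-0874, control-0705) reappear elsewhere in the file or are dropped. Please verify the control set is preserved before merging, for example by extracting the ids on both sides with `jq -r '.. | .id? | strings | select(test("^control-[0-9]+$"))' catalog.json | sort` and diffing the two lists, and state the outcome in the PR description; a catalog that silently loses a control such as control-0705 (split tunnelling disabled for VPN connections) would weaken every profile that imports it. A smaller point on the added IPsec controls: control-0494 combines two requirements in one statement ("Tunnel mode is used ...; however, if using transport mode, an IP tunnel is used"), which is awkward to assess as a single pass/fail item; if the source document allows it, splitting it into two parts would make the catalog easier to consume in a profile.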
@@ -6543,2479 +6509,2513 @@ ] }, { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", "groups": [ { - "id": "cabling_infrastructure", - "title": "Cabling infrastructure", + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", "controls": [ { - "id": "control-0181", - "title": "Cabling infrastructure standards", + "id": "control-0252", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-0181-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "Cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority." + "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." } ] }, { - "id": "control-1111", - "title": "Use of fibre-optic cables", + "id": "control-1565", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1111-stmt", + "id": "control-1565-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for cabling infrastructure instead of copper cables." + "prose": "Tailored privileged user training is undertaken annually by all privileged users." 
} ] }, { - "id": "control-0211", - "title": "Cable register", + "id": "control-0817", + "title": "Reporting suspicious contact via online services", "parts": [ { - "id": "control-0211-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "A cable register is maintained and regularly audited." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, { - "id": "control-0208", - "title": "Cable register", + "id": "control-0820", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0208-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "Cable registers contain the following information:\n• cable identifier\n• cable colour\n• sensitivity/classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." } ] }, { - "id": "control-0206", - "title": "Cable labelling process and procedures", + "id": "control-1146", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0206-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." } ] }, { - "id": "control-1096", - "title": "Labelling cables", + "id": "control-0821", + "title": "Posting personal information to online services", "parts": [ { - "id": "control-1096-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." 
+ "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." } ] }, { - "id": "control-1639", - "title": "Labelling building management cables", + "id": "control-0824", + "title": "Sending and receiving files via online services", "parts": [ { - "id": "control-1639-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "Building management cables are labelled with their purpose in black writing on a yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre intervals." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." + } + ] + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ + { + "id": "control-0432", + "title": "System access requirements", + "parts": [ + { + "id": "control-0432-stmt", + "name": "statement", + "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." } ] }, { - "id": "control-1640", - "title": "Labelling cables for foreign systems in Australian facilities", + "id": "control-0434", + "title": "System access requirements", "parts": [ { - "id": "control-1640-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "Cables for foreign systems installed in Australian facilities are labelled at inspection points." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." 
} ] }, { - "id": "control-0926", - "title": "Cable colours", + "id": "control-0435", + "title": "System access requirements", "parts": [ { - "id": "control-0926-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] }, { - "id": "control-1216", - "title": "Cable colour non-conformance", + "id": "control-0414", + "title": "User identification", "parts": [ { - "id": "control-1216-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "Cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." } ] }, { - "id": "control-1112", - "title": "Cable inspectability", + "id": "control-0415", + "title": "User identification", "parts": [ { - "id": "control-1112-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-1118", - "title": "Cable inspectability", + "id": "control-1583", + "title": "User identification", "parts": [ { - "id": "control-1118-stmt", + "id": "control-1583-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Personnel who are contractors are identified as such." 
} ] }, { - "id": "control-1119", - "title": "Cable inspectability", + "id": "control-0975", + "title": "User identification", "parts": [ { - "id": "control-1119-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." + "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1126", - "title": "Cable inspectability", + "id": "control-0420", + "title": "User identification", "parts": [ { - "id": "control-1126-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0184", - "title": "Cable inspectability", + "id": "control-0405", + "title": "Standard access to systems", "parts": [ { - "id": "control-0184-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-0187", - "title": "Cable groups", + "id": "control-1503", + "title": "Standard access to systems", "parts": [ { - "id": "control-0187-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "The cable groups in the following table are used (see source document for referenced table)." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." 
} ] }, { - "id": "control-0189", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-1566", + "title": "Standard access to systems", "parts": [ { - "id": "control-0189-stmt", + "id": "control-1566-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single cable group." + "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-0190", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-0409", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0190-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "With fibre-optic cables contains subunits, each subunit only carries a single cable group; however, each subunit can carry a different cable group." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-1114", - "title": "Common cable reticulation systems", + "id": "control-0411", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-1114-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "Cable groups sharing a common cable reticulation system have a dividing partition or a visible gap between the cable groups." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." 
} ] }, { - "id": "control-1130", - "title": "Enclosed cable reticulation systems", + "id": "control-1507", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1130-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-1164", - "title": "Covers for enclosed cable reticulation systems", + "id": "control-1508", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1164-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-0195", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-0445", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0195-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on cable reticulation systems." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." } ] }, { - "id": "control-0194", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1509", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1509-stmt", + "name": "statement", + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." 
+ } + ] + }, + { + "id": "control-1175", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1175-stmt", + "name": "statement", + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + } + ] + }, + { + "id": "control-0448", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0194-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." } ] }, { - "id": "control-0201", - "title": "Labelling conduits", + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0201-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as ‘TS RUN’." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." } ] }, { - "id": "control-1115", - "title": "Cables in walls", + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1115-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." 
} ] }, { - "id": "control-1133", - "title": "Cables in party walls", + "id": "control-0430", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1133-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in party walls." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." } ] }, { - "id": "control-1122", - "title": "Wall penetrations", + "id": "control-1591", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1122-stmt", + "id": "control-1591-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." } ] }, { - "id": "control-1134", - "title": "Wall penetrations", + "id": "control-1404", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1134-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." 
} ] }, { - "id": "control-1104", - "title": "Wall outlet boxes", + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", "parts": [ { - "id": "control-1104-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "Wall outlet boxes have connectors on opposite sides of the wall outlet box if the cable group contains cables belonging to different classifications." + "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." } ] }, { - "id": "control-1105", - "title": "Wall outlet boxes", + "id": "control-0441", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1105-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "Different cables groups do not share a wall outlet box." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." } ] }, { - "id": "control-1095", - "title": "Labelling wall outlet boxes", + "id": "control-0443", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1095-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classifications, cable identifiers and wall outlet box identifier." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." 
} ] }, { - "id": "control-1107", - "title": "Wall outlet box colours", + "id": "control-1610", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1107-stmt", + "id": "control-1610-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1109", - "title": "Wall outlet box covers", + "id": "control-1611", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1109-stmt", + "id": "control-1611-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "Break glass accounts are only used when normal authentication processes cannot be used." } ] }, { - "id": "control-0218", - "title": "Fly lead installation", + "id": "control-1612", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0218-stmt", + "id": "control-1612-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "Break glass accounts are only used for specific authorised activities." } ] }, { - "id": "control-1102", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1613", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1102-stmt", + "id": "control-1613-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet." 
+ "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." } ] }, { - "id": "control-1101", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1614", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1101-stmt", + "id": "control-1614-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." + "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." } ] }, { - "id": "control-1103", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1615", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1103-stmt", + "id": "control-1615-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "Break glass accounts are tested after credentials are changed." } ] }, { - "id": "control-1098", - "title": "Terminating cables in cabinets", + "id": "control-0078", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1098-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets; or for small systems, one cabinet with a division plate to delineate cable groups." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." 
} ] }, { - "id": "control-1100", - "title": "Terminating cables in cabinets", + "id": "control-0854", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1100-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." + "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems", + "title": "Guidelines for Database Systems", + "groups": [ + { + "id": "database_servers", + "title": "Database servers", + "controls": [ { - "id": "control-0213", - "title": "Terminating cable groups on patch panels", + "id": "control-1425", + "title": "Protecting database server contents", "parts": [ { - "id": "control-0213-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "Different cable groups do not terminate on the same patch panel." + "prose": "Hard disks of database servers are encrypted using full disk encryption." } ] }, { - "id": "control-1116", - "title": "Physical separation of cabinets and patch panels", + "id": "control-1269", + "title": "Functional separation between database servers and web servers", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-0216", - "title": "Physical separation of cabinets and patch panels", + "id": "control-1277", + "title": "Communications between database servers and web servers", "parts": [ { - "id": "control-0216-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." 
+ "prose": "Information communicated between database servers and web applications is encrypted." } ] }, { - "id": "control-0217", - "title": "Physical separation of cabinets and patch panels", + "id": "control-1270", + "title": "Network environment", "parts": [ { - "id": "control-0217-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-0198", - "title": "Audio secure spaces", + "id": "control-1271", + "title": "Network environment", "parts": [ { - "id": "control-0198-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." } ] }, { - "id": "control-1123", - "title": "Power reticulation", + "id": "control-1272", + "title": "Network environment", "parts": [ { - "id": "control-1123-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
+ "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." } ] }, { - "id": "control-1135", - "title": "Power reticulation", + "id": "control-1273", + "title": "Separation of production, test and development database servers", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Test and development environments do not use the same database servers as production environments." } ] } ] }, { - "id": "emanation_security", - "title": "Emanation security", + "id": "databases", + "title": "Databases", "controls": [ { - "id": "control-0247", - "title": "Emanation security threat assessments in Australia", + "id": "control-1243", + "title": "Database register", "parts": [ { - "id": "control-0247-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "A database register is maintained and regularly audited." 
} ] }, { - "id": "control-0248", - "title": "Emanation security threat assessments in Australia", + "id": "control-1256", + "title": "Protecting database contents", "parts": [ { - "id": "control-0248-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-1137", - "title": "Emanation security threat assessments in Australia", + "id": "control-1252", + "title": "Protecting authentication credentials in databases", "parts": [ { - "id": "control-1137-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-0932", - "title": "Emanation security threat assessments outside Australia", + "id": "control-0393", + "title": "Protecting database contents", "parts": [ { - "id": "control-0932-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." 
} ] }, { - "id": "control-0249", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1255", + "title": "Protecting database contents", "parts": [ { - "id": "control-0249-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." } ] }, { - "id": "control-0246", - "title": "Early identification of emanation security issues", + "id": "control-1268", + "title": "Protecting database contents", "parts": [ { - "id": "control-0246-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." } ] }, { - "id": "control-0250", - "title": "Industry and government standards", + "id": "control-1258", + "title": "Aggregation of database contents", "parts": [ { - "id": "control-0250-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment", - "title": "Guidelines for ICT Equipment", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1274", + "title": "Separation of production, test and development databases", "parts": [ { - "id": "control-0313-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." } ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1275", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1550-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." } ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1276", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-0311-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." 
+ "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." } ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1278", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1217-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." } ] - }, + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1245", + "title": "Temporary installation files and logs", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-0315", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1246", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0315-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "When disposing of high assurance ICT equipment, it is destroyed prior to its disposal." + "prose": "DBMS software is configured according to vendor guidance." 
} ] }, { - "id": "control-0321", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1247", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0321-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "When disposing of ICT equipment that has been designed or modified to meet TEMPEST standards, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." } ] }, { - "id": "control-1218", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1249", + "title": "Restricting privileges", "parts": [ { - "id": "control-1218-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] }, { - "id": "control-0312", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1250", + "title": "Restricting privileges", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." 
} ] }, { - "id": "control-0317", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1251", + "title": "Restricting privileges", "parts": [ { - "id": "control-0317-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "The ability of DBMS software to read local files from a server is disabled." } ] }, { - "id": "control-1219", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1260", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-1220", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1262", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1220-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-1221", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1261", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1221-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Database administrator accounts are not shared across different databases." 
} ] }, { - "id": "control-0318", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1263", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0318-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-1534", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1264", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1534-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateways", + "title": "Guidelines for Gateways", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-1076", - "title": "Sanitising televisions and computer monitors", + "id": "control-1528", + "title": "Using firewalls", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." 
} ] }, { - "id": "control-1222", - "title": "Sanitising televisions and computer monitors", + "id": "control-0639", + "title": "Using firewalls", "parts": [ { - "id": "control-1222-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] }, { - "id": "control-1223", - "title": "Sanitising network devices", + "id": "control-1194", + "title": "Using firewalls", "parts": [ { - "id": "control-1223-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." } ] }, { - "id": "control-1225", - "title": "Sanitising fax machines", + "id": "control-0641", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1225-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." 
} ] }, { - "id": "control-1226", - "title": "Sanitising fax machines", + "id": "control-0642", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1226-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." } ] } ] }, { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", + "id": "diodes", + "title": "Diodes", "controls": [ { - "id": "control-1079", - "title": "Maintenance and repairs of high assurance ICT equipment", + "id": "control-0643", + "title": "Using diodes", "parts": [ { - "id": "control-1079-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0305", - "title": "On-site maintenance and repairs", + "id": "control-0645", + "title": "Using diodes", "parts": [ { - "id": "control-0305-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." 
} ] }, { - "id": "control-0307", - "title": "On-site maintenance and repairs", + "id": "control-1157", + "title": "Using diodes", "parts": [ { - "id": "control-0307-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." } ] }, { - "id": "control-0306", - "title": "On-site maintenance and repairs", + "id": "control-1158", + "title": "Using diodes", "parts": [ { - "id": "control-0306-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." } ] }, { - "id": "control-0310", - "title": "Off-site maintenance and repairs", + "id": "control-0646", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0310-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." 
+ "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-0944", - "title": "Maintenance and repair of ICT equipment from secured spaces", + "id": "control-0647", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0944-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-1598", - "title": "Inspection of ICT equipment following maintenance and repairs", + "id": "control-0648", + "title": "Volume checking", "parts": [ { - "id": "control-1598-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." } ] } ] }, { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", + "id": "content_filtering", + "title": "Content filtering", "controls": [ { - "id": "control-1551", - "title": "ICT equipment management policy", + "id": "control-0659", + "title": "Content filtering", "parts": [ { - "id": "control-1551-stmt", + "id": "control-0659-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." 
} ] }, { - "id": "control-0293", - "title": "Classifying ICT equipment", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-0293-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." } ] }, { - "id": "control-0294", - "title": "Labelling ICT equipment", + "id": "control-0651", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0294-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." } ] }, { - "id": "control-0296", - "title": "Labelling high assurance ICT equipment", + "id": "control-0652", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0296-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." } ] }, { - "id": "control-1599", - "title": "Handling ICT equipment", + "id": "control-1389", + "title": "Automated dynamic analysis", "parts": [ { - "id": "control-1599-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." 
+ "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0336", - "title": "ICT equipment and media register", + "id": "control-1284", + "title": "Content validation", "parts": [ { - "id": "control-0336-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." } ] }, { - "id": "control-0159", - "title": "ICT equipment and media register", + "id": "control-1286", + "title": "Content conversion and transformation", "parts": [ { - "id": "control-0159-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." } ] }, { - "id": "control-0161", - "title": "Securing ICT equipment and media", + "id": "control-1287", + "title": "Content sanitisation", "parts": [ { - "id": "control-0161-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." 
} ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Radio Frequency devices", + "id": "control-1288", + "title": "Antivirus scanning", "parts": [ { - "id": "control-1543-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] }, { - "id": "control-0225", - "title": "Radio Frequency devices", + "id": "control-1289", + "title": "Archive and container files", "parts": [ { - "id": "control-0225-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-0829", - "title": "Radio Frequency devices", + "id": "control-1290", + "title": "Archive and container files", "parts": [ { - "id": "control-0829-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-1058", - "title": "Bluetooth and wireless keyboards", + "id": "control-1291", + "title": "Archive and container files", "parts": [ { - "id": "control-1058-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." 
} ] }, { - "id": "control-0222", - "title": "Infrared keyboards", + "id": "control-0649", + "title": "Allowing access to specific content types", "parts": [ { - "id": "control-0222-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-0223", - "title": "Infrared keyboards", + "id": "control-1292", + "title": "Data integrity", "parts": [ { - "id": "control-0223-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." } ] }, { - "id": "control-0224", - "title": "Infrared keyboards", + "id": "control-0677", + "title": "Data integrity", "parts": [ { - "id": "control-0224-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "If data is signed, the signature is validated before the data is exported." 
} ] }, { - "id": "control-0221", - "title": "Wireless RF pointing devices", + "id": "control-1293", + "title": "Encrypted data", "parts": [ { - "id": "control-0221-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] } ] }, { - "id": "facilities_and_systems", - "title": "Facilities and systems", + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", "controls": [ { - "id": "control-0810", - "title": "Facilities containing systems", + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", "parts": [ { - "id": "control-0810-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-1053", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-1053-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." 
} ] }, { - "id": "control-1530", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-1530-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0813", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0635", + "title": "Separation of data flows", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-1074", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1521", + "title": "Separation of data flows", "parts": [ { - "id": "control-1074-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." 
} ] }, { - "id": "control-0157", - "title": "Network infrastructure", + "id": "control-1522", + "title": "Separation of data flows", "parts": [ { - "id": "control-0157-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." } ] }, { - "id": "control-1296", - "title": "Controlling physical access to network devices", + "id": "control-0670", + "title": "Event logging", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." } ] }, { - "id": "control-0164", - "title": "Preventing observation by unauthorised people", + "id": "control-1523", + "title": "Event logging", "parts": [ { - "id": "control-0164-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." + } + ] + }, + { + "id": "control-0610", + "title": "User training", + "parts": [ + { + "id": "control-0610-stmt", + "name": "statement", + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_data_transfers", - "title": "Guidelines for Data Transfers", - "groups": [ + }, { - "id": "data_transfers", - "title": "Data transfers", + "id": "web_proxies", + "title": "Web proxies", "controls": [ { - "id": "control-0663", - "title": "Data transfer process and procedures", + "id": "control-0258", + "title": "Web usage policy", "parts": [ { - "id": "control-0663-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + "prose": "A web usage policy is developed and implemented." } ] }, { - "id": "control-0661", - "title": "User responsibilities", + "id": "control-0260", + "title": "Using web proxies", "parts": [ { - "id": "control-0661-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-0665", - "title": "Trusted sources", + "id": "control-0261", + "title": "Web proxy authentication and logging", "parts": [ { - "id": "control-0665-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." 
} ] - }, + } + ] + }, + { + "id": "web_content_filters", + "title": "Web content filters", + "controls": [ { - "id": "control-0664", - "title": "Data transfer approval", + "id": "control-0963", + "title": "Using web content filters", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "A web content filter is used to filter potentially harmful web-based content." } ] }, { - "id": "control-0675", - "title": "Data transfer approval", + "id": "control-0961", + "title": "Using web content filters", "parts": [ { - "id": "control-0675-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "A trusted source signs all data authorised for export from a system." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." } ] }, { - "id": "control-0657", - "title": "Import of data", + "id": "control-1237", + "title": "Using web content filters", "parts": [ { - "id": "control-0657-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] }, { - "id": "control-0658", - "title": "Import of data", + "id": "control-0263", + "title": "Transport Layer Security filtering", "parts": [ { - "id": "control-0658-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." 
+ "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." } ] }, { - "id": "control-1187", - "title": "Export of data", + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", "parts": [ { - "id": "control-1187-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] }, { - "id": "control-0669", - "title": "Export of data", + "id": "control-0958", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0669-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-1535", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-1170", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-1535-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." 
+ "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." } ] }, { - "id": "control-0678", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0959", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0678-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." } ] }, { - "id": "control-1586", - "title": "Monitoring data import and export", + "id": "control-0960", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1586-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "Data transfer logs are used to record all data imports and exports from systems." + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." } ] }, { - "id": "control-1294", - "title": "Monitoring data import and export", + "id": "control-1171", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1294-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "Data transfer logs are partially audited at least monthly." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0660", - "title": "Monitoring data import and export", + "id": "control-1236", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0660-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "Data transfer logs are fully audited at least monthly." 
+ "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." } ] } ] - } - ] - }, - { - "id": "guidelines_for_media", - "title": "Guidelines for Media", - "groups": [ + }, { - "id": "media_destruction", - "title": "Media destruction", + "id": "peripheral_switches", + "title": "Peripheral switches", "controls": [ { - "id": "control-0363", - "title": "Media destruction process and procedures", - "parts": [ - { - "id": "control-0363-stmt", - "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." - } - ] - }, - { - "id": "control-0350", - "title": "Media that cannot be sanitised", + "id": "control-0591", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0350-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-1361", - "title": "Media destruction equipment", + "id": "control-1480", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1361-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." + "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." 
} ] }, { - "id": "control-1160", - "title": "Media destruction equipment", + "id": "control-1457", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1160-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." } ] }, { - "id": "control-1517", - "title": "Media destruction methods", + "id": "control-0593", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1517-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-0366", - "title": "Media destruction methods", + "id": "control-0594", + "title": "Peripheral switches for particularly important systems", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." 
} ] - }, + } + ] + }, + { + "id": "gateways", + "title": "Gateways", + "controls": [ { - "id": "control-0368", - "title": "Treatment of media waste particles", + "id": "control-0628", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0368-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "All systems are protected from systems in other security domains by one or more gateways." } ] }, { - "id": "control-0361", - "title": "Degaussing magnetic media", + "id": "control-1192", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0361-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] }, { - "id": "control-0838", - "title": "Degaussing magnetic media", + "id": "control-0631", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0838-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." 
+ "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." } ] }, { - "id": "control-0362", - "title": "Degaussing magnetic media", + "id": "control-1427", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0362-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." } ] }, { - "id": "control-1641", - "title": "Degaussing magnetic media", + "id": "control-0634", + "title": "Gateway operation", "parts": [ { - "id": "control-1641-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "Following destruction of magnetic media using a degausser, the magnetic media is physically damaged by deforming the internal platters by any means prior to disposal." + "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." 
} ] }, { - "id": "control-0370", - "title": "Supervision of destruction", + "id": "control-0637", + "title": "Demilitarised zones", "parts": [ { - "id": "control-0370-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-0371", - "title": "Supervision of destruction", + "id": "control-1037", + "title": "Gateway testing", "parts": [ { - "id": "control-0371-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-0372", - "title": "Supervision of accountable material destruction", + "id": "control-0611", + "title": "Gateway administration", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." 
} ] }, - { - "id": "control-0373", - "title": "Supervision of accountable material destruction", + { + "id": "control-0612", + "title": "Gateway administration", "parts": [ { - "id": "control-0373-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "System administrators are formally trained to manage gateways." } ] }, { - "id": "control-0840", - "title": "Outsourcing media destruction", + "id": "control-1520", + "title": "Gateway administration", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." } ] }, { - "id": "control-0839", - "title": "Outsourcing media destruction", + "id": "control-0613", + "title": "Gateway administration", "parts": [ { - "id": "control-0839-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." 
} ] - } - ] - }, - { - "id": "media_usage", - "title": "Media usage", - "controls": [ + }, { - "id": "control-1549", - "title": "Media management policy", + "id": "control-0616", + "title": "Gateway administration", "parts": [ { - "id": "control-1549-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Roles for the administration of gateways are separated." } ] }, { - "id": "control-1359", - "title": "Removable media usage policy", + "id": "control-0629", + "title": "Gateway administration", "parts": [ { - "id": "control-1359-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-0323", - "title": "Classifying media storing information", + "id": "control-0607", + "title": "Shared ownership of gateways", "parts": [ { - "id": "control-0323-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." } ] }, { - "id": "control-0325", - "title": "Classifying media connected to systems", + "id": "control-0619", + "title": "Gateway authentication", "parts": [ { - "id": "control-0325-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." 
+ "prose": "Users and services accessing networks through gateways are authenticated." } ] }, { - "id": "control-0331", - "title": "Reclassifying media", + "id": "control-0620", + "title": "Gateway authentication", "parts": [ { - "id": "control-0331-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-0330", - "title": "Reclassifying media", + "id": "control-1039", + "title": "Gateway authentication", "parts": [ { - "id": "control-0330-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." + "prose": "Multi-factor authentication is used for access to gateways." } ] }, { - "id": "control-0332", - "title": "Labelling media", + "id": "control-0622", + "title": "ICT equipment authentication", "parts": [ { - "id": "control-0332-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "ICT equipment accessing networks through gateways is authenticated." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", + "groups": [ + { + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", + "controls": [ { - "id": "control-1600", - "title": "Connecting media to systems", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", "parts": [ { - "id": "control-1600-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "Media is sanitised before it is used with systems for the first time." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-0337", - "title": "Connecting media to systems", + "id": "control-0546", + "title": "Video and voice-aware firewalls", "parts": [ { - "id": "control-0337-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." } ] }, { - "id": "control-0341", - "title": "Connecting media to systems", + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." + "prose": "Video conferencing and IP telephony signalling and data is encrypted." 
} ] }, { - "id": "control-0342", - "title": "Connecting media to systems", + "id": "control-0548", + "title": "Establishment of secure signalling and data protocols", "parts": [ { - "id": "control-0342-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-0343", - "title": "Connecting media to systems", + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0343-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-0831", - "title": "Handling media", + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." } ] }, { - "id": "control-1059", - "title": "Handling media", + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1059-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
+ "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-0347", - "title": "Using media for data transfers", + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0347-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." } ] }, { - "id": "control-0947", - "title": "Using media for data transfers", + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0947-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." + "prose": "Individual logins are used for IP phones." } ] - } - ] - }, - { - "id": "media_disposal", - "title": "Media disposal", - "controls": [ + }, { - "id": "control-0374", - "title": "Media disposal process and procedures", + "id": "control-0549", + "title": "Traffic separation", "parts": [ { - "id": "control-0374-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." 
+ "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." } ] }, { - "id": "control-0375", - "title": "Media disposal process and procedures", + "id": "control-0556", + "title": "Traffic separation", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-0378", - "title": "Media disposal process and procedures", + "id": "control-1015", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0378-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "Traditional analog phones are used in public areas." } ] - } - ] - }, - { - "id": "media_sanitisation", - "title": "Media sanitisation", - "controls": [ + }, { - "id": "control-0348", - "title": "Media sanitisation process and procedures", + "id": "control-0558", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." 
} ] }, { - "id": "control-0351", - "title": "Volatile media sanitisation", + "id": "control-0559", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." } ] }, { - "id": "control-0352", - "title": "Volatile media sanitisation", + "id": "control-1450", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0352-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." } ] }, { - "id": "control-0835", - "title": "Treatment of volatile media following sanitisation", + "id": "control-1019", + "title": "Developing a denial of service response plan", "parts": [ { - "id": "control-0835-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." 
+ "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." } ] - }, - { - "id": "control-1065", - "title": "Non-volatile magnetic media sanitisation", + } + ] + }, + { + "id": "telephone_systems", + "title": "Telephone systems", + "controls": [ + { + "id": "control-1078", + "title": "Telephone systems usage policy", "parts": [ { - "id": "control-1065-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-0354", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0229", + "title": "Personnel awareness", "parts": [ { - "id": "control-0354-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-1067", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0230", + "title": "Personnel awareness", "parts": [ { - "id": "control-1067-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." 
+ "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." } ] }, { - "id": "control-0356", - "title": "Treatment of non-volatile magnetic media following sanitisation", + "id": "control-0231", + "title": "Visual indication", "parts": [ { - "id": "control-0356-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-0357", - "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "id": "control-0232", + "title": "Protecting conversations", "parts": [ { - "id": "control-0357-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0836", - "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "id": "control-0233", + "title": "Cordless telephone systems", "parts": [ { - "id": "control-0836-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." 
} ] }, { - "id": "control-0358", - "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "id": "control-0235", + "title": "Speakerphones", "parts": [ { - "id": "control-0358-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." + "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-0359", - "title": "Non-volatile flash memory media sanitisation", + "id": "control-0236", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0359-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." } ] }, { - "id": "control-0360", - "title": "Treatment of non-volatile flash memory media following sanitisation", + "id": "control-0931", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0360-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "In SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of SECRET information." 
} ] }, { - "id": "control-1464", - "title": "Encrypted media sanitisation", + "id": "control-0237", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-1464-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + "prose": "In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." } ] } ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ + }, { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", "controls": [ { - "id": "control-0714", - "title": "Providing cyber security leadership and guidance", + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", "parts": [ { - "id": "control-0714-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." + "prose": "A fax machine and MFD usage policy is developed and implemented." } ] }, { - "id": "control-1478", - "title": "Overseeing the cyber security program", + "id": "control-1092", + "title": "Sending fax messages", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." 
} ] }, { - "id": "control-1617", - "title": "Overseeing the cyber security program", + "id": "control-0241", + "title": "Sending fax messages", "parts": [ { - "id": "control-1617-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." } ] }, { - "id": "control-0724", - "title": "Overseeing the cyber security program", + "id": "control-1075", + "title": "Receiving fax messages", "parts": [ { - "id": "control-0724-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." } ] }, { - "id": "control-0725", - "title": "Coordinating cyber security", + "id": "control-0590", + "title": "Connecting multifunction devices to networks", "parts": [ { - "id": "control-0725-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." 
} ] }, { - "id": "control-0726", - "title": "Coordinating cyber security", + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", "parts": [ { - "id": "control-0726-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "The CISO coordinates security risk management activities between cyber security and business teams." + "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] }, { - "id": "control-0718", - "title": "Reporting on cyber security", + "id": "control-0589", + "title": "Copying documents on multifunction devices", "parts": [ { - "id": "control-0718-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." } ] }, { - "id": "control-0733", - "title": "Overseeing incident response activities", + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", "parts": [ { - "id": "control-0733-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "The CISO is fully aware of all cyber security incidents within their organisation." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ { - "id": "control-1618", - "title": "Overseeing incident response activities", + "id": "control-1510", + "title": "Digital preservation policy", "parts": [ { - "id": "control-1618-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s response to cyber security incidents." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-0734", - "title": "Contributing to business continuity and disaster recovery planning", + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0734-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." } ] }, { - "id": "control-0720", - "title": "Developing a cyber security communications strategy", + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0720-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
} ] }, { - "id": "control-0731", - "title": "Working with suppliers and service providers", + "id": "control-1511", + "title": "Performing backups", "parts": [ { - "id": "control-0731-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] }, { - "id": "control-0732", - "title": "Receiving and managing a dedicated cyber security budget", + "id": "control-1512", + "title": "Backup storage", "parts": [ { - "id": "control-0732-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." } ] }, { - "id": "control-0717", - "title": "Overseeing cyber security personnel", + "id": "control-1513", + "title": "Backup storage", "parts": [ { - "id": "control-0717-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "The CISO oversees the management of cyber security personnel within their organisation." + "prose": "Backups are stored at a multiple geographically-dispersed locations." } ] }, { - "id": "control-0735", - "title": "Overseeing cyber security awareness raising", - "parts": [ - { - "id": "control-0735-stmt", - "name": "statement", - "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." - } - ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ - { - "id": "control-1071", - "title": "System ownership and oversight", + "id": "control-1514", + "title": "Retention periods for backups", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "Each system has a designated system owner." 
+ "prose": "Backups are stored for three months or greater." } ] }, { - "id": "control-1525", - "title": "System ownership and oversight", + "id": "control-1515", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "System owners register each system with its authorising officer." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1633", - "title": "Protecting systems and their resources", + "id": "control-1516", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-1633-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." } ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-1634", - "title": "Protecting systems and their resources", + "id": "control-1211", + "title": "Change management process and procedures", "parts": [ { - "id": "control-1634-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "System owners select security controls for each system and tailor them to achieve desired security objectives." + "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." 
} ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-1635", - "title": "Protecting systems and their resources", + "id": "control-0042", + "title": "System administration process and procedures", "parts": [ { - "id": "control-1635-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "System owners implement identified security controls within each system and its operating environment." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." } ] }, { - "id": "control-1636", - "title": "Protecting systems and their resources", + "id": "control-1380", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1636-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "System owners ensure security controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended." + "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] }, { - "id": "control-0027", - "title": "Protecting systems and their resources", + "id": "control-1382", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation." + "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." 
} ] }, { - "id": "control-1526", - "title": "Protecting systems and their resources", + "id": "control-1381", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1526-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." } ] }, { - "id": "control-1587", - "title": "Annual reporting of system security status", + "id": "control-1383", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1587-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "System owners report the security status of each system to its authorising officer at least annually." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ - { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", - "controls": [ + }, { - "id": "control-1631", - "title": "Cyber supply chain risk management", + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", "parts": [ { - "id": "control-1631-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are identified and understood." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." 
} ] }, { - "id": "control-1452", - "title": "Cyber supply chain risk management", + "id": "control-1386", + "title": "Restriction of management traffic flows", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-1567", - "title": "Cyber supply chain risk management", + "id": "control-1387", + "title": "Jump servers", "parts": [ { - "id": "control-1567-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "Suppliers and service providers identified as high risk are not used." + "prose": "All administrative actions are conducted through a jump server." } ] }, { - "id": "control-1568", - "title": "Cyber supply chain risk management", + "id": "control-1388", + "title": "Jump servers", "parts": [ { - "id": "control-1568-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." 
} ] - }, + } + ] + }, + { + "id": "system_patching", + "title": "System patching", + "controls": [ { - "id": "control-1632", - "title": "Cyber supply chain risk management", + "id": "control-1143", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1632-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-1569", - "title": "Cyber supply chain risk management", + "id": "control-1493", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1569-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." } ] }, { - "id": "control-0100", - "title": "Outsourced gateway services", + "id": "control-1144", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0100-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." 
+ "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1637", - "title": "Outsourced cloud services", + "id": "control-0940", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1637-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "An outsourced cloud services register is maintained and regularly audited." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1638", - "title": "Outsourced cloud services", + "id": "control-1472", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1638-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "Outsourced cloud services registers contain the following for each outsourced cloud service:\n• cloud service provider’s name\n• cloud service’s name\n• purpose for using the cloud service\n• sensitivity or classification of information involved\n• due date for the next security assessment of the cloud service\n• point of contact for users of the cloud service\n• point of contact for the cloud service provider." + "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-1570", - "title": "Outsourced cloud services", + "id": "control-1494", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1570-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1529", - "title": "Outsourced cloud services", + "id": "control-1495", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "Only community or private clouds are used for outsourced cloud services." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1395", - "title": "Contractual security requirements", + "id": "control-1496", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1395-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." + "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-0072", - "title": "Contractual security requirements", + "id": "control-0300", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0072-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] }, { - "id": "control-1571", - "title": "Contractual security requirements", + "id": "control-0298", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1571-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-1451", - "title": "Contractual security requirements", + "id": "control-0303", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "Types of information and its ownership is documented in contractual arrangements." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1572", - "title": "Contractual security requirements", + "id": "control-1497", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1572-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1573", - "title": "Contractual security requirements", + "id": "control-1498", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1573-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." } ] }, { - "id": "control-1574", - "title": "Contractual security requirements", + "id": "control-1499", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1574-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1575", - "title": "Contractual security requirements", + "id": "control-1500", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1575-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1073", - "title": "Access to systems and information by service providers", + "id": "control-0304", + "title": "Cessation of support", "parts": [ { - "id": "control-1073-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] }, { - "id": "control-1576", - "title": "Access to systems and information by service providers", + "id": "control-1501", + "title": "Cessation of support", "parts": [ { - "id": "control-1576-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } 
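Review bot: the added prose for control-1513 in this hunk reads "Backups are stored at a multiple geographically-dispersed locations.", which is ungrammatical ("at a multiple"); if the generator copies control statements verbatim from the published ISM it should stay as the source has it, otherwise the wording should be fixed in the generator rather than by hand in the JSON, since the file is regenerated. More broadly, this hunk removes whole groups (the media sanitisation controls, "Guidelines for Cyber Security Roles" and "Guidelines for Outsourcing") and adds others in their place ("telephone_systems", "fax_machines_and_multifunction_devices", "guidelines_for_system_management") because the group order of the regenerated catalog changed; with a reorder of this size the diff cannot show whether any individual control statement changed, so consider emitting groups in a fixed order in the generator, or landing the ordering change as its own commit, so that a reviewer can diff the control text.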
diff --git a/ISM_catalog_profile/catalogs/ISM_May_2020/catalog.json b/ISM_catalog_profile/catalogs/ISM_May_2020/catalog.json index 996b5a9..4c50230 100644 --- a/ISM_catalog_profile/catalogs/ISM_May_2020/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_May_2020/catalog.json 
@@ -1,748 +1,731 @@ { "catalog": { - "uuid": "a55d071d-ebe5-4198-91b6-3189cca02c2c", + "uuid": "1a0d747a-19be-413d-b3d3-38e1998e91df", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:21:09.840+00:00", + "last-modified": "2022-04-28T11:45:12.904015+10:00", "version": "May_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration process and procedures", + "id": "control-0580", + "title": "Event logging policy", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "Separate administrator workstations", + "id": "control-1405", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1382", - "title": "Separate administrator workstations", + "id": "control-0988", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1381", - "title": "Separate administrator workstations", + "id": "control-0584", + "title": "Events to be logged", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1383", - "title": "Separate administrator workstations", + "id": "control-0582", + "title": "Events to be logged", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to external media\n• user or group management\n• use of special privileges." 
} ] }, { - "id": "control-1384", - "title": "Multi-factor authentication", + "id": "control-1536", + "title": "Events to be logged", "parts": [ { - "id": "control-1384-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate users each time they perform privileged actions." + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." } ] }, { - "id": "control-1385", - "title": "Dedicated administration zones and communication restrictions", + "id": "control-1537", + "title": "Events to be logged", "parts": [ { - "id": "control-1385-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." } ] }, { - "id": "control-1386", - "title": "Restriction of management traffic flows", + "id": "control-0585", + "title": "Events log details", "parts": [ { - "id": "control-1386-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-1387", - "title": "Jump servers", + "id": "control-0586", + "title": "Event log protection", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] }, { - "id": "control-1388", - "title": "Jump servers", + "id": "control-0859", + "title": "Event log retention", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management process and procedures", + "id": "control-0991", + "title": "Event log retention", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "Patch management process and procedures", + "id": "control-0109", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1493", - "title": "Patch management process and procedures", + "id": "control-1228", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1493-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media_management", + "title": "Guidelines for Media Management", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-1144", - "title": "When to patch security vulnerabilities", + "id": "control-0363", + "title": "Media destruction process and procedures", "parts": [ { - "id": "control-1144-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-0940", - "title": "When to patch security vulnerabilities", + "id": "control-0350", + "title": "Media that cannot be sanitised", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." 
} ] }, { - "id": "control-1472", - "title": "When to patch security vulnerabilities", + "id": "control-1361", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1472-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "SCEC or ASIO approved equipment is used when destroying media." } ] }, { - "id": "control-1494", - "title": "When to patch security vulnerabilities", + "id": "control-1160", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1494-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency or certified by the United Kingdom’s National Cyber Security Centre are used." } ] }, { - "id": "control-1495", - "title": "When to patch security vulnerabilities", + "id": "control-1517", + "title": "Media destruction methods", "parts": [ { - "id": "control-1495-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
+ "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." } ] }, { - "id": "control-1496", - "title": "When to patch security vulnerabilities", + "id": "control-0366", + "title": "Media destruction methods", "parts": [ { - "id": "control-1496-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." } ] }, { - "id": "control-0300", - "title": "When to patch security vulnerabilities", + "id": "control-0368", + "title": "Treatment of media waste particles", "parts": [ { - "id": "control-0300-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." } ] }, { - "id": "control-0298", - "title": "How to patch security vulnerabilities", + "id": "control-0361", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." 
} ] }, { - "id": "control-0303", - "title": "How to patch security vulnerabilities", + "id": "control-0838", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-0303-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." } ] }, { - "id": "control-1497", - "title": "How to patch security vulnerabilities", + "id": "control-0362", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1497-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." } ] }, { - "id": "control-1498", - "title": "How to patch security vulnerabilities", + "id": "control-0370", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1498-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." 
} ] }, { - "id": "control-1499", - "title": "How to patch security vulnerabilities", + "id": "control-0371", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." } ] }, { - "id": "control-1500", - "title": "How to patch security vulnerabilities", + "id": "control-0372", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1500-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-0304", - "title": "Cessation of support", + "id": "control-0373", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-0304-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." 
} ] }, { - "id": "control-1501", - "title": "Cessation of support", + "id": "control-0840", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1501-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." } ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ + }, { - "id": "control-1510", - "title": "Digital preservation policy", + "id": "control-0839", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1510-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." } ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-1547", - "title": "Data backup and restoration processes and procedures", + "id": "control-0374", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1547-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." 
} ] }, { - "id": "control-1548", - "title": "Data backup and restoration processes and procedures", + "id": "control-0375", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1548-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1511", - "title": "Performing backups", + "id": "control-0378", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1511-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." } ] - }, + } + ] + }, + { + "id": "media_usage", + "title": "Media usage", + "controls": [ { - "id": "control-1512", - "title": "Backup storage", + "id": "control-1549", + "title": "Media management policy", "parts": [ { - "id": "control-1512-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-1513", - "title": "Backup storage", + "id": "control-1359", + "title": "Removable media usage policy", "parts": [ { - "id": "control-1513-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." + "prose": "A removable media usage policy is developed and implemented." 
} ] }, { - "id": "control-1514", - "title": "Retention periods for backups", + "id": "control-0323", + "title": "Classifying media storing information", "parts": [ { - "id": "control-1514-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." } ] }, { - "id": "control-1515", - "title": "Testing restoration of backups", + "id": "control-0325", + "title": "Classifying media connected to systems", "parts": [ { - "id": "control-1515-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-1516", - "title": "Testing restoration of backups", + "id": "control-0331", + "title": "Reclassifying media", "parts": [ { - "id": "control-1516-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email_management", - "title": "Guidelines for Email Management", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage policy", + "id": "control-0330", + "title": "Reclassifying media", "parts": [ { - "id": "control-0264-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." } ] }, { - "id": "control-0267", - "title": "Webmail services", + "id": "control-0332", + "title": "Labelling media", "parts": [ { - "id": "control-0267-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-0270", - "title": "Protective markings for emails", + "id": "control-0337", + "title": "Connecting media to systems", "parts": [ { - "id": "control-0270-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." 
} ] }, { - "id": "control-0271", - "title": "Protective marking tools", + "id": "control-0341", + "title": "Connecting media to systems", "parts": [ { - "id": "control-0271-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." } ] }, { - "id": "control-0272", - "title": "Protective marking tools", + "id": "control-0342", + "title": "Connecting media to systems", "parts": [ { - "id": "control-0272-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-1089", - "title": "Protective marking tools", + "id": "control-0343", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1089-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-0565", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-0345", + "title": "External interface connections that allow Direct Memory Access", "parts": [ { - "id": "control-0565-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." 
+ "prose": "External interface connections that allow DMA are disabled." } ] }, { - "id": "control-1023", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-0831", + "title": "Handling media", "parts": [ { - "id": "control-1023-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." } ] }, { - "id": "control-0269", - "title": "Email distribution lists", + "id": "control-1059", + "title": "Handling media", "parts": [ { - "id": "control-0269-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "Emails containing AUSTEO or AGAO information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1539", - "title": "Email distribution lists", + "id": "control-0347", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1539-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." 
} ] } ] }, { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", + "id": "media_sanitisation", + "title": "Media sanitisation", "controls": [ { - "id": "control-0569", - "title": "Centralised email gateways", + "id": "control-0348", + "title": "Media sanitisation process and procedures", "parts": [ { - "id": "control-0569-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0571", - "title": "Centralised email gateways", + "id": "control-0351", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-0571-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0570", - "title": "Email gateway maintenance activities", + "id": "control-0352", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-0570-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." 
} ] }, { - "id": "control-0567", - "title": "Open relay email servers", + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", "parts": [ { - "id": "control-0567-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-0572", - "title": "Email server transport encryption", + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-0572-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." + "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-0574", - "title": "Sender Policy Framework", + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-0574-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." + "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1183", - "title": "Sender Policy Framework", + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1183-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." } ] }, { - "id": "control-1151", - "title": "Sender Policy Framework", - "parts": [ - { - "id": "control-1151-stmt", - "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." - } - ] - }, - { - "id": "control-1152", - "title": "Sender Policy Framework", + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", "parts": [ { - "id": "control-1152-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-0861", - "title": "DomainKeys Identified Mail", + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-0861-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1026", - "title": "DomainKeys Identified Mail", + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1026-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." + "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1027", - "title": "DomainKeys Identified Mail", + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", "parts": [ { - "id": "control-1027-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-1540", - "title": "Domain-based Message Authentication, Reporting and Conformance", + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", "parts": [ { - "id": "control-1540-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1234", - "title": "Email content filtering", + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", "parts": [ { - "id": "control-1234-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." } ] }, { - "id": "control-1502", - "title": "Blocking suspicious emails", + "id": "control-0947", + "title": "Sanitising media prior to reuse", "parts": [ { - "id": "control-1502-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "All media is sanitised prior to reuse." } ] }, { - "id": "control-1024", - "title": "Undeliverable messages", + "id": "control-1464", + "title": "Encrypted media", "parts": [ { - "id": "control-1024-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." + "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." } ] } 
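Review bot: a line diff cannot show whether any `title` or `prose` value actually changed in this hunk, because it is a relocation rather than an edit: the email controls on the `-` side (control-1183, 1151, 1152, 0861, 1026, 1027, 1540, 1234, 1502, 1024) are replaced by media sanitisation controls (control-1067, 0356, 0357, 0836, 0358, 0359, 0360, 0947, 1464) that are themselves deleted from the Media sanitisation group further down the same file. Suggest verifying the regeneration structurally rather than by eye, for example by loading both versions of catalog.json, flattening each to a map of control id to (title, prose) and diffing the two maps, and stating in the PR description that the generator now emits the groups in a different order so that later reviewers do not re-read 7000 moved lines looking for a wording change.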
@@ -751,3841 +734,3834 @@ ] }, { - "id": "guidelines_for_media_management", - "title": "Guidelines for Media Management", + "id": "guidelines_for_ict_equipment_management", + "title": "Guidelines for ICT Equipment Management", "groups": [ { - "id": "media_destruction", - "title": "Media destruction", + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", "controls": [ { - "id": "control-0363", - "title": "Media destruction process and procedures", + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0363-stmt", + "id": "control-0313-stmt", "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0350", - "title": "Media that cannot be sanitised", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0350-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-1361", - "title": "Media destruction equipment", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1361-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." 
+ "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." } ] }, { - "id": "control-1160", - "title": "Media destruction equipment", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1160-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency or certified by the United Kingdom’s National Cyber Security Centre are used." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." } ] }, { - "id": "control-1517", - "title": "Media destruction methods", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1517-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." 
} ] }, { - "id": "control-0366", - "title": "Media destruction methods", + "id": "control-0315", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-0368", - "title": "Treatment of media waste particles", + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-0368-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." } ] }, { - "id": "control-0361", - "title": "Degaussing magnetic media", + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-0361-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." 
} ] }, { - "id": "control-0838", - "title": "Degaussing magnetic media", + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0838-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." } ] }, { - "id": "control-0362", - "title": "Degaussing magnetic media", + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0362-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." } ] }, { - "id": "control-0370", - "title": "Supervision of destruction", + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0370-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." 
} ] }, { - "id": "control-0371", - "title": "Supervision of destruction", + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0371-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-0372", - "title": "Supervision of accountable material destruction", + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." + "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." } ] }, { - "id": "control-0373", - "title": "Supervision of accountable material destruction", + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0373-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." 
} ] }, { - "id": "control-0840", - "title": "Outsourcing media destruction", + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-0839", - "title": "Outsourcing media destruction", + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0839-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." } ] - } - ] - }, - { - "id": "media_usage", - "title": "Media usage", - "controls": [ + }, { - "id": "control-1549", - "title": "Media management policy", + "id": "control-1223", + "title": "Sanitising network devices", "parts": [ { - "id": "control-1549-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." 
} ] }, { - "id": "control-1359", - "title": "Removable media usage policy", + "id": "control-1225", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1359-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-0323", - "title": "Classifying media storing information", + "id": "control-1226", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-0323-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-0325", - "title": "Classifying media connected to systems", + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", "parts": [ { - "id": "control-0325-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." 
} ] }, { - "id": "control-0331", - "title": "Reclassifying media", + "id": "control-0305", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0331-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." } ] }, { - "id": "control-0330", - "title": "Reclassifying media", + "id": "control-0307", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0330-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-0332", - "title": "Labelling media", + "id": "control-0306", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0332-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
+ "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." } ] }, { - "id": "control-0337", - "title": "Connecting media to systems", + "id": "control-0310", + "title": "Off-site maintenance and repairs", "parts": [ { - "id": "control-0337-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] }, { - "id": "control-0341", - "title": "Connecting media to systems", + "id": "control-0944", + "title": "Maintenance and repair of ICT equipment from secured spaces", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." + "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ { - "id": "control-0342", - "title": "Connecting media to systems", + "id": "control-1551", + "title": "ICT equipment management policy", "parts": [ { - "id": "control-0342-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-0343", - "title": "Connecting media to systems", + "id": "control-0293", + "title": "Classifying ICT equipment", "parts": [ { - "id": "control-0343-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." } ] }, { - "id": "control-0345", - "title": "External interface connections that allow Direct Memory Access", + "id": "control-0294", + "title": "Labelling ICT equipment", "parts": [ { - "id": "control-0345-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "External interface connections that allow DMA are disabled." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-0831", - "title": "Handling media", + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
+ "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateway_management", + "title": "Guidelines for Gateway Management", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-1059", - "title": "Handling media", + "id": "control-1528", + "title": "Using firewalls", "parts": [ { - "id": "control-1059-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0347", - "title": "Using media for data transfers", + "id": "control-0639", + "title": "Using firewalls", "parts": [ { - "id": "control-0347-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] - } - ] - }, - { - "id": "media_disposal", - "title": "Media disposal", - "controls": [ + }, { - "id": "control-0374", - "title": "Media disposal process and procedures", + "id": "control-1194", + "title": "Using firewalls", "parts": [ { - "id": "control-0374-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." + "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." 
} ] }, { - "id": "control-0375", - "title": "Media disposal process and procedures", + "id": "control-0641", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." } ] }, { - "id": "control-0378", - "title": "Media disposal process and procedures", + "id": "control-0642", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-0378-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." } ] } ] }, { - "id": "media_sanitisation", - "title": "Media sanitisation", + "id": "diodes", + "title": "Diodes", "controls": [ { - "id": "control-0348", - "title": "Media sanitisation process and procedures", + "id": "control-0643", + "title": "Using diodes", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." 
} ] }, { - "id": "control-0351", - "title": "Volatile media sanitisation", + "id": "control-0645", + "title": "Using diodes", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." } ] }, { - "id": "control-0352", - "title": "Volatile media sanitisation", + "id": "control-1157", + "title": "Using diodes", "parts": [ { - "id": "control-0352-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." } ] }, { - "id": "control-0835", - "title": "Treatment of volatile media following sanitisation", + "id": "control-1158", + "title": "Using diodes", "parts": [ { - "id": "control-0835-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." 
} ] }, { - "id": "control-1065", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0646", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-1065-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-0354", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0647", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0354-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-1067", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0648", + "title": "Volume checking", "parts": [ { - "id": "control-1067-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." 
} ] - }, + } + ] + }, + { + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", + "controls": [ { - "id": "control-0356", - "title": "Treatment of non-volatile magnetic media following sanitisation", + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", "parts": [ { - "id": "control-0356-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-0357", - "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0357-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0836", - "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0836-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." 
+ "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0358", - "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "id": "control-0635", + "title": "Separation of data flows", "parts": [ { - "id": "control-0358-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-0359", - "title": "Non-volatile flash memory media sanitisation", + "id": "control-1521", + "title": "Separation of data flows", "parts": [ { - "id": "control-0359-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." } ] }, { - "id": "control-0360", - "title": "Treatment of non-volatile flash memory media following sanitisation", - "parts": [ + "id": "control-1522", + "title": "Separation of data flows", + "parts": [ { - "id": "control-0360-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." 
} ] }, { - "id": "control-0947", - "title": "Sanitising media prior to reuse", + "id": "control-0670", + "title": "Event logging", "parts": [ { - "id": "control-0947-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "All media is sanitised prior to reuse." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." } ] }, { - "id": "control-1464", - "title": "Encrypted media", + "id": "control-1523", + "title": "Event logging", "parts": [ { - "id": "control-1464-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." + } + ] + }, + { + "id": "control-0610", + "title": "User training", + "parts": [ + { + "id": "control-0610-stmt", + "name": "statement", + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." } ] } ] - } - ] - }, - { - "id": "guidelines_for_using_cryptography", - "title": "Guidelines for Using Cryptography", - "groups": [ + }, { - "id": "transport_layer_security", - "title": "Transport Layer Security", + "id": "peripheral_switches", + "title": "Peripheral switches", "controls": [ { - "id": "control-1139", - "title": "Using Transport Layer Security", + "id": "control-0591", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1139-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "Only the latest version of TLS is used." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." 
} ] }, { - "id": "control-1369", - "title": "Using Transport Layer Security", + "id": "control-1480", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1369-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." + "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-1370", - "title": "Using Transport Layer Security", + "id": "control-1457", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1370-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." } ] }, { - "id": "control-1372", - "title": "Using Transport Layer Security", + "id": "control-0593", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1372-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-1448", - "title": "Using Transport Layer Security", + "id": "control-0594", + "title": "Peripheral switches for particularly important systems", "parts": [ { - "id": "control-1448-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." 
} ] - }, + } + ] + }, + { + "id": "web_content_and_connections", + "title": "Web content and connections", + "controls": [ { - "id": "control-1373", - "title": "Using Transport Layer Security", + "id": "control-0258", + "title": "Web usage policy", "parts": [ { - "id": "control-1373-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "Anonymous DH is not used." + "prose": "A web usage policy is developed and implemented." } ] }, { - "id": "control-1374", - "title": "Using Transport Layer Security", + "id": "control-0260", + "title": "Web proxies", "parts": [ { - "id": "control-1374-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-1375", - "title": "Using Transport Layer Security", + "id": "control-0261", + "title": "Web proxies", "parts": [ { - "id": "control-1375-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." } ] }, { - "id": "control-1553", - "title": "Using Transport Layer Security", + "id": "control-0263", + "title": "Transport Layer Security filtering", "parts": [ { - "id": "control-1553-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "TLS compression is disabled." 
+ "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." } ] }, { - "id": "control-1453", - "title": "Perfect Forward Secrecy", + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", "parts": [ { - "id": "control-1453-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", - "controls": [ + }, { - "id": "control-0471", - "title": "Using ASD Approved Cryptographic Algorithms", + "id": "control-0958", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0471-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "If using cryptographic equipment or software that implements an AACA, only AACAs can be used." + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-0994", - "title": "Approved asymmetric/public key algorithms", + "id": "control-1170", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0994-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." 
} ] }, { - "id": "control-0472", - "title": "Using Diffie-Hellman", + "id": "control-0959", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0472-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." } ] }, { - "id": "control-0473", - "title": "Using the Digital Signature Algorithm", + "id": "control-0960", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0473-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." } ] }, { - "id": "control-1446", - "title": "Using Elliptic Curve Cryptography", + "id": "control-1171", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1446-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0474", - "title": "Using Elliptic Curve Diffie-Hellman", + "id": "control-1236", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0474-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." 
} ] }, { - "id": "control-0475", - "title": "Using the Elliptic Curve Digital Signature Algorithm", + "id": "control-0963", + "title": "Web content filter", "parts": [ { - "id": "control-0475-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "A web content filter is used to filter potentially harmful web-based content." } ] }, { - "id": "control-0476", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0961", + "title": "Web content filter", "parts": [ { - "id": "control-0476-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." } ] }, { - "id": "control-0477", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-1237", + "title": "Web content filter", "parts": [ { - "id": "control-0477-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] - }, + } + ] + }, + { + "id": "gateways", + "title": "Gateways", + "controls": [ { - "id": "control-1054", - "title": "Approved hashing algorithms", + "id": "control-0628", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-1054-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." 
+ "prose": "All systems are protected from systems in other security domains by one or more gateways." } ] }, { - "id": "control-0479", - "title": "Approved symmetric encryption algorithms", + "id": "control-1192", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0479-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] }, { - "id": "control-0480", - "title": "Using the Triple Data Encryption Standard", + "id": "control-0631", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0480-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• are protected by authentication, logging and auditing of all physical and logical access to gateway components\n• have all security controls tested to verify their effectiveness after any changes to their configuration." } ] }, { - "id": "control-1232", - "title": "Protecting highly classified information", + "id": "control-1427", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." 
} ] }, { - "id": "control-1468", - "title": "Protecting highly classified information", + "id": "control-0634", + "title": "Gateway operation", "parts": [ { - "id": "control-1468-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." + "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." } ] - } - ] - }, - { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", - "controls": [ + }, { - "id": "control-0501", - "title": "Commercial grade cryptographic equipment", + "id": "control-0637", + "title": "Demilitarised zones", "parts": [ { - "id": "control-0501-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-0142", - "title": "Commercial grade cryptographic equipment", + "id": "control-1037", + "title": "Gateway testing", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." 
+ "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-1091", - "title": "Commercial grade cryptographic equipment", + "id": "control-0611", + "title": "Gateway administration", "parts": [ { - "id": "control-1091-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." } ] }, { - "id": "control-0499", - "title": "High Assurance Cryptographic Equipment", + "id": "control-0612", + "title": "Gateway administration", "parts": [ { - "id": "control-0499-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "System administrators are formally trained to manage gateways." } ] }, { - "id": "control-0505", - "title": "Storing cryptographic equipment", + "id": "control-1520", + "title": "Gateway administration", "parts": [ { - "id": "control-0505-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." 
} ] }, { - "id": "control-0506", - "title": "Storing cryptographic equipment", + "id": "control-0613", + "title": "Gateway administration", "parts": [ { - "id": "control-0506-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." } ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Configuring Secure Shell", + "id": "control-0616", + "title": "Gateway administration", "parts": [ { - "id": "control-1506-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "Roles for the administration of gateways are separated." } ] }, { - "id": "control-0484", - "title": "Configuring Secure Shell", + "id": "control-0629", + "title": "Gateway administration", "parts": [ { - "id": "control-0484-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-0485", - "title": "Authentication mechanisms", + "id": "control-0607", + "title": "Shared ownership of gateways", "parts": [ { - "id": "control-0485-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." 
} ] }, { - "id": "control-1449", - "title": "Authentication mechanisms", + "id": "control-0619", + "title": "Gateway authentication", "parts": [ { - "id": "control-1449-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." + "prose": "Users and services accessing networks through gateways are authenticated." } ] }, { - "id": "control-0487", - "title": "Automated remote access", + "id": "control-0620", + "title": "Gateway authentication", "parts": [ { - "id": "control-0487-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-0488", - "title": "Automated remote access", + "id": "control-1039", + "title": "Gateway authentication", "parts": [ { - "id": "control-0488-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "Multi-factor authentication is used for access to gateways." } ] }, { - "id": "control-0489", - "title": "SSH-agent", + "id": "control-0622", + "title": "ICT equipment authentication", "parts": [ { - "id": "control-0489-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." 
+ "prose": "ICT equipment accessing networks through gateways is authenticated." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", "controls": [ { - "id": "control-0481", - "title": "Using ASD Approved Cryptographic Protocols", + "id": "control-0336", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0481-stmt", + "id": "control-0336-stmt", "name": "statement", - "prose": "If using cryptographic equipment or software that implements an AACP, only AACAs can be used." + "prose": "An ICT equipment and media register is maintained and regularly audited." } ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Using Secure/Multipurpose Internet Mail Extension", + "id": "control-0159", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0490-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "All ICT equipment and media are accounted for on a regular basis." + } + ] + }, + { + "id": "control-0161", + "title": "Securing ICT equipment and media", + "parts": [ + { + "id": "control-0161-stmt", + "name": "statement", + "prose": "ICT equipment and media are secured when not in use." 
} ] } ] }, { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", + "id": "facilities_and_systems", + "title": "Facilities and systems", "controls": [ { - "id": "control-1161", - "title": "Reducing physical storage and handling requirements", + "id": "control-0810", + "title": "Facilities containing systems", "parts": [ { - "id": "control-1161-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." } ] }, { - "id": "control-0457", - "title": "Reducing physical storage and handling requirements", + "id": "control-1053", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0457-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." 
} ] }, { - "id": "control-0460", - "title": "Reducing physical storage and handling requirements", + "id": "control-1530", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0460-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." + "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." } ] }, { - "id": "control-0459", - "title": "Encrypting information at rest", + "id": "control-0813", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0459-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0461", - "title": "Encrypting information at rest", + "id": "control-1074", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." 
} ] }, { - "id": "control-1080", - "title": "Encrypting particularly important information at rest", + "id": "control-0157", + "title": "Network infrastructure", "parts": [ { - "id": "control-1080-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." } ] }, { - "id": "control-0455", - "title": "Data recovery", + "id": "control-1296", + "title": "Controlling physical access to network devices", "parts": [ { - "id": "control-0455-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." } ] }, { - "id": "control-0462", - "title": "Handling encrypted ICT equipment and media", + "id": "control-0164", + "title": "Preventing observation by unauthorised people", "parts": [ { - "id": "control-0462-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." 
} ] - }, + } + ] + }, + { + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", + "controls": [ { - "id": "control-1162", - "title": "Encrypting information in transit", + "id": "control-1543", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-1162-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." } ] }, { - "id": "control-0465", - "title": "Encrypting information in transit", + "id": "control-0225", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0465-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-0467", - "title": "Encrypting information in transit", + "id": "control-0829", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0467-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." 
} ] }, { - "id": "control-0469", - "title": "Encrypting particularly important information in transit", + "id": "control-1058", + "title": "Bluetooth and wireless keyboards", "parts": [ { - "id": "control-0469-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." + "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." } ] - } - ] - }, - { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", - "controls": [ + }, { - "id": "control-0494", - "title": "Mode of operation", + "id": "control-0222", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0494-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-0496", - "title": "Protocol selection", + "id": "control-0223", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0496-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." 
} ] }, { - "id": "control-1233", - "title": "Key exchange", + "id": "control-0224", + "title": "Infrared keyboards", "parts": [ { - "id": "control-1233-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." } ] }, { - "id": "control-0497", - "title": "Internet Security Association Key Management Protocol modes", + "id": "control-0221", + "title": "Wireless RF pointing devices", "parts": [ { - "id": "control-0497-stmt", + "id": "control-0221-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ + { + "id": "mobile_device_management", + "title": "Mobile device management", + "controls": [ { - "id": "control-0498", - "title": "Security association lifetimes", + "id": "control-1533", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0498-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "A mobile device management policy is developed and implemented." 
} ] }, { - "id": "control-0998", - "title": "Hashed Message Authentication Code algorithms", + "id": "control-1195", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0998-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." } ] }, { - "id": "control-0999", - "title": "Diffie-Hellman groups", + "id": "control-0687", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0999-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-1000", - "title": "Perfect Forward Secrecy", + "id": "control-1400", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1000-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." } ] }, { - "id": "control-1001", - "title": "Internet Key Exchange Extended Authentication", + "id": "control-0694", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1001-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "Privately-owned mobile devices do not access highly classified systems." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", - "groups": [ - { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", - "controls": [ + }, { - "id": "control-0280", - "title": "Evaluated product selection", + "id": "control-1297", + "title": "Seeking legal advice for privately-owned mobile devices", "parts": [ { - "id": "control-0280-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "Prior to allowing privately-owned mobile devices to connect to an organisation’s systems, legal advice is sought." } ] }, { - "id": "control-0285", - "title": "Delivery of evaluated products", + "id": "control-1482", + "title": "Organisation-owned mobile devices", "parts": [ { - "id": "control-0285-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." + "prose": "Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] }, { - "id": "control-0286", - "title": "Delivery of evaluated products", + "id": "control-0869", + "title": "Mobile device storage encryption", "parts": [ { - "id": "control-0286-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] - } - ] - }, - { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", - "controls": [ + }, { - "id": "control-0289", - "title": "Installation and configuration of evaluated products", + "id": "control-1085", + "title": "Mobile device communications encryption", "parts": [ { - "id": "control-0289-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-0290", - "title": "Installation and configuration of evaluated products", + "id": "control-1202", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0290-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] }, { - "id": "control-0292", - "title": "Use of high assurance ICT equipment in unevaluated configurations", + "id": "control-0682", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0292-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", - "groups": [ - { - "id": "web_application_development", - "title": "Web application development", - "controls": [ + }, { - "id": "control-1239", - "title": "Web application frameworks", + "id": "control-1196", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1239-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-1552", - "title": "Web application interactions", + "id": "control-1200", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-1240", - "title": "Web application input handling", + "id": "control-1198", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1240-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." } ] }, { - "id": "control-1241", - "title": "Web application output encoding", + "id": "control-1199", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." 
+ "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." } ] }, { - "id": "control-1424", - "title": "Web browser-based security controls", + "id": "control-0863", + "title": "Configuration control", "parts": [ { - "id": "control-1424-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-0971", - "title": "Open Web Application Security Project", + "id": "control-0864", + "title": "Configuration control", "parts": [ { - "id": "control-0971-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] - } - ] - }, - { - "id": "application_development", - "title": "Application development", - "controls": [ + }, { - "id": "control-0400", - "title": "Development environments", + "id": "control-1365", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-0400-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "Software development, testing and production environments are segregated." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] }, { - "id": "control-1419", - "title": "Development environments", + "id": "control-1366", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." 
+ "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." } ] }, { - "id": "control-1420", - "title": "Development environments", + "id": "control-0874", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-1420-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-1422", - "title": "Development environments", + "id": "control-0705", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-1422-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." } ] - }, + } + ] + }, + { + "id": "mobile_device_usage", + "title": "Mobile device usage", + "controls": [ { - "id": "control-1238", - "title": "Secure software design", + "id": "control-1082", + "title": "Mobile device usage policy", "parts": [ { - "id": "control-1238-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "A mobile device usage policy is developed and implemented." 
} ] }, { - "id": "control-0401", - "title": "Secure programming practices", + "id": "control-1083", + "title": "Personnel awareness", "parts": [ { - "id": "control-0401-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0402", - "title": "Software testing", + "id": "control-0240", + "title": "Paging and message services", "parts": [ { - "id": "control-0402-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ + }, { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "id": "control-0866", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-1562-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." 
+ "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." } ] }, { - "id": "control-0546", - "title": "Video and voice-aware firewalls", + "id": "control-1145", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0546-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-0547", - "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "id": "control-0871", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0547-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-0548", - "title": "Establishment of secure signalling and data protocols", + "id": "control-0870", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0548-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." 
} ] }, { - "id": "control-0554", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1084", + "title": "Carrying mobile devices", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." } ] }, { - "id": "control-0553", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-0701", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0553-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0555", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-0702", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0555-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." 
+ "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." } ] }, { - "id": "control-0551", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." } ] }, { - "id": "control-1014", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1014-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." 
} ] }, { - "id": "control-0549", - "title": "Traffic separation", + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0549-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." } ] }, { - "id": "control-0556", - "title": "Traffic separation", + "id": "control-1299", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." 
+ "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." } ] }, { - "id": "control-1015", - "title": "Internet Protocol phones in public areas", + "id": "control-1088", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-1015-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." 
+ "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." } ] }, { - "id": "control-0558", - "title": "Internet Protocol phones in public areas", + "id": "control-1300", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-0559", - "title": "Microphones and webcams", + "id": "control-1556", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ + { + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", + "controls": [ + { + "id": "control-0280", + "title": "Evaluated product selection", + "parts": [ + { + "id": "control-0280-stmt", + "name": "statement", + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." } ] }, { - "id": "control-1450", - "title": "Microphones and webcams", + "id": "control-0285", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1450-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." } ] }, { - "id": "control-1019", - "title": "Developing a denial of service response plan", + "id": "control-0286", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1019-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." 
} ] } ] }, { - "id": "telephone_systems", - "title": "Telephone systems", + "id": "evaluated_product_usage", + "title": "Evaluated product usage", "controls": [ { - "id": "control-1078", - "title": "Telephone systems usage policy", + "id": "control-0289", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-1078-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." } ] }, { - "id": "control-0229", - "title": "Personnel awareness", + "id": "control-0290", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0229-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." } ] }, { - "id": "control-0230", - "title": "Personnel awareness", + "id": "control-0292", + "title": "Use of high assurance ICT equipment in unevaluated configurations", "parts": [ { - "id": "control-0230-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "High assurance ICT equipment is only operated in an evaluated configuration." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_data_transfers_and_content_filtering", + "title": "Guidelines for Data Transfers and Content Filtering", + "groups": [ + { + "id": "content_filtering", + "title": "Content filtering", + "controls": [ + { + "id": "control-0659", + "title": "Content filtering", + "parts": [ + { + "id": "control-0659-stmt", + "name": "statement", + "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." } ] }, { - "id": "control-0231", - "title": "Visual indication", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." } ] }, { - "id": "control-0232", - "title": "Protecting conversations", + "id": "control-0651", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0232-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." } ] }, { - "id": "control-0233", - "title": "Cordless telephone systems", + "id": "control-0652", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0233-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." 
+ "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." } ] }, { - "id": "control-0235", - "title": "Speakerphones", + "id": "control-1389", + "title": "Automated dynamic analysis", "parts": [ { - "id": "control-0235-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] }, { - "id": "control-0236", - "title": "Off-hook audio protection", + "id": "control-1284", + "title": "Content validation", "parts": [ { - "id": "control-0236-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." } ] }, { - "id": "control-0931", - "title": "Off-hook audio protection", + "id": "control-1286", + "title": "Content conversion and transformation", "parts": [ { - "id": "control-0931-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." 
} ] }, { - "id": "control-0237", - "title": "Off-hook audio protection", + "id": "control-1287", + "title": "Content sanitisation", "parts": [ { - "id": "control-0237-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." } ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ + }, { - "id": "control-0588", - "title": "Fax machine and multifunction device usage policy", + "id": "control-1288", + "title": "Antivirus scanning", "parts": [ { - "id": "control-0588-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] }, { - "id": "control-1092", - "title": "Sending fax messages", + "id": "control-1289", + "title": "Archive and container files", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-0241", - "title": "Sending fax messages", + "id": "control-1290", + "title": "Archive and container files", "parts": [ { - "id": "control-0241-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." 
+ "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-1075", - "title": "Receiving fax messages", + "id": "control-1291", + "title": "Archive and container files", "parts": [ { - "id": "control-1075-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." } ] }, { - "id": "control-0590", - "title": "Connecting multifunction devices to networks", + "id": "control-0649", + "title": "Allowing access to specific content types", "parts": [ { - "id": "control-0590-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-0245", - "title": "Connecting multifunction devices to both networks and digital telephone systems", + "id": "control-1292", + "title": "Data integrity", "parts": [ { - "id": "control-0245-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." 
} ] }, { - "id": "control-0589", - "title": "Copying documents on multifunction devices", + "id": "control-0677", + "title": "Data integrity", "parts": [ { - "id": "control-0589-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "If data is signed, the signature is validated before the data is exported." } ] }, { - "id": "control-1036", - "title": "Observing fax machine and multifunction device use", + "id": "control-1293", + "title": "Encrypted data", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] } ] - } - ] - }, - { - "id": "guidelines_for_gateway_management", - "title": "Guidelines for Gateway Management", - "groups": [ + }, { - "id": "firewalls", - "title": "Firewalls", + "id": "data_transfers", + "title": "Data transfers", "controls": [ { - "id": "control-1528", - "title": "Using firewalls", + "id": "control-0663", + "title": "Data transfer process and procedures", "parts": [ { - "id": "control-1528-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-0639", - "title": "Using firewalls", + "id": "control-0661", + "title": "User responsibilities", "parts": [ { - "id": "control-0639-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." 
+ "prose": "Users transferring data to and from a system are held accountable for the data they transfer." } ] }, { - "id": "control-1194", - "title": "Using firewalls", + "id": "control-0665", + "title": "Trusted sources", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "Trusted sources are a strictly limited number of personnel that have been authorised as such by an organisation’s CISO." } ] }, { - "id": "control-0641", - "title": "Firewalls for particularly important networks", + "id": "control-0675", + "title": "Trusted sources", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "A trusted source makes an informed decision to sign all data authorised for export from a security domain." } ] }, { - "id": "control-0642", - "title": "Firewalls for particularly important networks", + "id": "control-0664", + "title": "Data transfer approval", "parts": [ { - "id": "control-0642-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." 
} ] - } - ] - }, - { - "id": "gateways", - "title": "Gateways", - "controls": [ + }, { - "id": "control-0628", - "title": "Gateway architecture and configuration", + "id": "control-0657", + "title": "Import of data", "parts": [ { - "id": "control-0628-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." + "prose": "Data imported to a system is scanned for malicious and active content." } ] }, { - "id": "control-1192", - "title": "Gateway architecture and configuration", + "id": "control-0658", + "title": "Import of data", "parts": [ { - "id": "control-1192-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." } ] }, { - "id": "control-0631", - "title": "Gateway architecture and configuration", + "id": "control-1187", + "title": "Export of data", "parts": [ { - "id": "control-0631-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• are protected by authentication, logging and auditing of all physical and logical access to gateway components\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "When exporting data, protective marking checks are undertaken." 
} ] }, { - "id": "control-1427", - "title": "Gateway architecture and configuration", + "id": "control-0669", + "title": "Export of data", "parts": [ { - "id": "control-1427-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." } ] }, { - "id": "control-0634", - "title": "Gateway operation", + "id": "control-1535", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-0634-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-0637", - "title": "Demilitarised zones", + "id": "control-0678", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-0637-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." 
+ "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." } ] }, { - "id": "control-1037", - "title": "Gateway testing", + "id": "control-0667", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1037-stmt", + "id": "control-0667-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + "prose": "Data exported from each security domain, including through a gateway, is only permitted once the classification has been assessed including a protective marking check." } ] }, { - "id": "control-0611", - "title": "Gateway administration", + "id": "control-0660", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0611-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "When importing data to each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." } ] }, { - "id": "control-0612", - "title": "Gateway administration", + "id": "control-0673", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0612-stmt", + "id": "control-0673-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "When exporting data out of each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." 
} ] }, { - "id": "control-1520", - "title": "Gateway administration", + "id": "control-1294", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1520-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "When importing content to a security domain, including through a gateway, monthly audits of the imported content are performed." } ] }, { - "id": "control-0613", - "title": "Gateway administration", + "id": "control-1295", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0613-stmt", + "id": "control-1295-stmt", "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." + "prose": "When exporting content out of a security domain, including through a gateway, monthly audits of the exported content are performed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ + { + "id": "emanation_security", + "title": "Emanation security", + "controls": [ { - "id": "control-0616", - "title": "Gateway administration", + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0616-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "Roles for the administration of gateways are separated." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-0629", - "title": "Gateway administration", + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0629-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0607", - "title": "Shared ownership of gateways", + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0607-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0619", - "title": "Gateway authentication", + "id": "control-0932", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0619-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." 
} ] }, { - "id": "control-0620", - "title": "Gateway authentication", + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0620-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1039", - "title": "Gateway authentication", + "id": "control-0246", + "title": "Early identification of emanation security issues", "parts": [ { - "id": "control-1039-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." } ] }, { - "id": "control-0622", - "title": "ICT equipment authentication", + "id": "control-0250", + "title": "Industry and government standards", "parts": [ { - "id": "control-0622-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." 
} ] } ] }, { - "id": "diodes", - "title": "Diodes", + "id": "cable_management", + "title": "Cable management", "controls": [ { - "id": "control-0643", - "title": "Using diodes", + "id": "control-0181", + "title": "Cable standards", "parts": [ { - "id": "control-0643-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." + "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." } ] }, { - "id": "control-0645", - "title": "Using diodes", + "id": "control-0926", + "title": "Cable colours", "parts": [ { - "id": "control-0645-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." + "prose": "The cable colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1157", - "title": "Using diodes", + "id": "control-0825", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-1157-stmt", + "id": "control-0825-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." + "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." 
} ] }, { - "id": "control-1158", - "title": "Using diodes", + "id": "control-0826", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-1158-stmt", + "id": "control-0826-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." } ] }, { - "id": "control-0646", - "title": "Diodes for particularly important networks", + "id": "control-1215", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-0646-stmt", + "id": "control-1215-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." } ] }, { - "id": "control-0647", - "title": "Diodes for particularly important networks", + "id": "control-1216", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-0647-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." } ] }, { - "id": "control-0648", - "title": "Volume checking", + "id": "control-1112", + "title": "Inspecting cables", "parts": [ { - "id": "control-0648-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." 
+ "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] - } - ] - }, - { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", - "controls": [ + }, { - "id": "control-0626", - "title": "When to implement a Cross Domain Solution", + "id": "control-1118", + "title": "Inspecting cables", "parts": [ { - "id": "control-0626-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-0597", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1119", + "title": "Inspecting cables", "parts": [ { - "id": "control-0597-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-0627", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1126", + "title": "Inspecting cables", "parts": [ { - "id": "control-0627-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." 
} ] }, { - "id": "control-0635", - "title": "Separation of data flows", + "id": "control-0184", + "title": "Inspecting cables", "parts": [ { - "id": "control-0635-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1521", - "title": "Separation of data flows", + "id": "control-0187", + "title": "Cable groupings", "parts": [ { - "id": "control-1521-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1522", - "title": "Separation of data flows", + "id": "control-1111", + "title": "Use of fibre-optic cables", "parts": [ { - "id": "control-1522-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." + "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." } ] }, { - "id": "control-0670", - "title": "Event logging", + "id": "control-0189", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." 
} ] }, { - "id": "control-1523", - "title": "Event logging", + "id": "control-0190", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1523-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." + "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." } ] }, { - "id": "control-0610", - "title": "User training", + "id": "control-1114", + "title": "Cables sharing a common reticulation system", "parts": [ { - "id": "control-0610-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." } ] - } - ] - }, - { - "id": "web_content_and_connections", - "title": "Web content and connections", - "controls": [ + }, { - "id": "control-0258", - "title": "Web usage policy", + "id": "control-1130", + "title": "Enclosed cable reticulation systems", "parts": [ { - "id": "control-0258-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." 
} ] }, { - "id": "control-0260", - "title": "Web proxies", + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", "parts": [ { - "id": "control-0260-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-0261", - "title": "Web proxies", + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-0261-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." } ] }, { - "id": "control-0263", - "title": "Transport Layer Security filtering", + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-0263-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." 
} ] }, { - "id": "control-0996", - "title": "Inspection of Transport Layer Security traffic", + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-0996-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-0958", - "title": "Allowing access to specific websites", + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-0958-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1170", - "title": "Allowing access to specific websites", + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1170-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." 
} ] }, { - "id": "control-0959", - "title": "Blocking access to specific websites", + "id": "control-1098", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-0959-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." + "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." } ] }, { - "id": "control-0960", - "title": "Blocking access to specific websites", + "id": "control-1100", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-0960-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-1171", - "title": "Blocking access to specific websites", + "id": "control-1116", + "title": "Cabinet separation", "parts": [ { - "id": "control-1171-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] }, { - "id": "control-1236", - "title": "Blocking access to specific websites", + "id": "control-1115", + "title": "Cables in walls", "parts": [ { - "id": "control-1236-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." 
} ] }, { - "id": "control-0963", - "title": "Web content filter", + "id": "control-1133", + "title": "Cables in party walls", "parts": [ { - "id": "control-0963-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "In shared non-government facilities, cables are not run in a party wall." } ] }, { - "id": "control-0961", - "title": "Web content filter", + "id": "control-1122", + "title": "Wall penetrations", "parts": [ { - "id": "control-0961-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1237", - "title": "Web content filter", + "id": "control-1134", + "title": "Wall penetrations", "parts": [ { - "id": "control-1237-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] - } - ] - }, - { - "id": "peripheral_switches", - "title": "Peripheral switches", - "controls": [ + }, { - "id": "control-0591", - "title": "Using peripheral switches", + "id": "control-1104", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-0591-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." 
+ "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." } ] }, { - "id": "control-1480", - "title": "Using peripheral switches", + "id": "control-1105", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1480-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." } ] }, { - "id": "control-1457", - "title": "Using peripheral switches", + "id": "control-1106", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1106-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." } ] }, { - "id": "control-0593", - "title": "Using peripheral switches", + "id": "control-1107", + "title": "Wall outlet box colours", "parts": [ { - "id": "control-0593-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." 
} ] }, { - "id": "control-0594", - "title": "Peripheral switches for particularly important systems", + "id": "control-1109", + "title": "Wall outlet box covers", "parts": [ { - "id": "control-0594-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." + "prose": "Wall outlet box covers are clear plastic." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_network_management", - "title": "Guidelines for Network Management", - "groups": [ - { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", - "controls": [ + }, { - "id": "control-1458", - "title": "Determining essential online services", + "id": "control-0198", + "title": "Audio secure spaces", "parts": [ { - "id": "control-1458-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." 
} ] }, { - "id": "control-1431", - "title": "Service provider denial of service strategies", + "id": "control-1123", + "title": "Power reticulation", "parts": [ { - "id": "control-1431-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred by customers resulting from denial-of-service attacks\n• thresholds for notifying customers or turning off their online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream providers to block malicious traffic as far upstream as possible." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-1432", - "title": "Domain name registrar locking", + "id": "control-1135", + "title": "Power reticulation", "parts": [ { - "id": "control-1432-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
} ] - }, + } + ] + }, + { + "id": "cable_labelling_and_registration", + "title": "Cable labelling and registration", + "controls": [ { - "id": "control-1433", - "title": "Establishing contact details with service providers", + "id": "control-0201", + "title": "Conduit label specifications", "parts": [ { - "id": "control-1433-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "24x7 contact details are maintained for service providers and service providers maintain 24x7 contact details for their customers." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." } ] }, { - "id": "control-1434", - "title": "Establishing contact details with service providers", + "id": "control-0202", + "title": "Conduit label specifications", "parts": [ { - "id": "control-1434-stmt", + "id": "control-0202-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." } ] }, { - "id": "control-1435", - "title": "Monitoring with real-time alerting for online services", + "id": "control-0203", + "title": "Conduit label specifications", "parts": [ { - "id": "control-1435-stmt", + "id": "control-0203-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." 
} ] }, { - "id": "control-1436", - "title": "Segregation of critical online services", + "id": "control-0204", + "title": "Installing conduit labelling", "parts": [ { - "id": "control-1436-stmt", + "id": "control-0204-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." } ] }, { - "id": "control-1518", - "title": "Preparing for service continuity", + "id": "control-1095", + "title": "Labelling wall outlet boxes", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." } ] }, { - "id": "control-1437", - "title": "Cloud-based hosting of online services", + "id": "control-1096", + "title": "Labelling cables", "parts": [ { - "id": "control-1437-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "A cloud service provider, preferably multiple different cloud service providers, is used for hosting online services." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." 
} ] }, { - "id": "control-1438", - "title": "Using content delivery networks and denial of service mitigation services", + "id": "control-0206", + "title": "Cable labelling process and procedures", "parts": [ { - "id": "control-1438-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-1439", - "title": "Using content delivery networks and denial of service mitigation services", + "id": "control-0208", + "title": "Cable register", "parts": [ { - "id": "control-1439-stmt", + "id": "control-0208-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." } ] }, { - "id": "control-1441", - "title": "Using content delivery networks and denial of service mitigation services", + "id": "control-0211", + "title": "Cable inspections", "parts": [ { - "id": "control-1441-stmt", + "id": "control-0211-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists for online services, a denial of service mitigation service is used." + "prose": "Cables are inspected for inconsistencies with the cable register at least annually." 
} ] } ] }, { - "id": "wireless_networks", - "title": "Wireless networks", + "id": "cable_patching", + "title": "Cable patching", "controls": [ { - "id": "control-1314", - "title": "Choosing wireless access points", + "id": "control-0213", + "title": "Terminations to patch panels", "parts": [ { - "id": "control-1314-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "Only approved cable groups terminate on a patch panel." } ] }, { - "id": "control-0536", - "title": "Wireless networks for public access", + "id": "control-1093", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-0536-stmt", + "id": "control-1093-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." } ] }, { - "id": "control-1315", - "title": "Administrative interfaces for wireless access points", + "id": "control-0214", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1315-stmt", + "id": "control-0214-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." + "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." 
} ] }, { - "id": "control-1316", - "title": "Default Service Set Identifiers", + "id": "control-1094", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1316-stmt", + "id": "control-1094-stmt", "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." } ] }, { - "id": "control-1317", - "title": "Default Service Set Identifiers", + "id": "control-0216", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1317-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." } ] }, { - "id": "control-1318", - "title": "Default Service Set Identifiers", + "id": "control-0217", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1318-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." 
} ] }, { - "id": "control-1319", - "title": "Static addressing", + "id": "control-0218", + "title": "Fly lead installation", "parts": [ { - "id": "control-1319-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ { - "id": "control-1320", - "title": "Media Access Control address filtering", + "id": "control-0100", + "title": "Outsourced gateway services", "parts": [ { - "id": "control-1320-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." + "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program assessors at least every two years." } ] }, { - "id": "control-1321", - "title": "802.1X authentication", + "id": "control-1395", + "title": "Using outsourced information technology and cloud services", "parts": [ { - "id": "control-1321-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "If using an outsourced information technology or cloud service, the service provider provides an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." 
} ] }, { - "id": "control-1322", - "title": "Evaluation of 802.1X authentication implementation", + "id": "control-1529", + "title": "Using outsourced information technology and cloud services", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "If using outsourced cloud services for highly classified information, public clouds are not used." } ] }, { - "id": "control-1324", - "title": "Generating and issuing certificates for authentication", + "id": "control-0873", + "title": "Foreign owned service providers and offshore services", "parts": [ { - "id": "control-1324-stmt", + "id": "control-0873-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "If using an outsourced information technology or cloud service, a service provider whose systems are located in Australia is used." } ] }, { - "id": "control-1323", - "title": "Generating and issuing certificates for authentication", + "id": "control-0072", + "title": "Contractual arrangements", "parts": [ { - "id": "control-1323-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "Any security controls associated with the protection of information entrusted to a service provider are documented in contract provisions, a memorandum of understanding or an equivalent formal agreement between parties." 
} ] }, { - "id": "control-1325", - "title": "Generating and issuing certificates for authentication", + "id": "control-1073", + "title": "Contractual arrangements", "parts": [ { - "id": "control-1325-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." + "prose": "An organisation’s systems and information are not accessed or administered by a service provider from outside Australian borders unless a contractual arrangement exists between the organisation and the service provider to do so." } ] }, { - "id": "control-1326", - "title": "Generating and issuing certificates for authentication", + "id": "control-1451", + "title": "Data ownership", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "When entering into a contractual arrangement for outsourced information technology or cloud services, contractual ownership over an organisation’s data is explicitly retained." } ] }, { - "id": "control-1327", - "title": "Generating and issuing certificates for authentication", + "id": "control-1452", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1327-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "A review of suppliers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ + { + "id": "application_hardening", + "title": "Application hardening", + "controls": [ { - "id": "control-1330", - "title": "Caching 802.1X authentication outcomes", + "id": "control-0938", + "title": "Application selection", "parts": [ { - "id": "control-1330-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." } ] }, { - "id": "control-1454", - "title": "Remote Authentication Dial-In User Service authentication", + "id": "control-1467", + "title": "Application versions", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." } ] }, { - "id": "control-1332", - "title": "Encryption of wireless network traffic", + "id": "control-1483", + "title": "Application versions", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." 
} ] }, { - "id": "control-1334", - "title": "Interference between wireless networks", + "id": "control-1412", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1334-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1335", - "title": "Protecting management frames on wireless networks", + "id": "control-1484", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1335-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "Web browsers are configured to block or disable support for Flash content." } ] }, { - "id": "control-1338", - "title": "Wireless network footprint", + "id": "control-1485", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "Web browsers are configured to block web advertisements." } ] }, { - "id": "control-1013", - "title": "Wireless network footprint", + "id": "control-1486", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." 
+ "prose": "Web browsers are configured to block Java from the internet." } ] - } - ] - }, - { - "id": "network_design_and_configuration", - "title": "Network design and configuration", - "controls": [ + }, { - "id": "control-0516", - "title": "Network documentation", + "id": "control-1541", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0516-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Microsoft Office is configured to disable support for Flash content." } ] }, { - "id": "control-0518", - "title": "Network documentation", + "id": "control-1542", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0518-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." } ] }, { - "id": "control-1178", - "title": "Network documentation", + "id": "control-1470", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1178-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." 
} ] }, { - "id": "control-1181", - "title": "Network segmentation and segregation", + "id": "control-1235", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1181-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." } ] }, { - "id": "control-1532", - "title": "Using Virtual Local Area Networks", + "id": "control-1487", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1532-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." } ] }, { - "id": "control-0529", - "title": "Using Virtual Local Area Networks", + "id": "control-1488", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0529-stmt", + "id": "control-1488-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." + "prose": "Microsoft Office macros in documents originating from the internet are blocked." } ] }, { - "id": "control-1364", - "title": "Using Virtual Local Area Networks", + "id": "control-1489", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1364-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "Microsoft Office macro security settings cannot be changed by users." 
} ] - }, + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ { - "id": "control-0535", - "title": "Using Virtual Local Area Networks", + "id": "control-1407", + "title": "Operating system versions", "parts": [ { - "id": "control-0535-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "The latest version (N), or N-1 version, of an operating system is used for Standard Operating Environments (SOEs)." } ] }, { - "id": "control-0530", - "title": "Using Virtual Local Area Networks", + "id": "control-1408", + "title": "Operating system versions", "parts": [ { - "id": "control-0530-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." } ] }, { - "id": "control-0521", - "title": "Using Internet Protocol version 6", + "id": "control-1409", + "title": "Operating system configuration", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-1186", - "title": "Using Internet Protocol version 6", + "id": "control-0383", + "title": "Operating system configuration", "parts": [ { - "id": "control-1186-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." 
} ] }, { - "id": "control-1428", - "title": "Using Internet Protocol version 6", + "id": "control-0380", + "title": "Operating system configuration", "parts": [ { - "id": "control-1428-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." } ] }, { - "id": "control-1429", - "title": "Using Internet Protocol version 6", + "id": "control-1491", + "title": "Operating system configuration", "parts": [ { - "id": "control-1429-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." } ] }, { - "id": "control-1430", - "title": "Using Internet Protocol version 6", + "id": "control-1410", + "title": "Local administrator accounts", "parts": [ { - "id": "control-1430-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." 
} ] }, { - "id": "control-0520", - "title": "Network access controls", + "id": "control-1469", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0520-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-1182", - "title": "Network access controls", + "id": "control-0382", + "title": "Application management", "parts": [ { - "id": "control-1182-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "Users do not have the ability to install, uninstall or disable software." } ] }, { - "id": "control-1301", - "title": "Network device register", + "id": "control-0843", + "title": "Application control", "parts": [ { - "id": "control-1301-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-1304", - "title": "Default accounts for network devices", + "id": "control-1490", + "title": "Application control", "parts": [ { - "id": "control-1304-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." 
} ] }, { - "id": "control-0534", - "title": "Disabling unused physical ports on network devices", + "id": "control-0955", + "title": "Application control", "parts": [ { - "id": "control-0534-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." } ] }, { - "id": "control-0385", - "title": "Functional separation between servers", + "id": "control-1471", + "title": "Application control", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-1479", - "title": "Functional separation between servers", + "id": "control-1392", + "title": "Application control", "parts": [ { - "id": "control-1479-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." 
} ] }, { - "id": "control-1460", - "title": "Functional separation between server-side computing environments", + "id": "control-1544", + "title": "Application control", "parts": [ { - "id": "control-1460-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware:\n• the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner\n• the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism\n• the underlying operating system running on the server is hardened\n• patches are applied to the isolation mechanism and underlying operating system in a timely manner\n• integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." } ] }, { - "id": "control-1462", - "title": "Functional separation between server-side computing environments", + "id": "control-0846", + "title": "Application control", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." 
} ] }, { - "id": "control-1461", - "title": "Functional separation between server-side computing environments", + "id": "control-0957", + "title": "Application control", "parts": [ { - "id": "control-1461-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." + "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." } ] }, { - "id": "control-1006", - "title": "Management traffic", + "id": "control-1414", + "title": "Enhanced Mitigation Experience Toolkit and Exploit protection", "parts": [ { - "id": "control-1006-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." } ] }, { - "id": "control-1311", - "title": "Use of Simple Network Management Protocol", + "id": "control-1492", + "title": "Enhanced Mitigation Experience Toolkit and Exploit protection", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "If supported, Microsoft's 'Exploit protection' functionality is implemented on workstations and servers." 
} ] }, { - "id": "control-1312", - "title": "Use of Simple Network Management Protocol", + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1312-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "A HIPS is implemented on workstations." } ] }, { - "id": "control-1028", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage, including public network infrastructure." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." } ] }, { - "id": "control-1030", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1416", + "title": "Software firewall", "parts": [ { - "id": "control-1030-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." 
} ] }, { - "id": "control-1185", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1417", + "title": "Antivirus software", "parts": [ { - "id": "control-1185-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ - { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ + }, { - "id": "control-0041", - "title": "System security plan", - "parts": [ + "id": "control-1390", + "title": "Antivirus software", + "parts": [ { - "id": "control-0041-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "Antivirus software has reputation rating functionality enabled." 
} ] }, { - "id": "control-0043", - "title": "Incident response plan", + "id": "control-1418", + "title": "Endpoint device control software", "parts": [ { - "id": "control-0043-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." + "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." 
} ] - }, + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ { - "id": "control-1163", - "title": "Continuous monitoring plan", + "id": "control-1546", + "title": "Authenticating to systems", "parts": [ { - "id": "control-1163-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability assessments, vulnerability scans and penetration tests for systems at least annually throughout their life cycle to identify security vulnerabilities\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." + "prose": "Users are authenticated before they are granted access to a system and its resources." } ] }, { - "id": "control-1563", - "title": "Security assessment report", + "id": "control-0974", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1563-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + "prose": "Multi-factor authentication is used to authenticate standard users." 
} ] }, { - "id": "control-1564", - "title": "Plan of action and milestones", + "id": "control-1173", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1564-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." + "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." } ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ + }, { - "id": "control-0039", - "title": "Cyber security strategy", + "id": "control-1504", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-0039-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] }, { - "id": "control-0047", - "title": "Approval of security documentation", + "id": "control-1505", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-0047-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." 
} ] }, { - "id": "control-0888", - "title": "Maintenance of security documentation", + "id": "control-1401", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-0888-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", - "controls": [ + }, { - "id": "control-0252", - "title": "Providing cyber security awareness training", + "id": "control-1559", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-0252-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "Ongoing cyber security awareness training is provided to personnel and includes:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• the authorised use of systems and their resources\n• the protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] }, { - "id": "control-0817", - "title": "Reporting suspicious contact via online services", + "id": "control-1560", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-0817-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." 
+ "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." } ] }, { - "id": "control-0820", - "title": "Posting work information to online services", + "id": "control-1561", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-0820-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." } ] }, { - "id": "control-1146", - "title": "Posting work information to online services", + "id": "control-1357", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." } ] }, { - "id": "control-0821", - "title": "Posting personal information to online services", + "id": "control-0417", + "title": "Single-factor authentication", "parts": [ { - "id": "control-0821-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." 
} ] }, { - "id": "control-0824", - "title": "Sending and receiving files via online services", + "id": "control-0421", + "title": "Single-factor authentication", "parts": [ { - "id": "control-0824-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." } ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "System access requirements", + "id": "control-1557", + "title": "Single-factor authentication", "parts": [ { - "id": "control-0432-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "Each system’s system security plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources." + "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] }, { - "id": "control-0434", - "title": "Security clearances, briefings and user identification", + "id": "control-0422", + "title": "Single-factor authentication", "parts": [ { - "id": "control-0434-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." 
} ] }, { - "id": "control-0435", - "title": "Security clearances, briefings and user identification", + "id": "control-1558", + "title": "Single-factor authentication", "parts": [ { - "id": "control-0435-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." } ] }, { - "id": "control-0414", - "title": "Security clearances, briefings and user identification", + "id": "control-1403", + "title": "Account lockouts", "parts": [ { - "id": "control-0414-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-0415", - "title": "Security clearances, briefings and user identification", + "id": "control-0431", + "title": "Account lockouts", "parts": [ { - "id": "control-0415-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "Repeated account lockouts are investigated before reauthorising access." } ] }, { - "id": "control-0975", - "title": "Security clearances, briefings and user identification", + "id": "control-0976", + "title": "Resetting passwords/passphrases", "parts": [ { - "id": "control-0975-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." 
+ "prose": "Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset." } ] }, { - "id": "control-0420", - "title": "Security clearances, briefings and user identification", + "id": "control-1227", + "title": "Resetting passwords/passphrases", "parts": [ { - "id": "control-0420-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date." } ] }, { - "id": "control-1538", - "title": "Security clearances, briefings and user identification", + "id": "control-1055", + "title": "Password/passphrase authentication", "parts": [ { - "id": "control-1538-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "LAN Manager is disabled for password/passphrase authentication." } ] }, { - "id": "control-0405", - "title": "Standard access to systems", + "id": "control-0418", + "title": "Protecting credentials", "parts": [ { - "id": "control-0405-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Credentials are stored separately from systems to which they grant access." 
} ] }, { - "id": "control-1503", - "title": "Standard access to systems", + "id": "control-1402", + "title": "Protecting credentials", "parts": [ { - "id": "control-1503-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Credentials are protected by ensuring:\n• passwords/passphrases expire every 12 months\n• passwords/passphrases are stored as salted hashes\n• password/passphrase stretching is implemented\n• passwords/passphrases that are compromised are revoked\n• passwords/passphrases are never sent in the clear across networks." } ] }, { - "id": "control-0409", - "title": "Standard access to systems by foreign nationals", + "id": "control-0428", + "title": "Session and screen locking", "parts": [ { - "id": "control-0409-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." 
} ] }, { - "id": "control-0411", - "title": "Standard access to systems by foreign nationals", + "id": "control-0408", + "title": "Logon banner", "parts": [ { - "id": "control-0411-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-0816", - "title": "Standard access to systems by foreign nationals", + "id": "control-0979", + "title": "Logon banner", "parts": [ { - "id": "control-0816-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." + "prose": "Legal advice is sought on the exact wording of logon banners." } ] - }, - { - "id": "control-1507", - "title": "Privileged access to systems", - "parts": [ - { - "id": "control-1507-stmt", - "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." - } - ] - }, - { - "id": "control-1508", - "title": "Privileged access to systems", - "parts": [ - { - "id": "control-1508-stmt", - "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." 
- } - ] - }, - { - "id": "control-0445", - "title": "Privileged access to systems", - "parts": [ - { - "id": "control-0445-stmt", - "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." - } - ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", + "groups": [ + { + "id": "application_development", + "title": "Application development", + "controls": [ { - "id": "control-1509", - "title": "Privileged access to systems", + "id": "control-0400", + "title": "Development environments", "parts": [ { - "id": "control-1509-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "Software development, testing and production environments are segregated." } ] }, { - "id": "control-1175", - "title": "Privileged access to systems", + "id": "control-1419", + "title": "Development environments", "parts": [ { - "id": "control-1175-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-0448", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1420", + "title": "Development environments", "parts": [ { - "id": "control-0448-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." 
+ "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-0446", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1422", + "title": "Development environments", "parts": [ { - "id": "control-0446-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-0447", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1238", + "title": "Secure software design", "parts": [ { - "id": "control-0447-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, { - "id": "control-1545", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0401", + "title": "Secure programming practices", "parts": [ { - "id": "control-1545-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." 
} ] }, { - "id": "control-0430", - "title": "Suspension of access to systems", + "id": "control-0402", + "title": "Software testing", "parts": [ { - "id": "control-0430-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] - }, + } + ] + }, + { + "id": "web_application_development", + "title": "Web application development", + "controls": [ { - "id": "control-1404", - "title": "Suspension of access to systems", + "id": "control-1239", + "title": "Web application frameworks", "parts": [ { - "id": "control-1404-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-0407", - "title": "Recording authorisation for personnel to access systems", + "id": "control-1552", + "title": "Web application interactions", "parts": [ { - "id": "control-0407-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." + "prose": "All web application content is offered exclusively using HTTPS." 
} ] }, { - "id": "control-0441", - "title": "Temporary access to systems", + "id": "control-1240", + "title": "Web application input handling", "parts": [ { - "id": "control-0441-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-0443", - "title": "Temporary access to systems", + "id": "control-1241", + "title": "Web application output encoding", "parts": [ { - "id": "control-0443-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + "prose": "Output encoding is performed on all output produced by a web application." } ] }, { - "id": "control-0078", - "title": "Control of Australian systems", + "id": "control-1424", + "title": "Web browser-based security controls", "parts": [ { - "id": "control-0078-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-0854", - "title": "Control of Australian systems", + "id": "control-0971", + "title": "Open Web Application Security Project", "parts": [ { - "id": "control-0854-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." 
+ "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." } ] } 
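Review bot: The `-` and `+` sides of this hunk are unrelated controls, so the hunk records a reordering of top-level groups, not a content change, and a reviewer cannot tell from it whether any control id or prose was actually altered. The removed lines drop networking controls (`"id": "control-0534"`, `"id": "control-0385"`, `"id": "control-1479"`) and the whole `"id": "guidelines_for_security_documentation"` and `"id": "guidelines_for_personnel_security"` groups, while the added lines bring in "Application control", the `"id": "authentication_hardening"` group and `"id": "guidelines_for_software_development"`. Those removed groups must reappear elsewhere in the file, but nothing in this hunk shows that. Please state in the commit message that the catalogs were regenerated and that group order changed, and add (or attach the output of) an order-insensitive check that the set of (control id, statement prose) pairs is identical before and after, so a dropped or edited control cannot hide inside a 7000-line reorder. Running trestle's own validation over the regenerated catalogs before merge would also catch a broken group/controls nesting introduced by the re-emission.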
@@ -4594,2739 +4570,2825 @@ ] }, { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", + "id": "guidelines_for_using_cryptography", + "title": "Guidelines for Using Cryptography", "groups": [ { - "id": "authentication_hardening", - "title": "Authentication hardening", + "id": "secure_shell", + "title": "Secure Shell", "controls": [ { - "id": "control-1546", - "title": "Authenticating to systems", + "id": "control-1506", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-1546-stmt", + "id": "control-1506-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "The use of SSH version 1 is disabled." } ] }, { - "id": "control-0974", - "title": "Multi-factor authentication", + "id": "control-0484", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-0974-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-1173", - "title": "Multi-factor authentication", + "id": "control-0485", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1173-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "Public key-based authentication is used for SSH connections." } ] }, { - "id": "control-1504", - "title": "Multi-factor authentication", + "id": "control-1449", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1504-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." 
+ "prose": "SSH private keys are protected with a passphrase or a key encryption key." } ] }, { - "id": "control-1505", - "title": "Multi-factor authentication", + "id": "control-0487", + "title": "Automated remote access", "parts": [ { - "id": "control-1505-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." } ] }, { - "id": "control-1401", - "title": "Multi-factor authentication", + "id": "control-0488", + "title": "Automated remote access", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." } ] }, { - "id": "control-1559", - "title": "Multi-factor authentication", + "id": "control-0489", + "title": "SSH-agent", "parts": [ { - "id": "control-1559-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." 
} ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", + "controls": [ { - "id": "control-1560", - "title": "Multi-factor authentication", + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1560-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "If using cryptographic equipment or software that implements an AACA, only AACAs can be used." } ] }, { - "id": "control-1561", - "title": "Multi-factor authentication", + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", "parts": [ { - "id": "control-1561-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." } ] }, { - "id": "control-1357", - "title": "Multi-factor authentication", + "id": "control-0472", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-1357-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-0417", - "title": "Single-factor authentication", + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-0417-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." 
+ "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-0421", - "title": "Single-factor authentication", + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", "parts": [ { - "id": "control-0421-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." } ] }, { - "id": "control-1557", - "title": "Single-factor authentication", + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] }, { - "id": "control-0422", - "title": "Single-factor authentication", + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", "parts": [ { - "id": "control-0422-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." 
} ] }, { - "id": "control-1558", - "title": "Single-factor authentication", + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1403", - "title": "Account lockouts", + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-1403-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." } ] }, { - "id": "control-0431", - "title": "Account lockouts", + "id": "control-1054", + "title": "Approved hashing algorithms", "parts": [ { - "id": "control-0431-stmt", + "id": "control-1054-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." } ] }, { - "id": "control-0976", - "title": "Resetting passwords/passphrases", + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", "parts": [ { - "id": "control-0976-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset." 
+ "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." } ] }, { - "id": "control-1227", - "title": "Resetting passwords/passphrases", + "id": "control-0480", + "title": "Using the Triple Data Encryption Standard", "parts": [ { - "id": "control-1227-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "Password/passphrase resets are random for each individual reset, not reused when resetting multiple accounts, and not based on another identifying factor such as the user’s name or the date." + "prose": "3DES is used with three distinct keys." } ] }, { - "id": "control-1055", - "title": "Password/passphrase authentication", + "id": "control-1232", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-1055-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "LAN Manager is disabled for password/passphrase authentication." + "prose": "AACAs are used in an evaluated implementation." } ] }, { - "id": "control-0418", - "title": "Protecting credentials", + "id": "control-1468", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0418-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." 
} ] - }, + } + ] + }, + { + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", + "controls": [ { - "id": "control-1402", - "title": "Protecting credentials", + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-1402-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "Credentials are protected by ensuring:\n• passwords/passphrases expire every 12 months\n• passwords/passphrases are stored as salted hashes\n• password/passphrase stretching is implemented\n• passwords/passphrases that are compromised are revoked\n• passwords/passphrases are never sent in the clear across networks." + "prose": "Versions of S/MIME earlier than 3.0 are not used." } ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-0428", - "title": "Session and screen locking", + "id": "control-1139", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0428-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + "prose": "Only the latest version of TLS is used." 
} ] }, { - "id": "control-0408", - "title": "Logon banner", + "id": "control-1369", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0408-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-0979", - "title": "Logon banner", + "id": "control-1370", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0979-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." + "prose": "Only server-initiated secure renegotiation is used." } ] - } - ] - }, - { - "id": "operating_system_hardening", - "title": "Operating system hardening", - "controls": [ + }, { - "id": "control-1407", - "title": "Operating system versions", + "id": "control-1372", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1407-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for Standard Operating Environments (SOEs)." + "prose": "DH or ECDH is used for key establishment." } ] }, { - "id": "control-1408", - "title": "Operating system versions", + "id": "control-1448", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1408-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." 
} ] }, { - "id": "control-1409", - "title": "Operating system configuration", + "id": "control-1373", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1409-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-0383", - "title": "Operating system configuration", + "id": "control-1374", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0383-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + "prose": "SHA-2-based certificates are used." } ] }, { - "id": "control-0380", - "title": "Operating system configuration", + "id": "control-1375", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0380-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." } ] }, { - "id": "control-1491", - "title": "Operating system configuration", + "id": "control-1553", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1491-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." + "prose": "TLS compression is disabled." 
} ] }, { - "id": "control-1410", - "title": "Local administrator accounts", + "id": "control-1453", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1410-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + "prose": "PFS is used for TLS connections." } ] - }, + } + ] + }, + { + "id": "cryptographic_system_management", + "title": "Cryptographic system management", + "controls": [ { - "id": "control-1469", - "title": "Local administrator accounts", + "id": "control-0501", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1469-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." } ] }, { - "id": "control-0382", - "title": "Application management", + "id": "control-0142", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0382-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "Users do not have the ability to install, uninstall or disable software." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." 
} ] }, { - "id": "control-0843", - "title": "Application control", + "id": "control-1091", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0843-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "Keying material is changed when compromised or suspected of being compromised." } ] }, { - "id": "control-1490", - "title": "Application control", + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", "parts": [ { - "id": "control-1490-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." } ] }, { - "id": "control-0955", - "title": "Application control", + "id": "control-0505", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-0955-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." } ] }, { - "id": "control-1471", - "title": "Application control", + "id": "control-0506", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1471-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." 
+ "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." } ] - }, - { - "id": "control-1392", - "title": "Application control", + } + ] + }, + { + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", + "controls": [ + { + "id": "control-1161", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1392-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." } ] }, { - "id": "control-1544", - "title": "Application control", + "id": "control-0457", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1544-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." + "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." 
} ] }, { - "id": "control-0846", - "title": "Application control", + "id": "control-0460", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-0846-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." + "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-0957", - "title": "Application control", + "id": "control-0459", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0957-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-1414", - "title": "Enhanced Mitigation Experience Toolkit and Exploit protection", + "id": "control-0461", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-1414-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." 
} ] }, { - "id": "control-1492", - "title": "Enhanced Mitigation Experience Toolkit and Exploit protection", + "id": "control-1080", + "title": "Encrypting particularly important information at rest", "parts": [ { - "id": "control-1492-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "If supported, Microsoft's 'Exploit protection' functionality is implemented on workstations and servers." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." } ] }, { - "id": "control-1341", - "title": "Host-based Intrusion Prevention System", + "id": "control-0455", + "title": "Data recovery", "parts": [ { - "id": "control-1341-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." } ] }, { - "id": "control-1034", - "title": "Host-based Intrusion Prevention System", + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", "parts": [ { - "id": "control-1034-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." 
} ] }, { - "id": "control-1416", - "title": "Software firewall", + "id": "control-1162", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1416-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1417", - "title": "Antivirus software", + "id": "control-0465", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1417-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1390", - "title": "Antivirus software", + "id": "control-0467", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1390-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." 
} ] }, { - "id": "control-1418", - "title": "Endpoint device control software", + "id": "control-0469", + "title": "Encrypting particularly important information in transit", "parts": [ { - "id": "control-1418-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Endpoint device control software is implemented on workstations and servers to prevent unauthorised devices from being used." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." } ] } ] }, { - "id": "application_hardening", - "title": "Application hardening", + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", "controls": [ { - "id": "control-0938", - "title": "Application selection", + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-0938-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "If using cryptographic equipment or software that implements an AACP, only AACAs can be used." } ] - }, + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ { - "id": "control-1467", - "title": "Application versions", + "id": "control-0494", + "title": "Mode of operation", "parts": [ { - "id": "control-1467-stmt", + "id": "control-0494-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." 
} ] }, { - "id": "control-1483", - "title": "Application versions", + "id": "control-0496", + "title": "Protocol selection", "parts": [ { - "id": "control-1483-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "The ESP protocol is used for IPsec connections." } ] }, { - "id": "control-1412", - "title": "Hardening application configurations", + "id": "control-1233", + "title": "Key exchange", "parts": [ { - "id": "control-1412-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-1484", - "title": "Hardening application configurations", + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", "parts": [ { - "id": "control-1484-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." } ] }, { - "id": "control-1485", - "title": "Hardening application configurations", + "id": "control-0498", + "title": "Security association lifetimes", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." 
} ] }, { - "id": "control-1486", - "title": "Hardening application configurations", + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", "parts": [ { - "id": "control-1486-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-1541", - "title": "Hardening application configurations", + "id": "control-0999", + "title": "Diffie-Hellman groups", "parts": [ { - "id": "control-1541-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." } ] }, { - "id": "control-1542", - "title": "Hardening application configurations", + "id": "control-1000", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1542-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "PFS is used for IPsec connections." } ] }, { - "id": "control-1470", - "title": "Hardening application configurations", + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", "parts": [ { - "id": "control-1470-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_network_management", + "title": "Guidelines for Network Management", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ { - "id": "control-1235", - "title": "Hardening application configurations", + "id": "control-1458", + "title": "Determining essential online services", "parts": [ { - "id": "control-1235-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." } ] }, { - "id": "control-1487", - "title": "Microsoft Office macros", + "id": "control-1431", + "title": "Service provider denial of service strategies", "parts": [ { - "id": "control-1487-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred by customers resulting from denial-of-service attacks\n• thresholds for notifying customers or turning off their online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream providers to block malicious traffic as far upstream as possible." 
} ] }, { - "id": "control-1488", - "title": "Microsoft Office macros", + "id": "control-1432", + "title": "Domain name registrar locking", "parts": [ { - "id": "control-1488-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." } ] }, { - "id": "control-1489", - "title": "Microsoft Office macros", + "id": "control-1433", + "title": "Establishing contact details with service providers", "parts": [ { - "id": "control-1489-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." + "prose": "24x7 contact details are maintained for service providers and service providers maintain 24x7 contact details for their customers." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ - { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", - "controls": [ + }, { - "id": "control-0580", - "title": "Event logging policy", + "id": "control-1434", + "title": "Establishing contact details with service providers", "parts": [ { - "id": "control-0580-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." 
} ] }, { - "id": "control-1405", - "title": "Centralised logging facility", + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", "parts": [ { - "id": "control-1405-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] }, { - "id": "control-0988", - "title": "Centralised logging facility", + "id": "control-1436", + "title": "Segregation of critical online services", "parts": [ { - "id": "control-0988-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." } ] }, { - "id": "control-0584", - "title": "Events to be logged", + "id": "control-1518", + "title": "Preparing for service continuity", "parts": [ { - "id": "control-0584-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." 
} ] }, { - "id": "control-0582", - "title": "Events to be logged", + "id": "control-1437", + "title": "Cloud-based hosting of online services", "parts": [ { - "id": "control-0582-stmt", + "id": "control-1437-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to external media\n• user or group management\n• use of special privileges." + "prose": "A cloud service provider, preferably multiple different cloud service providers, is used for hosting online services." } ] }, { - "id": "control-1536", - "title": "Events to be logged", + "id": "control-1438", + "title": "Using content delivery networks and denial of service mitigation services", "parts": [ { - "id": "control-1536-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." 
} ] }, { - "id": "control-1537", - "title": "Events to be logged", + "id": "control-1439", + "title": "Using content delivery networks and denial of service mitigation services", "parts": [ { - "id": "control-1537-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." } ] }, { - "id": "control-0585", - "title": "Events log details", + "id": "control-1441", + "title": "Using content delivery networks and denial of service mitigation services", "parts": [ { - "id": "control-0585-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "Where a requirement for high availability exists for online services, a denial of service mitigation service is used." + } + ] + } + ] + }, + { + "id": "wireless_networks", + "title": "Wireless networks", + "controls": [ + { + "id": "control-1314", + "title": "Choosing wireless access points", + "parts": [ + { + "id": "control-1314-stmt", + "name": "statement", + "prose": "All wireless access points are Wi-Fi Alliance certified." 
} ] }, { - "id": "control-0586", - "title": "Event log protection", + "id": "control-0536", + "title": "Wireless networks for public access", "parts": [ { - "id": "control-0586-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." } ] }, { - "id": "control-0859", - "title": "Event log retention", + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", "parts": [ { - "id": "control-0859-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." } ] }, { - "id": "control-0991", - "title": "Event log retention", + "id": "control-1316", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0991-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "The default SSID of wireless access points is changed." } ] }, { - "id": "control-0109", - "title": "Event log auditing process and procedures", + "id": "control-1317", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0109-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." 
+ "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." } ] }, { - "id": "control-1228", - "title": "Event log auditing process and procedures", + "id": "control-1318", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1228-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "SSID broadcasting is enabled on wireless networks." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", - "groups": [ - { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", - "controls": [ + }, { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-1319", + "title": "Static addressing", "parts": [ { - "id": "control-0123-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." } ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-1320", + "title": "Media Access Control address filtering", "parts": [ { - "id": "control-0141-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "When organisations use outsourced information technology or cloud services, their service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." 
} ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents to the ACSC", + "id": "control-1321", + "title": "802.1X authentication", "parts": [ { - "id": "control-0140-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] - } - ] - }, - { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", - "controls": [ + }, { - "id": "control-0125", - "title": "Cyber security incident register", + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", "parts": [ { - "id": "control-0125-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." + "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." } ] }, { - "id": "control-0133", - "title": "Handling and containing data spills", + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0133-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." 
} ] }, { - "id": "control-0917", - "title": "Handling and containing malicious code infections", + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0917-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "Both device and user certificates are required for accessing wireless networks." } ] }, { - "id": "control-0137", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-1325", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0137-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." } ] }, { - "id": "control-1213", - "title": "Post-incident analysis", + "id": "control-1326", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1213-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." 
} ] }, { - "id": "control-0138", - "title": "Integrity of evidence", + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0138-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators recording all of their actions and ensuring raw audit trails are copied onto media for archiving." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." } ] - } - ] - }, - { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", - "controls": [ + }, { - "id": "control-0576", - "title": "Intrusion detection and prevention policy", + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", "parts": [ { - "id": "control-0576-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." } ] }, { - "id": "control-0120", - "title": "Access to sufficient data sources and tools", + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", "parts": [ { - "id": "control-0120-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems_management", - "title": "Guidelines for Database Systems Management", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Protecting database server contents", + "id": "control-1332", + "title": "Encryption of wireless network traffic", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." } ] }, { - "id": "control-1269", - "title": "Functional separation between database servers and web servers", + "id": "control-1334", + "title": "Interference between wireless networks", "parts": [ { - "id": "control-1269-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." } ] }, { - "id": "control-1277", - "title": "Communications between database servers and web servers", + "id": "control-1335", + "title": "Protecting management frames on wireless networks", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." 
} ] }, { - "id": "control-1270", - "title": "Network environment", + "id": "control-1338", + "title": "Wireless network footprint", "parts": [ { - "id": "control-1270-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." } ] }, { - "id": "control-1271", - "title": "Network environment", + "id": "control-1013", + "title": "Wireless network footprint", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + } + ] + } + ] + }, + { + "id": "network_design_and_configuration", + "title": "Network design and configuration", + "controls": [ + { + "id": "control-0516", + "title": "Network documentation", + "parts": [ + { + "id": "control-0516-stmt", + "name": "statement", + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." 
} ] }, { - "id": "control-1272", - "title": "Network environment", + "id": "control-0518", + "title": "Network documentation", "parts": [ { - "id": "control-1272-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1273", - "title": "Separation of production, test and development database servers", + "id": "control-1178", + "title": "Network documentation", "parts": [ { - "id": "control-1273-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." } ] - } - ] - }, - { - "id": "database_management_system_software", - "title": "Database management system software", - "controls": [ + }, { - "id": "control-1245", - "title": "Temporary installation files and logs", + "id": "control-1181", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-1245-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." 
} ] }, { - "id": "control-1246", - "title": "Hardening and configuration", + "id": "control-1532", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1246-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1247", - "title": "Hardening and configuration", + "id": "control-0529", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1247-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." } ] }, { - "id": "control-1249", - "title": "Restricting privileges", + "id": "control-1364", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1364-stmt", + "name": "statement", + "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + } + ] + }, + { + "id": "control-0535", + "title": "Using Virtual Local Area Networks", + "parts": [ + { + "id": "control-0535-stmt", + "name": "statement", + "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + } + ] + }, + { + "id": "control-0530", + "title": "Using Virtual Local Area Networks", + "parts": [ + { + "id": "control-0530-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "Network devices implementing VLANs are managed from the most trusted network." 
} ] }, { - "id": "control-1250", - "title": "Restricting privileges", + "id": "control-0521", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1250-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-1251", - "title": "Restricting privileges", + "id": "control-1186", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." } ] }, { - "id": "control-1260", - "title": "Database administrator accounts", + "id": "control-1428", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1260-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-1262", - "title": "Database administrator accounts", + "id": "control-1429", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1262-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." 
} ] }, { - "id": "control-1261", - "title": "Database administrator accounts", + "id": "control-1430", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1261-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." } ] }, { - "id": "control-1263", - "title": "Database administrator accounts", + "id": "control-0520", + "title": "Network access controls", "parts": [ { - "id": "control-1263-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] }, { - "id": "control-1264", - "title": "Database administrator accounts", + "id": "control-1182", + "title": "Network access controls", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Database register", + "id": "control-1301", + "title": "Network device register", "parts": [ { - "id": "control-1243-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." 
+ "prose": "A network device register is maintained and regularly audited." } ] }, { - "id": "control-1256", - "title": "Protecting database contents", + "id": "control-1304", + "title": "Default accounts for network devices", "parts": [ { - "id": "control-1256-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1252", - "title": "Protecting authentication credentials in databases", + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", "parts": [ { - "id": "control-1252-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Unused physical ports on network devices are disabled." } ] }, { - "id": "control-0393", - "title": "Protecting database contents", + "id": "control-0385", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0393-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-1255", - "title": "Protecting database contents", + "id": "control-1479", + "title": "Functional separation between servers", "parts": [ { - "id": "control-1255-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Servers minimise communications with other servers at both the network and file system level." 
} ] }, { - "id": "control-1268", - "title": "Protecting database contents", + "id": "control-1460", + "title": "Functional separation between server-side computing environments", "parts": [ { - "id": "control-1268-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware:\n• the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner\n• the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism\n• the underlying operating system running on the server is hardened\n• patches are applied to the isolation mechanism and underlying operating system in a timely manner\n• integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1258", - "title": "Aggregation of database contents", + "id": "control-1462", + "title": "Functional separation between server-side computing environments", "parts": [ { - "id": "control-1258-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." 
} ] }, { - "id": "control-1274", - "title": "Separation of production, test and development databases", + "id": "control-1461", + "title": "Functional separation between server-side computing environments", "parts": [ { - "id": "control-1274-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." } ] }, { - "id": "control-1275", - "title": "Web application interaction with databases", + "id": "control-1006", + "title": "Management traffic", "parts": [ { - "id": "control-1275-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." } ] }, { - "id": "control-1276", - "title": "Web application interaction with databases", + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." + "prose": "SNMP version 1 and 2 are not used on networks." 
} ] }, { - "id": "control-1278", - "title": "Web application interaction with databases", + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ - { - "id": "mobile_device_usage", - "title": "Mobile device usage", - "controls": [ + }, { - "id": "control-1082", - "title": "Mobile device usage policy", + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1082-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage, including public network infrastructure." } ] }, { - "id": "control-1083", - "title": "Personnel awareness", + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1083-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." 
} ] }, { - "id": "control-0240", - "title": "Paging and message services", + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ { - "id": "control-0866", - "title": "Using mobile devices in public spaces", + "id": "control-0123", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0866-stmt", + "id": "control-0123-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1145", - "title": "Using mobile devices in public spaces", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1145-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." 
+ "prose": "When organisations use outsourced information technology or cloud services, their service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-0871", - "title": "Maintaining control of mobile devices", + "id": "control-0140", + "title": "Reporting cyber security incidents to the ACSC", "parts": [ { - "id": "control-0871-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "Cyber security incidents are reported to the ACSC." } ] - }, + } + ] + }, + { + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", + "controls": [ { - "id": "control-0870", - "title": "Maintaining control of mobile devices", + "id": "control-0125", + "title": "Cyber security incident register", "parts": [ { - "id": "control-0870-stmt", + "id": "control-0125-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." 
} ] }, { - "id": "control-1084", - "title": "Carrying mobile devices", + "id": "control-0133", + "title": "Handling and containing data spills", "parts": [ { - "id": "control-1084-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." } ] }, { - "id": "control-0701", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-0917", + "title": "Handling and containing malicious code infections", "parts": [ { - "id": "control-0701-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." 
} ] }, { - "id": "control-0702", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-0137", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-0702-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-1298", - "title": "Before travelling overseas with mobile devices", + "id": "control-1213", + "title": "Post-incident analysis", "parts": [ { - "id": "control-1298-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." } ] }, { - "id": "control-1554", - "title": "Before travelling overseas with mobile devices", + "id": "control-0138", + "title": "Integrity of evidence", "parts": [ { - "id": "control-1554-stmt", + "id": "control-0138-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." 
+ "prose": "The integrity of evidence gathered during an investigation is maintained by investigators recording all of their actions and ensuring raw audit trails are copied onto media for archiving." } ] - }, + } + ] + }, + { + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", + "controls": [ { - "id": "control-1555", - "title": "Before travelling overseas with mobile devices", + "id": "control-0576", + "title": "Intrusion detection and prevention policy", "parts": [ { - "id": "control-1555-stmt", + "id": "control-0576-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." + "prose": "An intrusion detection and prevention policy is developed and implemented." 
} ] }, { - "id": "control-1299", - "title": "While travelling overseas with mobile devices", + "id": "control-0120", + "title": "Access to sufficient data sources and tools", "parts": [ { - "id": "control-1299-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems_management", + "title": "Guidelines for Database Systems Management", + "groups": [ + { + "id": "database_servers", + "title": "Database servers", + "controls": [ { - "id": "control-1088", - "title": "While travelling overseas with mobile devices", + "id": "control-1425", + "title": "Protecting database server contents", "parts": [ { - "id": "control-1088-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." + "prose": "Hard disks of database servers are encrypted using full disk encryption." } ] }, { - "id": "control-1300", - "title": "After travelling overseas with mobile devices", + "id": "control-1269", + "title": "Functional separation between database servers and web servers", "parts": [ { - "id": "control-1300-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." + "prose": "Database servers and web servers are functionally separated, physically or virtually." 
} ] }, { - "id": "control-1556", - "title": "After travelling overseas with mobile devices", + "id": "control-1277", + "title": "Communications between database servers and web servers", "parts": [ { - "id": "control-1556-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "Information communicated between database servers and web applications is encrypted." } ] - } - ] - }, - { - "id": "mobile_device_management", - "title": "Mobile device management", - "controls": [ + }, { - "id": "control-1533", - "title": "Mobile device management policy", + "id": "control-1270", + "title": "Network environment", "parts": [ { - "id": "control-1533-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-1195", - "title": "Mobile device management policy", + "id": "control-1271", + "title": "Network environment", "parts": [ { - "id": "control-1195-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." + "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." 
} ] }, { - "id": "control-0687", - "title": "Mobile device management policy", + "id": "control-1272", + "title": "Network environment", "parts": [ { - "id": "control-0687-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." } ] }, { - "id": "control-1400", - "title": "Privately-owned mobile devices", + "id": "control-1273", + "title": "Separation of production, test and development database servers", "parts": [ { - "id": "control-1400-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "Test and development environments do not use the same database servers as production environments." } ] - }, + } + ] + }, + { + "id": "databases", + "title": "Databases", + "controls": [ { - "id": "control-0694", - "title": "Privately-owned mobile devices", + "id": "control-1243", + "title": "Database register", "parts": [ { - "id": "control-0694-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems." + "prose": "A database register is maintained and regularly audited." 
} ] }, { - "id": "control-1297", - "title": "Seeking legal advice for privately-owned mobile devices", + "id": "control-1256", + "title": "Protecting database contents", "parts": [ { - "id": "control-1297-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "Prior to allowing privately-owned mobile devices to connect to an organisation’s systems, legal advice is sought." + "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-1482", - "title": "Organisation-owned mobile devices", + "id": "control-1252", + "title": "Protecting authentication credentials in databases", "parts": [ { - "id": "control-1482-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-0869", - "title": "Mobile device storage encryption", + "id": "control-0393", + "title": "Protecting database contents", "parts": [ { - "id": "control-0869-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." 
} ] }, { - "id": "control-1085", - "title": "Mobile device communications encryption", + "id": "control-1255", + "title": "Protecting database contents", "parts": [ { - "id": "control-1085-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." } ] }, { - "id": "control-1202", - "title": "Mobile device Bluetooth functionality", + "id": "control-1268", + "title": "Protecting database contents", "parts": [ { - "id": "control-1202-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." } ] }, { - "id": "control-0682", - "title": "Mobile device Bluetooth functionality", + "id": "control-1258", + "title": "Aggregation of database contents", "parts": [ { - "id": "control-0682-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." 
} ] }, { - "id": "control-1196", - "title": "Mobile device Bluetooth pairing", + "id": "control-1274", + "title": "Separation of production, test and development databases", "parts": [ { - "id": "control-1196-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." } ] }, { - "id": "control-1200", - "title": "Mobile device Bluetooth pairing", + "id": "control-1275", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1200-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." } ] }, { - "id": "control-1198", - "title": "Mobile device Bluetooth pairing", + "id": "control-1276", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1198-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." } ] }, { - "id": "control-1199", - "title": "Mobile device Bluetooth pairing", + "id": "control-1278", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1199-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." 
+ "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." } ] - }, + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ { - "id": "control-0863", - "title": "Configuration control", + "id": "control-1245", + "title": "Temporary installation files and logs", "parts": [ { - "id": "control-0863-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-0864", - "title": "Configuration control", + "id": "control-1246", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0864-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "DBMS software is configured according to vendor guidance." } ] }, { - "id": "control-1365", - "title": "Maintaining mobile device security", + "id": "control-1247", + "title": "Hardening and configuration", "parts": [ { - "id": "control-1365-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." } ] }, { - "id": "control-1366", - "title": "Maintaining mobile device security", + "id": "control-1249", + "title": "Restricting privileges", "parts": [ { - "id": "control-1366-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." 
+ "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] }, { - "id": "control-0874", - "title": "Connecting mobile devices to the internet", + "id": "control-1250", + "title": "Restricting privileges", "parts": [ { - "id": "control-0874-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." } ] }, { - "id": "control-0705", - "title": "Connecting mobile devices to the internet", + "id": "control-1251", + "title": "Restricting privileges", "parts": [ { - "id": "control-0705-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "The ability of DBMS software to read local files from a server is disabled." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", - "groups": [ - { - "id": "cable_labelling_and_registration", - "title": "Cable labelling and registration", - "controls": [ + }, { - "id": "control-0201", - "title": "Conduit label specifications", + "id": "control-1260", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0201-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." 
} ] }, { - "id": "control-0202", - "title": "Conduit label specifications", + "id": "control-1262", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0202-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." + "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-0203", - "title": "Conduit label specifications", + "id": "control-1261", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0203-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." + "prose": "Database administrator accounts are not shared across different databases." } ] }, { - "id": "control-0204", - "title": "Installing conduit labelling", + "id": "control-1263", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0204-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." + "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-1095", - "title": "Labelling wall outlet boxes", + "id": "control-1264", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1095-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ + { + "id": "system_owners", + "title": "System owners", + "controls": [ { - "id": "control-1096", - "title": "Labelling cables", + "id": "control-1071", + "title": "System ownership", "parts": [ { - "id": "control-1096-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." + "prose": "Each system has a designated system owner." } ] }, { - "id": "control-0206", - "title": "Cable labelling process and procedures", + "id": "control-1525", + "title": "Responsibilities", "parts": [ { - "id": "control-0206-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." + "prose": "System owners register each system with the system’s authorising officer." } ] }, { - "id": "control-0208", - "title": "Cable register", + "id": "control-0027", + "title": "Responsibilities", "parts": [ { - "id": "control-0208-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." + "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." } ] }, { - "id": "control-0211", - "title": "Cable inspections", + "id": "control-1526", + "title": "Responsibilities", "parts": [ { - "id": "control-0211-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "Cables are inspected for inconsistencies with the cable register at least annually." 
+ "prose": "System owners monitor security risks and the effectiveness of security controls for each system." } ] } ] }, { - "id": "cable_patching", - "title": "Cable patching", + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", "controls": [ { - "id": "control-0213", - "title": "Terminations to patch panels", + "id": "control-0714", + "title": "Cyber security leadership", "parts": [ { - "id": "control-0213-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "Only approved cable groups terminate on a patch panel." + "prose": "A CISO is appointed to provide cyber security leadership for their organisation." } ] }, { - "id": "control-1093", - "title": "Patch cable and fly lead connectors", + "id": "control-1478", + "title": "Responsibilities", "parts": [ { - "id": "control-1093-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." + "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_email_management", + "title": "Guidelines for Email Management", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ { - "id": "control-0214", - "title": "Patch cable and fly lead connectors", + "id": "control-0569", + "title": "Centralised email gateways", "parts": [ { - "id": "control-0214-stmt", + "id": "control-0569-stmt", "name": "statement", - "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." + "prose": "Email is routed through a centralised email gateway." } ] }, { - "id": "control-1094", - "title": "Patch cable and fly lead connectors", + "id": "control-0571", + "title": "Centralised email gateways", "parts": [ { - "id": "control-1094-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." } ] }, { - "id": "control-0216", - "title": "Physical separation of patch panels", + "id": "control-0570", + "title": "Email gateway maintenance activities", "parts": [ { - "id": "control-0216-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." 
} ] }, { - "id": "control-0217", - "title": "Physical separation of patch panels", + "id": "control-0567", + "title": "Open relay email servers", "parts": [ { - "id": "control-0217-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-0218", - "title": "Fly lead installation", + "id": "control-0572", + "title": "Email server transport encryption", "parts": [ { - "id": "control-0218-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." 
} ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ + }, { - "id": "control-0247", - "title": "Emanation security threat assessments in Australia", + "id": "control-0574", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0247-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." } ] }, { - "id": "control-0248", - "title": "Emanation security threat assessments in Australia", + "id": "control-1183", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0248-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "A hard fail SPF record is used when specifying email servers." } ] }, { - "id": "control-1137", - "title": "Emanation security threat assessments in Australia", + "id": "control-1151", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1137-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "SPF is used to verify the authenticity of incoming emails." 
} ] }, { - "id": "control-0932", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1152", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0932-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." } ] }, { - "id": "control-0249", - "title": "Emanation security threat assessments outside Australia", + "id": "control-0861", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0249-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-0246", - "title": "Early identification of emanation security issues", + "id": "control-1026", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0246-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "DKIM signatures on received emails are verified." 
} ] }, { - "id": "control-0250", - "title": "Industry and government standards", + "id": "control-1027", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0250-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." } ] - } - ] - }, - { - "id": "cable_management", - "title": "Cable management", - "controls": [ + }, { - "id": "control-0181", - "title": "Cable standards", + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", "parts": [ { - "id": "control-0181-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] }, { - "id": "control-0926", - "title": "Cable colours", + "id": "control-1234", + "title": "Email content filtering", "parts": [ { - "id": "control-0926-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "Email content filtering controls are implemented for email bodies and attachments." 
} ] }, { - "id": "control-0825", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-1502", + "title": "Blocking suspicious emails", "parts": [ { - "id": "control-0825-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." } ] }, { - "id": "control-0826", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-1024", + "title": "Undeliverable messages", "parts": [ { - "id": "control-0826-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." + "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." } ] - }, + } + ] + }, + { + "id": "email_usage", + "title": "Email usage", + "controls": [ { - "id": "control-1215", - "title": "Cable colour non-conformance", + "id": "control-0264", + "title": "Email usage policy", "parts": [ { - "id": "control-1215-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." + "prose": "An email usage policy is developed and implemented." } ] }, { - "id": "control-1216", - "title": "Cable colour non-conformance", + "id": "control-0267", + "title": "Webmail services", "parts": [ { - "id": "control-1216-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." 
+ "prose": "Access to non-approved webmail services is blocked." } ] }, { - "id": "control-1112", - "title": "Inspecting cables", + "id": "control-0270", + "title": "Protective markings for emails", "parts": [ { - "id": "control-1112-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." } ] }, { - "id": "control-1118", - "title": "Inspecting cables", + "id": "control-0271", + "title": "Protective marking tools", "parts": [ { - "id": "control-1118-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Protective marking tools do not automatically insert protective markings into emails." } ] }, { - "id": "control-1119", - "title": "Inspecting cables", + "id": "control-0272", + "title": "Protective marking tools", "parts": [ { - "id": "control-1119-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." } ] }, { - "id": "control-1126", - "title": "Inspecting cables", + "id": "control-1089", + "title": "Protective marking tools", "parts": [ { - "id": "control-1126-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." 
+ "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." } ] }, { - "id": "control-0184", - "title": "Inspecting cables", + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0184-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." } ] }, { - "id": "control-0187", - "title": "Cable groupings", + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0187-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-1111", - "title": "Use of fibre-optic cables", + "id": "control-0269", + "title": "Email distribution lists", "parts": [ { - "id": "control-1111-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." + "prose": "Emails containing AUSTEO or AGAO information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." 
} ] }, { - "id": "control-0189", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-1539", + "title": "Email distribution lists", "parts": [ { - "id": "control-0189-stmt", + "id": "control-1539-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." + "prose": "Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-0190", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-0039", + "title": "Cyber security strategy", "parts": [ { - "id": "control-0190-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-1114", - "title": "Cables sharing a common reticulation system", + "id": "control-0047", + "title": "Approval of security documentation", "parts": [ { - "id": "control-1114-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." 
} ] }, { - "id": "control-1130", - "title": "Enclosed cable reticulation systems", + "id": "control-0888", + "title": "Maintenance of security documentation", "parts": [ { - "id": "control-1130-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." } ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-1164", - "title": "Covers for enclosed cable reticulation systems", + "id": "control-0041", + "title": "System security plan", "parts": [ { - "id": "control-1164-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-0195", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-0043", + "title": "Incident response plan", "parts": [ { - "id": "control-0195-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." 
+ "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." } ] }, { - "id": "control-0194", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1163", + "title": "Continuous monitoring plan", "parts": [ { - "id": "control-0194-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability assessments, vulnerability scans and penetration tests for systems at least annually throughout their life cycle to identify security vulnerabilities\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." 
} ] }, { - "id": "control-1102", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1563", + "title": "Security assessment report", "parts": [ { - "id": "control-1102-stmt", + "id": "control-1563-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." } ] }, { - "id": "control-1101", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1564", + "title": "Plan of action and milestones", "parts": [ { - "id": "control-1101-stmt", + "id": "control-1564-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." + "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", + "groups": [ + { + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", + "controls": [ { - "id": "control-1103", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-0252", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1103-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "Ongoing cyber security awareness training is provided to personnel and includes:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• the authorised use of systems and their resources\n• the protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." } ] }, { - "id": "control-1098", - "title": "Terminating cables in cabinets", + "id": "control-0817", + "title": "Reporting suspicious contact via online services", "parts": [ { - "id": "control-1098-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, { - "id": "control-1100", - "title": "Terminating cables in cabinets", + "id": "control-0820", + "title": "Posting work information to online services", "parts": [ { - "id": "control-1100-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." 
+ "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." } ] }, { - "id": "control-1116", - "title": "Cabinet separation", + "id": "control-1146", + "title": "Posting work information to online services", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." } ] }, { - "id": "control-1115", - "title": "Cables in walls", + "id": "control-0821", + "title": "Posting personal information to online services", "parts": [ { - "id": "control-1115-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." } ] }, { - "id": "control-1133", - "title": "Cables in party walls", + "id": "control-0824", + "title": "Sending and receiving files via online services", "parts": [ { - "id": "control-1133-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in a party wall." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." 
} ] - }, + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ { - "id": "control-1122", - "title": "Wall penetrations", + "id": "control-0432", + "title": "System access requirements", "parts": [ { - "id": "control-1122-stmt", + "id": "control-0432-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Each system’s system security plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources." } ] }, { - "id": "control-1134", - "title": "Wall penetrations", + "id": "control-0434", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1134-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." } ] }, { - "id": "control-1104", - "title": "Wall outlet boxes", + "id": "control-0435", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1104-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." 
} ] }, { - "id": "control-1105", - "title": "Wall outlet boxes", + "id": "control-0414", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1105-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." } ] }, { - "id": "control-1106", - "title": "Wall outlet boxes", + "id": "control-0415", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1106-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-1107", - "title": "Wall outlet box colours", + "id": "control-0975", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1107-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1109", - "title": "Wall outlet box covers", + "id": "control-0420", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-1109-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality." 
} ] }, { - "id": "control-0198", - "title": "Audio secure spaces", + "id": "control-1538", + "title": "Security clearances, briefings and user identification", "parts": [ { - "id": "control-0198-stmt", + "id": "control-1538-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1123", - "title": "Power reticulation", + "id": "control-0405", + "title": "Standard access to systems", "parts": [ { - "id": "control-1123-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-1135", - "title": "Power reticulation", + "id": "control-1503", + "title": "Standard access to systems", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0336", - "title": "ICT equipment and media register", + "id": "control-0409", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0336-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-0159", - "title": "ICT equipment and media register", + "id": "control-0411", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0159-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-0161", - "title": "Securing ICT equipment and media", + "id": "control-0816", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0161-stmt", + "id": "control-0816-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." 
+ "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them." } ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Radio Frequency devices", + "id": "control-1507", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1543-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-0225", - "title": "Radio Frequency devices", + "id": "control-1508", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0225-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-0829", - "title": "Radio Frequency devices", + "id": "control-0445", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0829-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." 
} ] }, { - "id": "control-1058", - "title": "Bluetooth and wireless keyboards", + "id": "control-1509", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1058-stmt", + "id": "control-1509-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-0222", - "title": "Infrared keyboards", + "id": "control-1175", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0222-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." } ] }, { - "id": "control-0223", - "title": "Infrared keyboards", + "id": "control-0448", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0223-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." 
} ] }, { - "id": "control-0224", - "title": "Infrared keyboards", + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0224-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information." } ] }, { - "id": "control-0221", - "title": "Wireless RF pointing devices", + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0221-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." } ] - } - ] - }, - { - "id": "facilities_and_systems", - "title": "Facilities and systems", - "controls": [ + }, { - "id": "control-0810", - "title": "Facilities containing systems", + "id": "control-1545", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0810-stmt", + "id": "control-1545-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." 
+ "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information." } ] }, { - "id": "control-1053", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0430", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1053-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." } ] }, { - "id": "control-1530", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1404", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1530-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." } ] }, { - "id": "control-0813", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." 
+ "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." } ] }, { - "id": "control-1074", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0441", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1074-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." } ] }, { - "id": "control-0157", - "title": "Network infrastructure", + "id": "control-0443", + "title": "Temporary access to systems", "parts": [ { - "id": "control-0157-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." 
} ] }, { - "id": "control-1296", - "title": "Controlling physical access to network devices", + "id": "control-0078", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." } ] }, { - "id": "control-0164", - "title": "Preventing observation by unauthorised people", + "id": "control-0854", + "title": "Control of Australian systems", "parts": [ { - "id": "control-0164-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] } 
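Review bot: the `-` lines of this hunk delete two complete groups, `wireless_devices_and_radio_frequency_transmitters` (controls 1543, 0225, 0829, 1058, 0222, 0223, 0224, 0221) and `facilities_and_systems` (controls 0810, 1053, 1530, 0813, 1074, 0157, 1296, 0164), while the `+` lines only add privileged-access, suspension, temporary-access and control-of-Australian-systems controls (1507, 1508, 0445, 1509, 1175, 0448, 0446, 0447, 1545, 0430, 1404, 0407, 0441, 0443, 0078, 0854) and nothing in this hunk re-adds the removed group ids. Please confirm those groups reappear elsewhere in the regenerated catalog.json and that the control count is unchanged, or say in the commit message that the catalog was regenerated with a different group order. As rendered, git has paired unrelated controls by position (`- "id": "control-1543"` against `+ "id": "control-1507"`), so a before/after list of control ids, or a generator that keeps the original group ordering, would make this reviewable.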
@@ -7335,895 +7397,833 @@ ] }, { - "id": "guidelines_for_data_transfers_and_content_filtering", - "title": "Guidelines for Data Transfers and Content Filtering", + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", "groups": [ { - "id": "content_filtering", - "title": "Content filtering", + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", "controls": [ { - "id": "control-0659", - "title": "Content filtering", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", "parts": [ { - "id": "control-0659-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-0546", + "title": "Video and voice-aware firewalls", "parts": [ { - "id": "control-1524-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." } ] }, { - "id": "control-0651", - "title": "Active, malicious and suspicious content", + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", "parts": [ { - "id": "control-0651-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." 
+ "prose": "Video conferencing and IP telephony signalling and data is encrypted." } ] }, { - "id": "control-0652", - "title": "Active, malicious and suspicious content", + "id": "control-0548", + "title": "Establishment of secure signalling and data protocols", "parts": [ { - "id": "control-0652-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-1389", - "title": "Automated dynamic analysis", + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1389-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-1284", - "title": "Content validation", + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1284-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." 
} ] }, { - "id": "control-1286", - "title": "Content conversion and transformation", + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1286-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-1287", - "title": "Content sanitisation", + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1287-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." } ] }, { - "id": "control-1288", - "title": "Antivirus scanning", + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1288-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Individual logins are used for IP phones." 
} ] }, { - "id": "control-1289", - "title": "Archive and container files", + "id": "control-0549", + "title": "Traffic separation", "parts": [ { - "id": "control-1289-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." } ] }, { - "id": "control-1290", - "title": "Archive and container files", + "id": "control-0556", + "title": "Traffic separation", "parts": [ { - "id": "control-1290-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-1291", - "title": "Archive and container files", + "id": "control-1015", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Traditional analog phones are used in public areas." } ] }, { - "id": "control-0649", - "title": "Allowing access to specific content types", + "id": "control-0558", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0649-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." 
} ] }, { - "id": "control-1292", - "title": "Data integrity", + "id": "control-0559", + "title": "Microphones and webcams", "parts": [ { - "id": "control-1292-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." } ] }, { - "id": "control-0677", - "title": "Data integrity", + "id": "control-1450", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0677-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." } ] }, { - "id": "control-1293", - "title": "Encrypted data", + "id": "control-1019", + "title": "Developing a denial of service response plan", "parts": [ { - "id": "control-1293-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." } ] } ] }, { - "id": "data_transfers", - "title": "Data transfers", + "id": "telephone_systems", + "title": "Telephone systems", "controls": [ { - "id": "control-0663", - "title": "Data transfer process and procedures", - "parts": [ - { - "id": "control-0663-stmt", - "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." 
- } - ] - }, - { - "id": "control-0661", - "title": "User responsibilities", - "parts": [ - { - "id": "control-0661-stmt", - "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." - } - ] - }, - { - "id": "control-0665", - "title": "Trusted sources", - "parts": [ - { - "id": "control-0665-stmt", - "name": "statement", - "prose": "Trusted sources are a strictly limited number of personnel that have been authorised as such by an organisation’s CISO." - } - ] - }, - { - "id": "control-0675", - "title": "Trusted sources", + "id": "control-1078", + "title": "Telephone systems usage policy", "parts": [ { - "id": "control-0675-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "A trusted source makes an informed decision to sign all data authorised for export from a security domain." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-0664", - "title": "Data transfer approval", + "id": "control-0229", + "title": "Personnel awareness", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-0657", - "title": "Import of data", + "id": "control-0230", + "title": "Personnel awareness", "parts": [ { - "id": "control-0657-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." 
} ] }, { - "id": "control-0658", - "title": "Import of data", + "id": "control-0231", + "title": "Visual indication", "parts": [ { - "id": "control-0658-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-1187", - "title": "Export of data", + "id": "control-0232", + "title": "Protecting conversations", "parts": [ { - "id": "control-1187-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0669", - "title": "Export of data", + "id": "control-0233", + "title": "Cordless telephone systems", "parts": [ { - "id": "control-0669-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." 
} ] }, { - "id": "control-1535", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0235", + "title": "Speakerphones", "parts": [ { - "id": "control-1535-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." + "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-0678", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0236", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0678-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." } ] }, { - "id": "control-0667", - "title": "Monitoring data import and export", + "id": "control-0931", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0667-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "Data exported from each security domain, including through a gateway, is only permitted once the classification has been assessed including a protective marking check." + "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." 
} ] }, { - "id": "control-0660", - "title": "Monitoring data import and export", + "id": "control-0237", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0660-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "When importing data to each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." + "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." } ] - }, + } + ] + }, + { + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", + "controls": [ { - "id": "control-0673", - "title": "Monitoring data import and export", + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", "parts": [ { - "id": "control-0673-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "When exporting data out of each security domain, by any means including through a gateway, the complete data transfer logs are audited at least monthly." + "prose": "A fax machine and MFD usage policy is developed and implemented." } ] }, { - "id": "control-1294", - "title": "Monitoring data import and export", + "id": "control-1092", + "title": "Sending fax messages", "parts": [ { - "id": "control-1294-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "When importing content to a security domain, including through a gateway, monthly audits of the imported content are performed." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." 
} ] }, { - "id": "control-1295", - "title": "Monitoring data import and export", + "id": "control-0241", + "title": "Sending fax messages", "parts": [ { - "id": "control-1295-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "When exporting content out of a security domain, including through a gateway, monthly audits of the exported content are performed." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment_management", - "title": "Guidelines for ICT Equipment Management", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1075", + "title": "Receiving fax messages", "parts": [ { - "id": "control-0313-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." } ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0590", + "title": "Connecting multifunction devices to networks", "parts": [ { - "id": "control-1550-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." 
+ "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." } ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", "parts": [ { - "id": "control-0311-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." + "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0589", + "title": "Copying documents on multifunction devices", "parts": [ { - "id": "control-1217-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." 
} ] }, { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ { - "id": "control-0315", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1510", + "title": "Digital preservation policy", "parts": [ { - "id": "control-0315-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-1218", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-1218-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." 
} ] }, { - "id": "control-0312", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." } ] }, { - "id": "control-0317", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1511", + "title": "Performing backups", "parts": [ { - "id": "control-0317-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] }, { - "id": "control-1219", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1512", + "title": "Backup storage", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." 
} ] }, { - "id": "control-1220", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1513", + "title": "Backup storage", "parts": [ { - "id": "control-1220-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "Backups are stored at a multiple geographically-dispersed locations." } ] }, { - "id": "control-1221", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1514", + "title": "Retention periods for backups", "parts": [ { - "id": "control-1221-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Backups are stored for three months or greater." } ] }, { - "id": "control-0318", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1515", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-0318-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1534", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1516", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-1534-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." 
} ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-1076", - "title": "Sanitising televisions and computer monitors", + "id": "control-1211", + "title": "Change management process and procedures", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." } ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-1222", - "title": "Sanitising televisions and computer monitors", + "id": "control-0042", + "title": "System administration process and procedures", "parts": [ { - "id": "control-1222-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." 
} ] }, { - "id": "control-1223", - "title": "Sanitising network devices", + "id": "control-1380", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1223-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] }, - { - "id": "control-1225", - "title": "Sanitising fax machines", + { + "id": "control-1382", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1225-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." } ] }, { - "id": "control-1226", - "title": "Sanitising fax machines", + "id": "control-1381", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1226-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." 
} ] - } - ] - }, - { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", - "controls": [ + }, { - "id": "control-1079", - "title": "Maintenance and repairs of high assurance ICT equipment", + "id": "control-1383", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1079-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." } ] }, { - "id": "control-0305", - "title": "On-site maintenance and repairs", + "id": "control-1384", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-0305-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "Multi-factor authentication is used to authenticate users each time they perform privileged actions." } ] }, { - "id": "control-0307", - "title": "On-site maintenance and repairs", + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", "parts": [ { - "id": "control-0307-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." 
} ] }, { - "id": "control-0306", - "title": "On-site maintenance and repairs", + "id": "control-1386", + "title": "Restriction of management traffic flows", "parts": [ { - "id": "control-0306-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-0310", - "title": "Off-site maintenance and repairs", + "id": "control-1387", + "title": "Jump servers", "parts": [ { - "id": "control-0310-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." + "prose": "All administrative actions are conducted through a jump server." } ] }, { - "id": "control-0944", - "title": "Maintenance and repair of ICT equipment from secured spaces", + "id": "control-1388", + "title": "Jump servers", "parts": [ { - "id": "control-0944-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." 
} ] } ] }, { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", + "id": "system_patching", + "title": "System patching", "controls": [ { - "id": "control-1551", - "title": "ICT equipment management policy", + "id": "control-1143", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1551-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-0293", - "title": "Classifying ICT equipment", + "id": "control-1493", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-0293-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." } ] }, { - "id": "control-0294", - "title": "Labelling ICT equipment", + "id": "control-1144", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0294-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-0296", - "title": "Labelling high assurance ICT equipment", - "parts": [ - { - "id": "control-0296-stmt", - "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ - { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", - "controls": [ - { - "id": "control-0714", - "title": "Cyber security leadership", + "id": "control-0940", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0714-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership for their organisation." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1478", - "title": "Responsibilities", + "id": "control-1472", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ + }, { - "id": "control-1071", - "title": "System ownership", + "id": "control-1494", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1525", - "title": "Responsibilities", + "id": "control-1495", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "System owners register each system with the system’s authorising officer." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0027", - "title": "Responsibilities", + "id": "control-1496", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." + "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-1526", - "title": "Responsibilities", + "id": "control-0300", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1526-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "System owners monitor security risks and the effectiveness of security controls for each system." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ - { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", - "controls": [ + }, { - "id": "control-0100", - "title": "Outsourced gateway services", + "id": "control-0298", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-0100-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program assessors at least every two years." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-1395", - "title": "Using outsourced information technology and cloud services", + "id": "control-0303", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1395-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "If using an outsourced information technology or cloud service, the service provider provides an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1529", - "title": "Using outsourced information technology and cloud services", + "id": "control-1497", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "If using outsourced cloud services for highly classified information, public clouds are not used." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-0873", - "title": "Foreign owned service providers and offshore services", + "id": "control-1498", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-0873-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "If using an outsourced information technology or cloud service, a service provider whose systems are located in Australia is used." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." } ] }, { - "id": "control-0072", - "title": "Contractual arrangements", + "id": "control-1499", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-0072-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Any security controls associated with the protection of information entrusted to a service provider are documented in contract provisions, a memorandum of understanding or an equivalent formal agreement between parties." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1073", - "title": "Contractual arrangements", + "id": "control-1500", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1073-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider from outside Australian borders unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1451", - "title": "Data ownership", + "id": "control-0304", + "title": "Cessation of support", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "When entering into a contractual arrangement for outsourced information technology or cloud services, contractual ownership over an organisation’s data is explicitly retained." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] }, { - "id": "control-1452", - "title": "Cyber supply chain risk management", + "id": "control-1501", + "title": "Cessation of support", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "A review of suppliers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } 
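Review bot: this whole hunk is reordering, not a content change, and that is what inflates the per-file stats to thousands of lines. Every `-` control here (control-1220, control-1221, control-0318, control-1534, control-1076, control-1222, control-1223, control-1225, control-1226, the ict_equipment_maintenance_and_repairs and ict_equipment_usage groups, control-0714 onward) is paired with an unrelated `+` control (control-1513 to control-1516, then the change_management, system_administration and system_patching groups) whose prose matches, word for word, what the same ids show on the `-` side of the ISM_November_2020 hunk below (compare control-1380 to control-1388 and control-1143 to control-1501). Have the generator named in the catalog remarks emit groups and controls in a stable order (the order of the source document, or sorted by id) so that a regeneration that changes no control text yields an empty diff and a genuine ISM revision shows only the controls that moved or changed. Separately, the added prose for control-1513 reads `"Backups are stored at a multiple geographically-dispersed locations."`; if the generator is reproducing the official ISM wording verbatim, leave it, otherwise fix the stray article in the source rather than in the JSON.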
diff --git a/ISM_catalog_profile/catalogs/ISM_November_2020/catalog.json b/ISM_catalog_profile/catalogs/ISM_November_2020/catalog.json index b2f8244..6dec6b7 100644 --- a/ISM_catalog_profile/catalogs/ISM_November_2020/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_November_2020/catalog.json 
@@ -1,2135 +1,2119 @@ { "catalog": { - "uuid": "0ec099be-b2e4-469c-968e-1915ea469985", + "uuid": "b48d4ae7-8d58-494e-8887-4b9a1b2a48b7", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:20:42.661+00:00", + "last-modified": "2022-04-28T11:44:19.724854+10:00", "version": "November_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration process and procedures", + "id": "control-0580", + "title": "Event logging policy", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "Separate administrator workstations", + "id": "control-1405", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1382", - "title": "Separate administrator workstations", + "id": "control-0988", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1381", - "title": "Separate administrator workstations", + "id": "control-0584", + "title": "Events to be logged", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1383", - "title": "Separate administrator workstations", + "id": "control-0582", + "title": "Events to be logged", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." 
} ] }, { - "id": "control-1385", - "title": "Dedicated administration zones and communication restrictions", + "id": "control-1536", + "title": "Events to be logged", "parts": [ { - "id": "control-1385-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." } ] }, { - "id": "control-1386", - "title": "Restriction of management traffic flows", + "id": "control-1537", + "title": "Events to be logged", "parts": [ { - "id": "control-1386-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." } ] }, { - "id": "control-1387", - "title": "Jump servers", + "id": "control-0585", + "title": "Events log details", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-1388", - "title": "Jump servers", + "id": "control-0586", + "title": "Event log protection", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management process and procedures", + "id": "control-0859", + "title": "Event log retention", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "Patch management process and procedures", + "id": "control-0991", + "title": "Event log retention", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] }, { - "id": "control-1493", - "title": "Patch management process and procedures", + "id": "control-0109", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1493-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1144", - "title": "When to patch security vulnerabilities", + "id": "control-1228", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1144-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_email", + "title": "Guidelines for Email", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ { - "id": "control-0940", - "title": "When to patch security vulnerabilities", + "id": "control-0569", + "title": "Centralised email gateways", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0569-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email is routed through a centralised email gateway." } ] }, { - "id": "control-1472", - "title": "When to patch security vulnerabilities", + "id": "control-0571", + "title": "Centralised email gateways", "parts": [ { - "id": "control-1472-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." } ] }, { - "id": "control-1494", - "title": "When to patch security vulnerabilities", + "id": "control-0570", + "title": "Email gateway maintenance activities", "parts": [ { - "id": "control-1494-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
+ "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." } ] }, { - "id": "control-1495", - "title": "When to patch security vulnerabilities", + "id": "control-0567", + "title": "Open relay email servers", "parts": [ { - "id": "control-1495-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-1496", - "title": "When to patch security vulnerabilities", + "id": "control-0572", + "title": "Email server transport encryption", "parts": [ { - "id": "control-1496-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." } ] }, { - "id": "control-0300", - "title": "When to patch security vulnerabilities", + "id": "control-1589", + "title": "Email server transport encryption", "parts": [ { - "id": "control-0300-stmt", + "id": "control-1589-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." 
} ] }, { - "id": "control-0298", - "title": "How to patch security vulnerabilities", + "id": "control-0574", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." } ] }, { - "id": "control-0303", - "title": "How to patch security vulnerabilities", + "id": "control-1183", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0303-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "A hard fail SPF record is used when specifying email servers." } ] }, { - "id": "control-1497", - "title": "How to patch security vulnerabilities", + "id": "control-1151", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1497-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "SPF is used to verify the authenticity of incoming emails." } ] }, { - "id": "control-1498", - "title": "How to patch security vulnerabilities", + "id": "control-1152", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1498-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
} ] }, { - "id": "control-1499", - "title": "How to patch security vulnerabilities", + "id": "control-0861", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-1500", - "title": "How to patch security vulnerabilities", + "id": "control-1026", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1500-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "DKIM signatures on received emails are verified." } ] }, { - "id": "control-0304", - "title": "Cessation of support", + "id": "control-1027", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0304-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." 
} ] }, { - "id": "control-1501", - "title": "Cessation of support", + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", "parts": [ { - "id": "control-1501-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ + }, { - "id": "control-1510", - "title": "Digital preservation policy", + "id": "control-1234", + "title": "Email content filtering", "parts": [ { - "id": "control-1510-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "Email content filtering controls are implemented for email bodies and attachments." } ] }, { - "id": "control-1547", - "title": "Data backup and restoration processes and procedures", + "id": "control-1502", + "title": "Blocking suspicious emails", "parts": [ { - "id": "control-1547-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." } ] }, { - "id": "control-1548", - "title": "Data backup and restoration processes and procedures", + "id": "control-1024", + "title": "Undeliverable messages", "parts": [ { - "id": "control-1548-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
+ "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." } ] - }, + } + ] + }, + { + "id": "email_usage", + "title": "Email usage", + "controls": [ { - "id": "control-1511", - "title": "Performing backups", + "id": "control-0264", + "title": "Email usage policy", "parts": [ { - "id": "control-1511-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." + "prose": "An email usage policy is developed and implemented." } ] }, { - "id": "control-1512", - "title": "Backup storage", + "id": "control-0267", + "title": "Webmail services", "parts": [ { - "id": "control-1512-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." + "prose": "Access to non-approved webmail services is blocked." } ] }, { - "id": "control-1513", - "title": "Backup storage", + "id": "control-0270", + "title": "Protective markings for emails", "parts": [ { - "id": "control-1513-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." } ] }, { - "id": "control-1514", - "title": "Retention periods for backups", + "id": "control-0271", + "title": "Protective marking tools", "parts": [ { - "id": "control-1514-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Protective marking tools do not automatically insert protective markings into emails." 
} ] }, { - "id": "control-1515", - "title": "Testing restoration of backups", + "id": "control-0272", + "title": "Protective marking tools", "parts": [ { - "id": "control-1515-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." } ] }, { - "id": "control-1516", - "title": "Testing restoration of backups", + "id": "control-1089", + "title": "Protective marking tools", "parts": [ { - "id": "control-1516-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_gateways", - "title": "Guidelines for Gateways", - "groups": [ - { - "id": "firewalls", - "title": "Firewalls", - "controls": [ + }, { - "id": "control-1528", - "title": "Using firewalls", + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-1528-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." 
} ] }, { - "id": "control-0639", - "title": "Using firewalls", + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0639-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-1194", - "title": "Using firewalls", + "id": "control-0269", + "title": "Email distribution lists", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ + { + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", + "controls": [ + { + "id": "control-0336", + "title": "ICT equipment and media register", + "parts": [ + { + "id": "control-0336-stmt", + "name": "statement", + "prose": "An ICT equipment and media register is maintained and regularly audited." 
} ] }, { - "id": "control-0641", - "title": "Firewalls for particularly important networks", + "id": "control-0159", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "All ICT equipment and media are accounted for on a regular basis." } ] }, { - "id": "control-0642", - "title": "Firewalls for particularly important networks", + "id": "control-0161", + "title": "Securing ICT equipment and media", "parts": [ { - "id": "control-0642-stmt", + "id": "control-0161-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." + "prose": "ICT equipment and media are secured when not in use." } ] } ] }, { - "id": "gateways", - "title": "Gateways", + "id": "facilities_and_systems", + "title": "Facilities and systems", "controls": [ { - "id": "control-0628", - "title": "Gateway architecture and configuration", + "id": "control-0810", + "title": "Facilities containing systems", "parts": [ { - "id": "control-0628-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." 
} ] }, { - "id": "control-1192", - "title": "Gateway architecture and configuration", + "id": "control-1053", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1192-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." } ] }, { - "id": "control-0631", - "title": "Gateway architecture and configuration", + "id": "control-1530", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0631-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." 
} ] }, { - "id": "control-1427", - "title": "Gateway architecture and configuration", + "id": "control-0813", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1427-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0634", - "title": "Gateway operation", + "id": "control-1074", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0634-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." } ] }, { - "id": "control-0637", - "title": "Demilitarised zones", + "id": "control-0157", + "title": "Network infrastructure", "parts": [ { - "id": "control-0637-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." 
} ] }, { - "id": "control-1037", - "title": "Gateway testing", + "id": "control-1296", + "title": "Controlling physical access to network devices", "parts": [ { - "id": "control-1037-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." } ] }, { - "id": "control-0611", - "title": "Gateway administration", + "id": "control-0164", + "title": "Preventing observation by unauthorised people", "parts": [ { - "id": "control-0611-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." } ] - }, + } + ] + }, + { + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", + "controls": [ { - "id": "control-0612", - "title": "Gateway administration", + "id": "control-1543", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0612-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." 
} ] }, { - "id": "control-1520", - "title": "Gateway administration", + "id": "control-0225", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-1520-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-0613", - "title": "Gateway administration", - "parts": [ - { - "id": "control-0613-stmt", - "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." - } - ] - }, - { - "id": "control-0616", - "title": "Gateway administration", - "parts": [ - { - "id": "control-0616-stmt", - "name": "statement", - "prose": "Roles for the administration of gateways are separated." - } - ] - }, - { - "id": "control-0629", - "title": "Gateway administration", + "id": "control-0829", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0629-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." } ] }, { - "id": "control-0607", - "title": "Shared ownership of gateways", + "id": "control-1058", + "title": "Bluetooth and wireless keyboards", "parts": [ { - "id": "control-0607-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." 
+ "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." } ] }, { - "id": "control-0619", - "title": "Gateway authentication", + "id": "control-0222", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0619-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-0620", - "title": "Gateway authentication", + "id": "control-0223", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0620-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." } ] }, { - "id": "control-1039", - "title": "Gateway authentication", + "id": "control-0224", + "title": "Infrared keyboards", "parts": [ { - "id": "control-1039-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." 
} ] }, { - "id": "control-0622", - "title": "ICT equipment authentication", + "id": "control-0221", + "title": "Wireless RF pointing devices", "parts": [ { - "id": "control-0622-stmt", + "id": "control-0221-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ { - "id": "diodes", - "title": "Diodes", + "id": "mobile_device_management", + "title": "Mobile device management", "controls": [ { - "id": "control-0643", - "title": "Using diodes", + "id": "control-1533", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0643-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." + "prose": "A mobile device management policy is developed and implemented." } ] }, { - "id": "control-0645", - "title": "Using diodes", + "id": "control-1195", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0645-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." 
} ] }, { - "id": "control-1157", - "title": "Using diodes", + "id": "control-0687", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1157-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-1158", - "title": "Using diodes", + "id": "control-1400", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1158-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." } ] }, { - "id": "control-0646", - "title": "Diodes for particularly important networks", + "id": "control-0694", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-0646-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "Privately-owned mobile devices do not access highly classified systems or information." 
} ] }, { - "id": "control-0647", - "title": "Diodes for particularly important networks", + "id": "control-1297", + "title": "Seeking legal advice for privately-owned mobile devices", "parts": [ { - "id": "control-0647-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." } ] }, { - "id": "control-0648", - "title": "Volume checking", + "id": "control-1482", + "title": "Organisation-owned mobile devices", "parts": [ { - "id": "control-0648-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] - } - ] - }, - { - "id": "content_filtering", - "title": "Content filtering", - "controls": [ + }, { - "id": "control-0659", - "title": "Content filtering", + "id": "control-0869", + "title": "Mobile device storage encryption", "parts": [ { - "id": "control-0659-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-1085", + "title": "Mobile device communications encryption", "parts": [ { - "id": "control-1524-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-0651", - "title": "Active, malicious and suspicious content", + "id": "control-1202", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0651-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] }, { - "id": "control-0652", - "title": "Active, malicious and suspicious content", + "id": "control-0682", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0652-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
} ] }, { - "id": "control-1389", - "title": "Automated dynamic analysis", + "id": "control-1196", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1389-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-1284", - "title": "Content validation", + "id": "control-1200", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1284-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-1286", - "title": "Content conversion and transformation", + "id": "control-1198", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1286-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." } ] }, { - "id": "control-1287", - "title": "Content sanitisation", + "id": "control-1199", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1287-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." 
} ] }, { - "id": "control-1288", - "title": "Antivirus scanning", + "id": "control-0863", + "title": "Configuration control", "parts": [ { - "id": "control-1288-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-1289", - "title": "Archive and container files", + "id": "control-0864", + "title": "Configuration control", "parts": [ { - "id": "control-1289-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] }, { - "id": "control-1290", - "title": "Archive and container files", + "id": "control-1365", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1290-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] }, { - "id": "control-1291", - "title": "Archive and container files", + "id": "control-1366", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." 
} ] }, { - "id": "control-0649", - "title": "Allowing access to specific content types", + "id": "control-0874", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0649-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-1292", - "title": "Data integrity", + "id": "control-0705", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-1292-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." - } - ] - }, - { - "id": "control-0677", - "title": "Data integrity", - "parts": [ - { - "id": "control-0677-stmt", - "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." - } - ] - }, - { - "id": "control-1293", - "title": "Encrypted data", - "parts": [ - { - "id": "control-1293-stmt", - "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." } ] } ] }, { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", + "id": "mobile_device_usage", + "title": "Mobile device usage", "controls": [ { - "id": "control-0626", - "title": "When to implement a Cross Domain Solution", + "id": "control-1082", + "title": "Mobile device usage policy", "parts": [ { - "id": "control-0626-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "A mobile device usage policy is developed and implemented." 
} ] }, { - "id": "control-0597", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1083", + "title": "Personnel awareness", "parts": [ { - "id": "control-0597-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0627", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-0240", + "title": "Paging and message services", "parts": [ { - "id": "control-0627-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." } ] }, { - "id": "control-0635", - "title": "Separation of data flows", + "id": "control-0866", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0635-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." 
} ] }, { - "id": "control-1521", - "title": "Separation of data flows", + "id": "control-1145", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-1521-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-1522", - "title": "Separation of data flows", + "id": "control-0871", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-1522-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-0670", - "title": "Event logging", + "id": "control-0870", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-1523", - "title": "Event logging", + "id": "control-1084", + "title": "Carrying mobile devices", "parts": [ { - "id": "control-1523-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." 
+ "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." } ] }, { - "id": "control-0610", - "title": "User training", + "id": "control-0701", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0610-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." } ] - } - ] - }, - { - "id": "web_content_filters", - "title": "Web content filters", - "controls": [ + }, { - "id": "control-0963", - "title": "Using web content filters", + "id": "control-0702", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." } ] }, { - "id": "control-0961", - "title": "Using web content filters", + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0961-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." 
} ] }, { - "id": "control-1237", - "title": "Using web content filters", + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1237-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." } ] }, { - "id": "control-0263", - "title": "Transport Layer Security filtering", + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0263-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." 
} ] }, { - "id": "control-0996", - "title": "Inspection of Transport Layer Security traffic", + "id": "control-1299", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0996-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." 
} ] }, { - "id": "control-0958", - "title": "Allowing access to specific websites", + "id": "control-1088", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0958-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." } ] }, { - "id": "control-1170", - "title": "Allowing access to specific websites", + "id": "control-1300", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-1170-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-0959", - "title": "Blocking access to specific websites", + "id": "control-1556", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0959-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." 
+ "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ + { + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", + "controls": [ { - "id": "control-0960", - "title": "Blocking access to specific websites", + "id": "control-0280", + "title": "Evaluated product selection", "parts": [ { - "id": "control-0960-stmt", + "id": "control-0280-stmt", "name": "statement", - "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." } ] }, { - "id": "control-1171", - "title": "Blocking access to specific websites", + "id": "control-0285", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1171-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." 
} ] }, { - "id": "control-1236", - "title": "Blocking access to specific websites", + "id": "control-0286", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1236-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." } ] } ] }, { - "id": "web_proxies", - "title": "Web proxies", + "id": "evaluated_product_usage", + "title": "Evaluated product usage", "controls": [ { - "id": "control-0258", - "title": "Web usage policy", + "id": "control-0289", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0258-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." } ] }, { - "id": "control-0260", - "title": "Using web proxies", + "id": "control-0290", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0260-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." 
} ] }, { - "id": "control-0261", - "title": "Web proxy authentication and logging", + "id": "control-0292", + "title": "Use of high assurance ICT equipment in unevaluated configurations", "parts": [ { - "id": "control-0261-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." + "prose": "High assurance ICT equipment is only operated in an evaluated configuration." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ { - "id": "peripheral_switches", - "title": "Peripheral switches", + "id": "emanation_security", + "title": "Emanation security", "controls": [ { - "id": "control-0591", - "title": "Using peripheral switches", + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0591-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1480", - "title": "Using peripheral switches", + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1480-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1457", - "title": "Using peripheral switches", + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0593", - "title": "Using peripheral switches", + "id": "control-0932", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0593-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." 
+ "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." } ] }, { - "id": "control-0594", - "title": "Peripheral switches for particularly important systems", - "parts": [ - { - "id": "control-0594-stmt", - "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", - "groups": [ - { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", - "controls": [ - { - "id": "control-0280", - "title": "Evaluated product selection", + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0280-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0285", - "title": "Delivery of evaluated products", + "id": "control-0246", + "title": "Early identification of emanation security issues", "parts": [ { - "id": "control-0285-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." 
+ "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." } ] }, { - "id": "control-0286", - "title": "Delivery of evaluated products", + "id": "control-0250", + "title": "Industry and government standards", "parts": [ { - "id": "control-0286-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." } ] } ] }, { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", + "id": "cable_management", + "title": "Cable management", "controls": [ { - "id": "control-0289", - "title": "Installation and configuration of evaluated products", + "id": "control-0181", + "title": "Cable standards", "parts": [ { - "id": "control-0289-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." } ] }, { - "id": "control-0290", - "title": "Installation and configuration of evaluated products", + "id": "control-0926", + "title": "Cable colours", "parts": [ { - "id": "control-0290-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + "prose": "The cable colours in the following table are used (see source document for referenced table)." 
} ] }, { - "id": "control-0292", - "title": "Use of high assurance ICT equipment in unevaluated configurations", + "id": "control-0825", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-0292-stmt", + "id": "control-0825-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." + "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_networking", - "title": "Guidelines for Networking", - "groups": [ - { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", - "controls": [ + }, { - "id": "control-1437", - "title": "Cloud-based hosting of online services", + "id": "control-0826", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-1437-stmt", + "id": "control-0826-stmt", "name": "statement", - "prose": "A cloud service provider is used for hosting online services." + "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." } ] }, { - "id": "control-1578", - "title": "Location policies for online services", + "id": "control-1215", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1578-stmt", + "id": "control-1215-stmt", "name": "statement", - "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." + "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." 
} ] }, { - "id": "control-1579", - "title": "Availability planning and monitoring for online services", + "id": "control-1216", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1579-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." + "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." } ] }, { - "id": "control-1580", - "title": "Availability planning and monitoring for online services", + "id": "control-1112", + "title": "Inspecting cables", "parts": [ { - "id": "control-1580-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1441", - "title": "Availability planning and monitoring for online services", + "id": "control-1118", + "title": "Inspecting cables", "parts": [ { - "id": "control-1441-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1581", - "title": "Availability planning and monitoring for online services", + "id": "control-1119", + "title": "Inspecting cables", "parts": [ { - "id": "control-1581-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "Organisations perform continuous real-time monitoring of the availability of online services." 
+ "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1438", - "title": "Using content delivery networks", + "id": "control-1126", + "title": "Inspecting cables", "parts": [ { - "id": "control-1438-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1439", - "title": "Using content delivery networks", + "id": "control-0184", + "title": "Inspecting cables", "parts": [ { - "id": "control-1439-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." 
} ] }, { - "id": "control-1431", - "title": "Denial of service strategies", + "id": "control-0187", + "title": "Cable groupings", "parts": [ { - "id": "control-1431-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." + "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1458", - "title": "Denial of service strategies", + "id": "control-1111", + "title": "Use of fibre-optic cables", "parts": [ { - "id": "control-1458-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." } ] }, { - "id": "control-1432", - "title": "Domain name registrar locking", + "id": "control-0189", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1432-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." 
} ] }, { - "id": "control-1435", - "title": "Monitoring with real-time alerting for online services", + "id": "control-0190", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1435-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." } ] }, { - "id": "control-1436", - "title": "Segregation of critical online services", + "id": "control-1114", + "title": "Cables sharing a common reticulation system", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." } ] }, { - "id": "control-1518", - "title": "Preparing for service continuity", + "id": "control-1130", + "title": "Enclosed cable reticulation systems", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." 
} ] - } - ] - }, - { - "id": "wireless_networks", - "title": "Wireless networks", - "controls": [ + }, { - "id": "control-1314", - "title": "Choosing wireless access points", + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", "parts": [ { - "id": "control-1314-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-0536", - "title": "Wireless networks for public access", + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-0536-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." } ] }, { - "id": "control-1315", - "title": "Administrative interfaces for wireless access points", + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-1315-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." - } - ] - }, - { - "id": "control-1316", - "title": "Default Service Set Identifiers", - "parts": [ - { - "id": "control-1316-stmt", - "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." 
} ] }, { - "id": "control-1317", - "title": "Default Service Set Identifiers", + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1317-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1318", - "title": "Default Service Set Identifiers", + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1318-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1319", - "title": "Static addressing", + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1319-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." } ] }, { - "id": "control-1320", - "title": "Media Access Control address filtering", + "id": "control-1098", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1320-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." 
+ "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." } ] }, { - "id": "control-1321", - "title": "802.1X authentication", + "id": "control-1100", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1321-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-1322", - "title": "Evaluation of 802.1X authentication implementation", + "id": "control-1116", + "title": "Cabinet separation", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] }, { - "id": "control-1324", - "title": "Generating and issuing certificates for authentication", + "id": "control-1115", + "title": "Cables in walls", "parts": [ { - "id": "control-1324-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." } ] }, { - "id": "control-1323", - "title": "Generating and issuing certificates for authentication", + "id": "control-1133", + "title": "Cables in party walls", "parts": [ { - "id": "control-1323-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "In shared non-government facilities, cables are not run in a party wall." 
} ] }, { - "id": "control-1325", - "title": "Generating and issuing certificates for authentication", + "id": "control-1122", + "title": "Wall penetrations", "parts": [ { - "id": "control-1325-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1326", - "title": "Generating and issuing certificates for authentication", + "id": "control-1134", + "title": "Wall penetrations", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1327", - "title": "Generating and issuing certificates for authentication", + "id": "control-1104", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1327-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." 
} ] }, { - "id": "control-1330", - "title": "Caching 802.1X authentication outcomes", + "id": "control-1105", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1330-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." } ] }, { - "id": "control-1454", - "title": "Remote Authentication Dial-In User Service authentication", + "id": "control-1106", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1106-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." } ] }, { - "id": "control-1332", - "title": "Encryption of wireless network traffic", + "id": "control-1107", + "title": "Wall outlet box colours", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1334", - "title": "Interference between wireless networks", + "id": "control-1109", + "title": "Wall outlet box covers", "parts": [ { - "id": "control-1334-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "Wall outlet box covers are clear plastic." 
} ] }, { - "id": "control-1335", - "title": "Protecting management frames on wireless networks", + "id": "control-0198", + "title": "Audio secure spaces", "parts": [ { - "id": "control-1335-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." } ] }, { - "id": "control-1338", - "title": "Wireless network footprint", + "id": "control-1123", + "title": "Power reticulation", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-1013", - "title": "Wireless network footprint", + "id": "control-1135", + "title": "Power reticulation", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
} ] } ] }, { - "id": "network_design_and_configuration", - "title": "Network design and configuration", + "id": "cable_labelling_and_registration", + "title": "Cable labelling and registration", "controls": [ { - "id": "control-0516", - "title": "Network documentation", + "id": "control-0201", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0516-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." } ] }, { - "id": "control-0518", - "title": "Network documentation", + "id": "control-0202", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0518-stmt", + "id": "control-0202-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." } ] }, { - "id": "control-1178", - "title": "Network documentation", + "id": "control-0203", + "title": "Conduit label specifications", "parts": [ { - "id": "control-1178-stmt", + "id": "control-0203-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." 
} ] }, { - "id": "control-1181", - "title": "Network segmentation and segregation", + "id": "control-0204", + "title": "Installing conduit labelling", "parts": [ { - "id": "control-1181-stmt", + "id": "control-0204-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." } ] }, { - "id": "control-1577", - "title": "Network segmentation and segregation", + "id": "control-1095", + "title": "Labelling wall outlet boxes", "parts": [ { - "id": "control-1577-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "Organisation networks are segregated from service provider networks." + "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." } ] }, { - "id": "control-1532", - "title": "Using Virtual Local Area Networks", + "id": "control-1096", + "title": "Labelling cables", "parts": [ { - "id": "control-1532-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." } ] }, { - "id": "control-0529", - "title": "Using Virtual Local Area Networks", + "id": "control-0206", + "title": "Cable labelling process and procedures", "parts": [ { - "id": "control-0529-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." 
+ "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-1364", - "title": "Using Virtual Local Area Networks", + "id": "control-0208", + "title": "Cable register", "parts": [ { - "id": "control-1364-stmt", + "id": "control-0208-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." } ] }, { - "id": "control-0535", - "title": "Using Virtual Local Area Networks", + "id": "control-0211", + "title": "Cable inspections", "parts": [ { - "id": "control-0535-stmt", + "id": "control-0211-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "Cables are inspected for inconsistencies with the cable register at least annually." } ] - }, + } + ] + }, + { + "id": "cable_patching", + "title": "Cable patching", + "controls": [ { - "id": "control-0530", - "title": "Using Virtual Local Area Networks", + "id": "control-0213", + "title": "Terminations to patch panels", "parts": [ { - "id": "control-0530-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "Only approved cable groups terminate on a patch panel." } ] }, { - "id": "control-0521", - "title": "Using Internet Protocol version 6", + "id": "control-1093", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1093-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." 
+ "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." } ] }, { - "id": "control-1186", - "title": "Using Internet Protocol version 6", + "id": "control-0214", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1186-stmt", + "id": "control-0214-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." } ] }, { - "id": "control-1428", - "title": "Using Internet Protocol version 6", + "id": "control-1094", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1094-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." } ] }, { - "id": "control-1429", - "title": "Using Internet Protocol version 6", + "id": "control-0216", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1429-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." 
} ] }, { - "id": "control-1430", - "title": "Using Internet Protocol version 6", + "id": "control-0217", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1430-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." } ] }, { - "id": "control-0520", - "title": "Network access controls", + "id": "control-0218", + "title": "Fly lead installation", "parts": [ { - "id": "control-0520-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ + { + "id": "control-1452", + "title": "Cyber supply chain risk management", + "parts": [ + { + "id": "control-1452-stmt", + "name": "statement", + "prose": "A review of suppliers and service providers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." } ] }, { - "id": "control-1182", - "title": "Network access controls", + "id": "control-1567", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1182-stmt", + "id": "control-1567-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "High risk suppliers and service providers are not used." } ] }, { - "id": "control-1301", - "title": "Network device register", + "id": "control-1568", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1301-stmt", + "id": "control-1568-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "Outsourced information technology and cloud services are chosen from service providers that have made a commitment to secure practices and have a strong track record of maintaining the security of their systems and services." 
} ] }, { - "id": "control-1304", - "title": "Default accounts for network devices", + "id": "control-1395", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1304-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." } ] }, { - "id": "control-0534", - "title": "Disabling unused physical ports on network devices", + "id": "control-1569", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1569-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "A shared responsibility model is created between service providers and organisations in order to articulate the security responsibilities of each party." } ] }, { - "id": "control-0385", - "title": "Functional separation between servers", + "id": "control-0100", + "title": "Outsourced gateway services", "parts": [ { - "id": "control-0385-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." } ] }, { - "id": "control-1479", - "title": "Functional separation between servers", + "id": "control-1570", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1479-stmt", + "id": "control-1570-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." 
+ "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." } ] }, { - "id": "control-1006", - "title": "Management traffic", + "id": "control-1529", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1006-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + "prose": "Only community or private clouds are used for outsourced cloud services." } ] }, { - "id": "control-1311", - "title": "Use of Simple Network Management Protocol", + "id": "control-0072", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1311-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." } ] }, { - "id": "control-1312", - "title": "Use of Simple Network Management Protocol", + "id": "control-1571", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1312-stmt", + "id": "control-1571-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." } ] }, { - "id": "control-1028", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1451", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." 
+ "prose": "Types of information and its ownership is documented in contractual arrangements." } ] }, { - "id": "control-1030", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1572", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1030-stmt", + "id": "control-1572-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." } ] }, { - "id": "control-1185", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1573", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1185-stmt", + "id": "control-1573-stmt", "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." } ] }, { - "id": "control-1627", - "title": "Blocking anonymity network traffic", + "id": "control-1574", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1627-stmt", + "id": "control-1574-stmt", "name": "statement", - "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." + "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." 
} ] }, { - "id": "control-1628", - "title": "Blocking anonymity network traffic", + "id": "control-1575", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1628-stmt", + "id": "control-1575-stmt", "name": "statement", - "prose": "Outbound network connections to anonymity networks are blocked." + "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." + } + ] + }, + { + "id": "control-1073", + "title": "Access to systems and information by service providers", + "parts": [ + { + "id": "control-1073-stmt", + "name": "statement", + "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." + } + ] + }, + { + "id": "control-1576", + "title": "Access to systems and information by service providers", + "parts": [ + { + "id": "control-1576-stmt", + "name": "statement", + "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." } ] } 
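Review bot: this hunk replaces every control in place (for example `control-1435` "Monitoring with real-time alerting for online services" becomes `control-0190` "Fibre-optic cables sharing a common conduit", and the `wireless_networks` group wrapper is removed while `cable_labelling_and_registration`, `cable_patching` and `guidelines_for_outsourcing` are introduced), so the textual diff is a reordering of the catalog rather than a change to individual statements, and a line-by-line review cannot confirm that no control id or prose was dropped or altered along the way. Please either make the generator emit groups and controls in a stable order, or attach the output of a comparison that sorts both catalogs by control id and diffs the `id`, `title` and `prose` fields, so the review can check content preservation independently of position. Two smaller points in the new content: the `prose` of `control-0208` and `control-0217` carries bullet lists as literal `\n• ` sequences inside the JSON string, whereas OSCAL prose is markdown and a `- ` list would render correctly; and `control-1107` reads "The wall outlet box colours in the following table are used (see source document for referenced table).", a statement that is not self-contained in the catalog and would benefit from a link or reference property pointing at the source table.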
@@ -2138,4392 +2122,4364 @@ ] }, { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", "groups": [ { - "id": "web_application_development", - "title": "Web application development", + "id": "application_hardening", + "title": "Application hardening", "controls": [ { - "id": "control-1239", - "title": "Web application frameworks", + "id": "control-0938", + "title": "Application selection", "parts": [ { - "id": "control-1239-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." } ] }, { - "id": "control-1552", - "title": "Web application interactions", + "id": "control-1467", + "title": "Application versions", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." } ] }, { - "id": "control-1240", - "title": "Web application input handling", + "id": "control-1483", + "title": "Application versions", "parts": [ { - "id": "control-1240-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." 
} ] }, { - "id": "control-1241", - "title": "Web application output encoding", + "id": "control-1412", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1424", - "title": "Web browser-based security controls", + "id": "control-1484", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1424-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "Web browsers are configured to block or disable support for Flash content." } ] }, { - "id": "control-0971", - "title": "Open Web Application Security Project", + "id": "control-1485", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0971-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "Web browsers are configured to block web advertisements." } ] - } - ] - }, - { - "id": "application_development", - "title": "Application development", - "controls": [ + }, { - "id": "control-0400", - "title": "Development environments", + "id": "control-1486", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0400-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "Development, testing and production environments are segregated." + "prose": "Web browsers are configured to block Java from the internet." 
} ] }, { - "id": "control-1419", - "title": "Development environments", + "id": "control-1541", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." + "prose": "Microsoft Office is configured to disable support for Flash content." } ] }, { - "id": "control-1420", - "title": "Development environments", + "id": "control-1542", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1420-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." } ] }, { - "id": "control-1422", - "title": "Development environments", + "id": "control-1470", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1422-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." } ] }, { - "id": "control-1238", - "title": "Secure software design", + "id": "control-1235", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1238-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." 
} ] }, { - "id": "control-0401", - "title": "Secure programming practices", + "id": "control-1601", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0401-stmt", + "id": "control-1601-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." } ] }, { - "id": "control-0402", - "title": "Software testing", + "id": "control-1585", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0402-stmt", + "id": "control-1585-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." } ] }, { - "id": "control-1616", - "title": "Vulnerability disclosure program", + "id": "control-1487", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1616-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." + "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ + }, { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "id": "control-1488", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1488-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "Microsoft Office macros in documents originating from the internet are blocked." } ] }, { - "id": "control-0546", - "title": "Video and voice-aware firewalls", + "id": "control-1489", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0546-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] - }, + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ { - "id": "control-0547", - "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "id": "control-1406", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0547-stmt", + "id": "control-1406-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "SOEs are used for workstations and servers." 
} ] }, { - "id": "control-0548", - "title": "Establishment of secure signalling and data protocols", + "id": "control-1608", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1608-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." } ] }, { - "id": "control-0554", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1588", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1588-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "SOEs are reviewed and updated at least annually." } ] }, { - "id": "control-0553", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1407", + "title": "Operating system versions", "parts": [ { - "id": "control-0553-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." + "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." } ] }, { - "id": "control-0555", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1408", + "title": "Operating system versions", "parts": [ { - "id": "control-0555-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." 
+ "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." } ] }, { - "id": "control-0551", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1409", + "title": "Operating system configuration", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-1014", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-0383", + "title": "Operating system configuration", "parts": [ { - "id": "control-1014-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-0549", - "title": "Traffic separation", + "id": "control-0380", + "title": "Operating system configuration", "parts": [ { - "id": "control-0549-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." 
} ] }, { - "id": "control-0556", - "title": "Traffic separation", + "id": "control-1584", + "title": "Operating system configuration", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1584-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." } ] }, { - "id": "control-1015", - "title": "Internet Protocol phones in public areas", + "id": "control-1491", + "title": "Operating system configuration", "parts": [ { - "id": "control-1015-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe) \n• Microsoft HTML Application Host (mshta.exe)." } ] }, { - "id": "control-0558", - "title": "Internet Protocol phones in public areas", + "id": "control-1410", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." 
} ] }, { - "id": "control-0559", - "title": "Microphones and webcams", + "id": "control-1469", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-1450", - "title": "Microphones and webcams", + "id": "control-1592", + "title": "Application management", "parts": [ { - "id": "control-1450-stmt", + "id": "control-1592-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Users do not have the ability to install unapproved software." } ] }, { - "id": "control-1019", - "title": "Developing a denial of service response plan", + "id": "control-0382", + "title": "Application management", "parts": [ { - "id": "control-1019-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." + "prose": "Users do not have the ability to uninstall or disable approved software." 
} ] - } - ] - }, - { - "id": "telephone_systems", - "title": "Telephone systems", - "controls": [ + }, { - "id": "control-1078", - "title": "Telephone systems usage policy", + "id": "control-0843", + "title": "Application control", "parts": [ { - "id": "control-1078-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." + "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0229", - "title": "Personnel awareness", + "id": "control-1490", + "title": "Application control", "parts": [ { - "id": "control-0229-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0230", - "title": "Personnel awareness", + "id": "control-0955", + "title": "Application control", "parts": [ { - "id": "control-0230-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." 
} ] }, { - "id": "control-0231", - "title": "Visual indication", + "id": "control-1582", + "title": "Application control", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1582-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." } ] }, { - "id": "control-0232", - "title": "Protecting conversations", + "id": "control-1471", + "title": "Application control", "parts": [ { - "id": "control-0232-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-0233", - "title": "Cordless telephone systems", + "id": "control-1392", + "title": "Application control", "parts": [ { - "id": "control-0233-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." 
} ] }, { - "id": "control-0235", - "title": "Speakerphones", + "id": "control-1544", + "title": "Application control", "parts": [ { - "id": "control-0235-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." } ] }, { - "id": "control-0236", - "title": "Off-hook audio protection", + "id": "control-0846", + "title": "Application control", "parts": [ { - "id": "control-0236-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." } ] }, { - "id": "control-0931", - "title": "Off-hook audio protection", + "id": "control-0957", + "title": "Application control", "parts": [ { - "id": "control-0931-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." 
} ] }, { - "id": "control-0237", - "title": "Off-hook audio protection", + "id": "control-1414", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0237-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." } ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ + }, { - "id": "control-0588", - "title": "Fax machine and multifunction device usage policy", + "id": "control-1492", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0588-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "If supported, Microsoft's exploit protection functionality is implemented on workstations and servers." } ] }, { - "id": "control-1092", - "title": "Sending fax messages", + "id": "control-1621", + "title": "PowerShell", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1621-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "PowerShell 2.0 and below is removed from operating systems." 
} ] }, { - "id": "control-0241", - "title": "Sending fax messages", + "id": "control-1622", + "title": "PowerShell", "parts": [ { - "id": "control-0241-stmt", + "id": "control-1622-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." + "prose": "PowerShell is configured to use Constrained Language Mode." } ] }, { - "id": "control-1075", - "title": "Receiving fax messages", + "id": "control-1623", + "title": "PowerShell", "parts": [ { - "id": "control-1075-stmt", + "id": "control-1623-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." } ] }, { - "id": "control-0590", - "title": "Connecting multifunction devices to networks", + "id": "control-1624", + "title": "PowerShell", "parts": [ { - "id": "control-0590-stmt", + "id": "control-1624-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." 
} ] }, { - "id": "control-0245", - "title": "Connecting multifunction devices to both networks and digital telephone systems", + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-0245-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." + "prose": "A HIPS is implemented on workstations." } ] }, { - "id": "control-0589", - "title": "Copying documents on multifunction devices", + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-0589-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." } ] }, { - "id": "control-1036", - "title": "Observing fax machine and multifunction device use", + "id": "control-1416", + "title": "Software firewall", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems", - "title": "Guidelines for Database Systems", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Protecting database server contents", + "id": "control-1417", + "title": "Antivirus software", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." } ] }, { - "id": "control-1269", - "title": "Functional separation between database servers and web servers", + "id": "control-1390", + "title": "Antivirus software", "parts": [ { - "id": "control-1269-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "Antivirus software has reputation rating functionality enabled." } ] }, { - "id": "control-1277", - "title": "Communications between database servers and web servers", + "id": "control-1418", + "title": "Device access control software", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." + "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." 
} ] }, { - "id": "control-1270", - "title": "Network environment", + "id": "control-0345", + "title": "Device access control software", "parts": [ { - "id": "control-1270-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "External interfaces of workstations and servers that allow DMA are disabled." } ] - }, + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ { - "id": "control-1271", - "title": "Network environment", + "id": "control-1546", + "title": "Authenticating to systems", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "Users are authenticated before they are granted access to a system and its resources." } ] }, { - "id": "control-1272", - "title": "Network environment", + "id": "control-0974", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1272-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." + "prose": "Multi-factor authentication is used to authenticate standard users." } ] }, { - "id": "control-1273", - "title": "Separation of production, test and development database servers", + "id": "control-1173", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1273-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." 
+ "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." } ] - } - ] - }, - { - "id": "database_management_system_software", - "title": "Database management system software", - "controls": [ + }, { - "id": "control-1245", - "title": "Temporary installation files and logs", + "id": "control-1384", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1245-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." } ] }, { - "id": "control-1246", - "title": "Hardening and configuration", + "id": "control-1504", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1246-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] }, { - "id": "control-1247", - "title": "Hardening and configuration", + "id": "control-1505", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1247-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." } ] }, { - "id": "control-1249", - "title": "Restricting privileges", + "id": "control-1401", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." 
+ "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." } ] }, { - "id": "control-1250", - "title": "Restricting privileges", + "id": "control-1559", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1250-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] }, { - "id": "control-1251", - "title": "Restricting privileges", + "id": "control-1560", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." } ] }, { - "id": "control-1260", - "title": "Database administrator accounts", + "id": "control-1561", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1260-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." } ] }, { - "id": "control-1262", - "title": "Database administrator accounts", + "id": "control-1357", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1262-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." 
} ] }, { - "id": "control-1261", - "title": "Database administrator accounts", + "id": "control-0417", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1261-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-1263", - "title": "Database administrator accounts", + "id": "control-0421", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1263-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." } ] }, { - "id": "control-1264", - "title": "Database administrator accounts", + "id": "control-1557", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Database register", + "id": "control-0422", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1243-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." 
+ "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." } ] }, { - "id": "control-1256", - "title": "Protecting database contents", + "id": "control-1558", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1256-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." } ] }, { - "id": "control-1252", - "title": "Protecting authentication credentials in databases", + "id": "control-1596", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1252-stmt", + "id": "control-1596-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." } ] }, { - "id": "control-0393", - "title": "Protecting database contents", + "id": "control-1227", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-0393-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." + "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." 
} ] }, { - "id": "control-1255", - "title": "Protecting database contents", + "id": "control-1593", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1255-stmt", + "id": "control-1593-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." } ] }, { - "id": "control-1268", - "title": "Protecting database contents", + "id": "control-1594", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1268-stmt", + "id": "control-1594-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." + "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." } ] }, { - "id": "control-1258", - "title": "Aggregation of database contents", + "id": "control-1595", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1258-stmt", + "id": "control-1595-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." 
} ] }, { - "id": "control-1274", - "title": "Separation of production, test and development databases", + "id": "control-1619", + "title": "Setting and resetting credentials for service accounts", "parts": [ { - "id": "control-1274-stmt", + "id": "control-1619-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "Service accounts are created as group Managed Service Accounts." } ] }, { - "id": "control-1275", - "title": "Web application interaction with databases", + "id": "control-1403", + "title": "Account lockouts", "parts": [ { - "id": "control-1275-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-1276", - "title": "Web application interaction with databases", + "id": "control-0431", + "title": "Account lockouts", "parts": [ { - "id": "control-1276-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." + "prose": "Repeated account lockouts are investigated before reauthorising access." } ] }, { - "id": "control-1278", - "title": "Web application interaction with databases", + "id": "control-0976", + "title": "Account unlocks", "parts": [ { - "id": "control-1278-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email", - "title": "Guidelines for Email", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage policy", + "id": "control-1603", + "title": "Unsecure authentication methods", "parts": [ { - "id": "control-0264-stmt", + "id": "control-1603-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "Authentication methods susceptible to replay attacks are disabled." } ] }, { - "id": "control-0267", - "title": "Webmail services", + "id": "control-1055", + "title": "Unsecure authentication methods", "parts": [ { - "id": "control-0267-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." } ] }, { - "id": "control-0270", - "title": "Protective markings for emails", + "id": "control-1620", + "title": "Unsecure authentication methods", "parts": [ { - "id": "control-0270-stmt", + "id": "control-1620-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Privileged accounts are members of the Protected Users security group." } ] }, { - "id": "control-0271", - "title": "Protective marking tools", + "id": "control-0418", + "title": "Protecting credentials", "parts": [ { - "id": "control-0271-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "Credentials are stored separately from systems to which they grant access." 
} ] }, { - "id": "control-0272", - "title": "Protective marking tools", + "id": "control-1597", + "title": "Protecting credentials", "parts": [ { - "id": "control-0272-stmt", + "id": "control-1597-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Credentials are obscured as they are entered into systems." } ] }, { - "id": "control-1089", - "title": "Protective marking tools", + "id": "control-1402", + "title": "Protecting credentials", "parts": [ { - "id": "control-1089-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." } ] }, { - "id": "control-0565", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1590", + "title": "Protecting credentials", "parts": [ { - "id": "control-0565-stmt", + "id": "control-1590-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." + "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." 
} ] }, { - "id": "control-1023", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-0853", + "title": "Session termination", "parts": [ { - "id": "control-1023-stmt", + "id": "control-0853-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." } ] }, { - "id": "control-0269", - "title": "Email distribution lists", + "id": "control-0428", + "title": "Session and screen locking", "parts": [ { - "id": "control-0269-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." } ] - } - ] - }, - { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", - "controls": [ + }, { - "id": "control-0569", - "title": "Centralised email gateways", + "id": "control-0408", + "title": "Logon banner", "parts": [ { - "id": "control-0569-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." 
+ "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-0571", - "title": "Centralised email gateways", + "id": "control-0979", + "title": "Logon banner", "parts": [ { - "id": "control-0571-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "Legal advice is sought on the exact wording of logon banners." } ] - }, + } + ] + }, + { + "id": "virtualisation_hardening", + "title": "Virtualisation hardening", + "controls": [ { - "id": "control-0570", - "title": "Email gateway maintenance activities", + "id": "control-1460", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0570-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." } ] }, { - "id": "control-0567", - "title": "Open relay email servers", + "id": "control-1604", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0567-stmt", + "id": "control-1604-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." } ] }, { - "id": "control-0572", - "title": "Email server transport encryption", + "id": "control-1605", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0572-stmt", + "id": "control-1605-stmt", "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." } ] }, { - "id": "control-1589", - "title": "Email server transport encryption", + "id": "control-1606", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1589-stmt", + "id": "control-1606-stmt", "name": "statement", - "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-0574", - "title": "Sender Policy Framework", + "id": "control-1607", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0574-stmt", + "id": "control-1607-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1183", - "title": "Sender Policy Framework", + "id": "control-1462", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1183-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." } ] }, { - "id": "control-1151", - "title": "Sender Policy Framework", + "id": "control-1461", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1151-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", + "groups": [ + { + "id": "application_development", + "title": "Application development", + "controls": [ { - "id": "control-1152", - "title": "Sender Policy Framework", + "id": "control-0400", + "title": "Development environments", "parts": [ { - "id": "control-1152-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
+ "prose": "Development, testing and production environments are segregated." } ] }, { - "id": "control-0861", - "title": "DomainKeys Identified Mail", + "id": "control-1419", + "title": "Development environments", "parts": [ { - "id": "control-0861-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-1026", - "title": "DomainKeys Identified Mail", + "id": "control-1420", + "title": "Development environments", "parts": [ { - "id": "control-1026-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." + "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-1027", - "title": "DomainKeys Identified Mail", + "id": "control-1422", + "title": "Development environments", "parts": [ { - "id": "control-1027-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-1540", - "title": "Domain-based Message Authentication, Reporting and Conformance", + "id": "control-1238", + "title": "Secure software design", "parts": [ { - "id": "control-1540-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." 
+ "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, { - "id": "control-1234", - "title": "Email content filtering", + "id": "control-0401", + "title": "Secure programming practices", "parts": [ { - "id": "control-1234-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." } ] }, { - "id": "control-1502", - "title": "Blocking suspicious emails", + "id": "control-0402", + "title": "Software testing", "parts": [ { - "id": "control-1502-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] }, { - "id": "control-1024", - "title": "Undeliverable messages", + "id": "control-1616", + "title": "Vulnerability disclosure program", "parts": [ { - "id": "control-1024-stmt", + "id": "control-1616-stmt", "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." + "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_cryptography", - "title": "Guidelines for Cryptography", - "groups": [ + }, { - "id": "transport_layer_security", - "title": "Transport Layer Security", + "id": "web_application_development", + "title": "Web application development", "controls": [ { - "id": "control-1139", - "title": "Using Transport Layer Security", + "id": "control-1239", + "title": "Web application frameworks", "parts": [ { - "id": "control-1139-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "Only the latest version of TLS is used." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-1369", - "title": "Using Transport Layer Security", + "id": "control-1552", + "title": "Web application interactions", "parts": [ { - "id": "control-1369-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." + "prose": "All web application content is offered exclusively using HTTPS." } ] }, { - "id": "control-1370", - "title": "Using Transport Layer Security", + "id": "control-1240", + "title": "Web application input handling", "parts": [ { - "id": "control-1370-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-1372", - "title": "Using Transport Layer Security", + "id": "control-1241", + "title": "Web application output encoding", "parts": [ { - "id": "control-1372-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "Output encoding is performed on all output produced by a web application." 
} ] }, { - "id": "control-1448", - "title": "Using Transport Layer Security", + "id": "control-1424", + "title": "Web browser-based security controls", "parts": [ { - "id": "control-1448-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-1373", - "title": "Using Transport Layer Security", + "id": "control-0971", + "title": "Open Web Application Security Project", "parts": [ { - "id": "control-1373-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "Anonymous DH is not used." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ + { + "id": "control-0123", + "title": "Reporting cyber security incidents", + "parts": [ + { + "id": "control-0123-stmt", + "name": "statement", + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1374", - "title": "Using Transport Layer Security", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1374-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." 
} ] }, { - "id": "control-1375", - "title": "Using Transport Layer Security", + "id": "control-1433", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1375-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." } ] }, { - "id": "control-1553", - "title": "Using Transport Layer Security", + "id": "control-1434", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1553-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "TLS compression is disabled." + "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." } ] }, { - "id": "control-1453", - "title": "Perfect Forward Secrecy", + "id": "control-0140", + "title": "Reporting cyber security incidents to the ACSC", "parts": [ { - "id": "control-1453-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "Cyber security incidents are reported to the ACSC." } ] } ] }, { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", "controls": [ { - "id": "control-0471", - "title": "Using ASD Approved Cryptographic Algorithms", - "parts": [ + "id": "control-0125", + "title": "Cyber security incident register", + "parts": [ { - "id": "control-0471-stmt", + "id": "control-0125-stmt", "name": "statement", - "prose": "Only AACAs are used by cryptographic equipment and software." 
+ "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." } ] }, { - "id": "control-0994", - "title": "Approved asymmetric/public key algorithms", + "id": "control-0133", + "title": "Handling and containing data spills", "parts": [ { - "id": "control-0994-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." } ] }, { - "id": "control-0472", - "title": "Using Diffie-Hellman", + "id": "control-0917", + "title": "Handling and containing malicious code infections", "parts": [ { - "id": "control-0472-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." 
} ] }, { - "id": "control-0473", - "title": "Using the Digital Signature Algorithm", + "id": "control-0137", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-0473-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-1446", - "title": "Using Elliptic Curve Cryptography", + "id": "control-1609", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-1446-stmt", + "id": "control-1609-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-0474", - "title": "Using Elliptic Curve Diffie-Hellman", + "id": "control-1213", + "title": "Post-incident analysis", "parts": [ { - "id": "control-0474-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." 
} ] }, { - "id": "control-0475", - "title": "Using the Elliptic Curve Digital Signature Algorithm", + "id": "control-0138", + "title": "Integrity of evidence", "parts": [ { - "id": "control-0475-stmt", + "id": "control-0138-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." } ] - }, + } + ] + }, + { + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", + "controls": [ { - "id": "control-0476", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0576", + "title": "Intrusion detection and prevention policy", "parts": [ { - "id": "control-0476-stmt", + "id": "control-0576-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "An intrusion detection and prevention policy is developed and implemented." } ] }, { - "id": "control-0477", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-1625", + "title": "Trusted insider program", "parts": [ { - "id": "control-0477-stmt", + "id": "control-1625-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "A trusted insider program is developed and implemented." 
} ] }, { - "id": "control-1054", - "title": "Approved hashing algorithms", + "id": "control-1626", + "title": "Trusted insider program", "parts": [ { - "id": "control-1054-stmt", + "id": "control-1626-stmt", "name": "statement", - "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." + "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." } ] }, { - "id": "control-0479", - "title": "Approved symmetric encryption algorithms", + "id": "control-0120", + "title": "Access to sufficient data sources and tools", "parts": [ { - "id": "control-0479-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_networking", + "title": "Guidelines for Networking", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ { - "id": "control-0480", - "title": "Using the Triple Data Encryption Standard", + "id": "control-1437", + "title": "Cloud-based hosting of online services", "parts": [ { - "id": "control-0480-stmt", + "id": "control-1437-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "A cloud service provider is used for hosting online services." } ] }, { - "id": "control-1232", - "title": "Protecting highly classified information", + "id": "control-1578", + "title": "Location policies for online services", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1578-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." 
+ "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." } ] }, { - "id": "control-1468", - "title": "Protecting highly classified information", + "id": "control-1579", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1468-stmt", + "id": "control-1579-stmt", "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." + "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." } ] - } - ] - }, - { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", - "controls": [ + }, { - "id": "control-0501", - "title": "Commercial grade cryptographic equipment", + "id": "control-1580", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0501-stmt", + "id": "control-1580-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." } ] }, { - "id": "control-0142", - "title": "Commercial grade cryptographic equipment", + "id": "control-1441", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." 
} ] }, { - "id": "control-1091", - "title": "Commercial grade cryptographic equipment", + "id": "control-1581", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1091-stmt", + "id": "control-1581-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "Organisations perform continuous real-time monitoring of the availability of online services." } ] }, { - "id": "control-0499", - "title": "High Assurance Cryptographic Equipment", + "id": "control-1438", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0499-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." } ] }, { - "id": "control-0505", - "title": "Storing cryptographic equipment", + "id": "control-1439", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0505-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." 
} ] }, { - "id": "control-0506", - "title": "Storing cryptographic equipment", + "id": "control-1431", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0506-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." } ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Configuring Secure Shell", + "id": "control-1458", + "title": "Denial of service strategies", "parts": [ { - "id": "control-1506-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." } ] }, { - "id": "control-0484", - "title": "Configuring Secure Shell", + "id": "control-1432", + "title": "Domain name registrar locking", "parts": [ { - "id": "control-0484-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." 
+ "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." } ] }, { - "id": "control-0485", - "title": "Authentication mechanisms", + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", "parts": [ { - "id": "control-0485-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] }, { - "id": "control-1449", - "title": "Authentication mechanisms", + "id": "control-1436", + "title": "Segregation of critical online services", "parts": [ { - "id": "control-1449-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." } ] }, { - "id": "control-0487", - "title": "Automated remote access", + "id": "control-1518", + "title": "Preparing for service continuity", "parts": [ { - "id": "control-0487-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." 
} ] - }, + } + ] + }, + { + "id": "wireless_networks", + "title": "Wireless networks", + "controls": [ { - "id": "control-0488", - "title": "Automated remote access", + "id": "control-1314", + "title": "Choosing wireless access points", "parts": [ { - "id": "control-0488-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-0489", - "title": "SSH-agent", - "parts": [ + "id": "control-0536", + "title": "Wireless networks for public access", + "parts": [ { - "id": "control-0489-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", - "controls": [ + }, { - "id": "control-0481", - "title": "Using ASD Approved Cryptographic Protocols", + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", "parts": [ { - "id": "control-0481-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "Only AACPs are used by cryptographic equipment and software." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." 
} ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Using Secure/Multipurpose Internet Mail Extension", + "id": "control-1316", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0490-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "The default SSID of wireless access points is changed." } ] - } - ] - }, - { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", - "controls": [ + }, { - "id": "control-1161", - "title": "Reducing physical storage and handling requirements", + "id": "control-1317", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1161-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." } ] }, { - "id": "control-0457", - "title": "Reducing physical storage and handling requirements", + "id": "control-1318", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0457-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." + "prose": "SSID broadcasting is enabled on wireless networks." 
} ] }, { - "id": "control-0460", - "title": "Reducing physical storage and handling requirements", + "id": "control-1319", + "title": "Static addressing", "parts": [ { - "id": "control-0460-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." } ] }, { - "id": "control-0459", - "title": "Encrypting information at rest", + "id": "control-1320", + "title": "Media Access Control address filtering", "parts": [ { - "id": "control-0459-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." } ] }, { - "id": "control-0461", - "title": "Encrypting information at rest", + "id": "control-1321", + "title": "802.1X authentication", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] }, { - "id": "control-1080", - "title": "Encrypting particularly important information at rest", + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", "parts": [ { - "id": "control-1080-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." 
+ "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." } ] }, { - "id": "control-0455", - "title": "Data recovery", + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0455-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." } ] }, { - "id": "control-0462", - "title": "Handling encrypted ICT equipment and media", + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0462-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "Both device and user certificates are required for accessing wireless networks." } ] }, { - "id": "control-1162", - "title": "Encrypting information in transit", + "id": "control-1325", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1162-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." 
} ] }, { - "id": "control-0465", - "title": "Encrypting information in transit", + "id": "control-1326", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0465-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." } ] }, { - "id": "control-0467", - "title": "Encrypting information in transit", + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0467-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." } ] }, { - "id": "control-0469", - "title": "Encrypting particularly important information in transit", + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", "parts": [ { - "id": "control-0469-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." 
} ] - } - ] - }, - { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", - "controls": [ + }, { - "id": "control-0494", - "title": "Mode of operation", + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", "parts": [ { - "id": "control-0494-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] }, { - "id": "control-0496", - "title": "Protocol selection", + "id": "control-1332", + "title": "Encryption of wireless network traffic", "parts": [ { - "id": "control-0496-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." } ] }, { - "id": "control-1233", - "title": "Key exchange", + "id": "control-1334", + "title": "Interference between wireless networks", "parts": [ { - "id": "control-1233-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." } ] }, { - "id": "control-0497", - "title": "Internet Security Association Key Management Protocol modes", + "id": "control-1335", + "title": "Protecting management frames on wireless networks", "parts": [ { - "id": "control-0497-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." 
} ] }, { - "id": "control-0498", - "title": "Security association lifetimes", + "id": "control-1338", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0498-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." } ] }, { - "id": "control-0998", - "title": "Hashed Message Authentication Code algorithms", + "id": "control-1013", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0998-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." } ] - }, + } + ] + }, + { + "id": "network_design_and_configuration", + "title": "Network design and configuration", + "controls": [ { - "id": "control-0999", - "title": "Diffie-Hellman groups", + "id": "control-0516", + "title": "Network documentation", "parts": [ { - "id": "control-0999-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." 
} ] }, { - "id": "control-1000", - "title": "Perfect Forward Secrecy", + "id": "control-0518", + "title": "Network documentation", "parts": [ { - "id": "control-1000-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1001", - "title": "Internet Key Exchange Extended Authentication", + "id": "control-1178", + "title": "Network documentation", "parts": [ { - "id": "control-1001-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ - { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ + }, { - "id": "control-0041", - "title": "System security plan", + "id": "control-1181", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0041-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." 
} ] }, { - "id": "control-0043", - "title": "Incident response plan", - "parts": [ + "id": "control-1577", + "title": "Network segmentation and segregation", + "parts": [ { - "id": "control-0043-stmt", + "id": "control-1577-stmt", "name": "statement", - "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." + "prose": "Organisation networks are segregated from service provider networks." } ] }, { - "id": "control-1163", - "title": "Continuous monitoring plan", + "id": "control-1532", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1163-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." 
+ "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1563", - "title": "Security assessment report", + "id": "control-0529", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1563-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." } ] }, { - "id": "control-1564", - "title": "Plan of action and milestones", + "id": "control-1364", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1564-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." + "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." } ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ + }, { - "id": "control-0039", - "title": "Cyber security strategy", + "id": "control-0535", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0039-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." 
+ "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-0047", - "title": "Approval of security documentation", + "id": "control-0530", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0047-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "Network devices implementing VLANs are managed from the most trusted network." } ] }, { - "id": "control-0888", - "title": "Maintenance of security documentation", + "id": "control-0521", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0888-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-1602", - "title": "Communication of security documentation", + "id": "control-1186", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1602-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." + "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", - "controls": [ + }, { - "id": "control-0252", - "title": "Providing cyber security awareness training", + "id": "control-1428", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0252-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-1565", - "title": "Providing cyber security awareness training", + "id": "control-1429", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1565-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Tailored privileged user training is undertaken annually by all privileged users." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." } ] }, { - "id": "control-0817", - "title": "Reporting suspicious contact via online services", + "id": "control-1430", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0817-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." 
+ "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." } ] }, { - "id": "control-0820", - "title": "Posting work information to online services", + "id": "control-0520", + "title": "Network access controls", "parts": [ { - "id": "control-0820-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] }, { - "id": "control-1146", - "title": "Posting work information to online services", + "id": "control-1182", + "title": "Network access controls", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] }, { - "id": "control-0821", - "title": "Posting personal information to online services", + "id": "control-1301", + "title": "Network device register", "parts": [ { - "id": "control-0821-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + "prose": "A network device register is maintained and regularly audited." 
} ] }, { - "id": "control-0824", - "title": "Sending and receiving files via online services", + "id": "control-1304", + "title": "Default accounts for network devices", "parts": [ { - "id": "control-0824-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." } ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "System access requirements", + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", "parts": [ { - "id": "control-0432-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." + "prose": "Unused physical ports on network devices are disabled." } ] }, { - "id": "control-0434", - "title": "System access requirements", + "id": "control-0385", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0434-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-0435", - "title": "System access requirements", + "id": "control-1479", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0435-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." 
+ "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-0414", - "title": "User identification", + "id": "control-1006", + "title": "Management traffic", "parts": [ { - "id": "control-0414-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." } ] }, { - "id": "control-0415", - "title": "User identification", + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-0415-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "SNMP version 1 and 2 are not used on networks." } ] }, { - "id": "control-1583", - "title": "User identification", + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1583-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "Personnel who are contractors are identified as such." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." } ] }, { - "id": "control-0975", - "title": "User identification", + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0975-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." 
} ] }, { - "id": "control-0420", - "title": "User identification", + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0420-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." } ] }, { - "id": "control-0405", - "title": "Standard access to systems", + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0405-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] }, { - "id": "control-1503", - "title": "Standard access to systems", + "id": "control-1627", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-1503-stmt", + "id": "control-1627-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." 
} ] }, { - "id": "control-1566", - "title": "Standard access to systems", + "id": "control-1628", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-1566-stmt", + "id": "control-1628-stmt", "name": "statement", - "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." + "prose": "Outbound network connections to anonymity networks are blocked." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ + { + "id": "system_owners", + "title": "System owners", + "controls": [ { - "id": "control-0409", - "title": "Standard access to systems by foreign nationals", + "id": "control-1071", + "title": "System ownership", "parts": [ { - "id": "control-0409-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "Each system has a designated system owner." } ] }, { - "id": "control-0411", - "title": "Standard access to systems by foreign nationals", + "id": "control-1525", + "title": "Gaining authorisation to operate systems", "parts": [ { - "id": "control-0411-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "System owners register each system with the system’s authorising officer." 
} ] }, { - "id": "control-1507", - "title": "Privileged access to systems", + "id": "control-0027", + "title": "Gaining authorisation to operate systems", "parts": [ { - "id": "control-1507-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." } ] }, { - "id": "control-1508", - "title": "Privileged access to systems", + "id": "control-1526", + "title": "Monitoring cyber threats, security risks and security controls", "parts": [ { - "id": "control-1508-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "System owners monitor security risks and the effectiveness of security controls for each system." } ] }, { - "id": "control-0445", - "title": "Privileged access to systems", + "id": "control-1587", + "title": "Annual reporting of system security status", "parts": [ { - "id": "control-0445-stmt", + "id": "control-1587-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "System owners report the security status of each system to its authorising officer at least annually." 
} ] - }, + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ { - "id": "control-1509", - "title": "Privileged access to systems", + "id": "control-0714", + "title": "Providing cyber security leadership and guidance", "parts": [ { - "id": "control-1509-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." } ] }, { - "id": "control-1175", - "title": "Privileged access to systems", + "id": "control-1478", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1175-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." } ] }, { - "id": "control-0448", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1617", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-0448-stmt", + "id": "control-1617-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." + "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." 
} ] }, { - "id": "control-0446", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0724", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-0446-stmt", + "id": "control-0724-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." + "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." } ] }, { - "id": "control-0447", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0725", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-0447-stmt", + "id": "control-0725-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." } ] }, { - "id": "control-0430", - "title": "Suspension of access to systems", + "id": "control-0726", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-0430-stmt", + "id": "control-0726-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "The CISO coordinates security risk management activities between cyber security and business teams." 
} ] }, { - "id": "control-1591", - "title": "Suspension of access to systems", + "id": "control-0718", + "title": "Reporting on cyber security", "parts": [ { - "id": "control-1591-stmt", + "id": "control-0718-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." + "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." } ] }, { - "id": "control-1404", - "title": "Suspension of access to systems", + "id": "control-0733", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-1404-stmt", + "id": "control-0733-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "The CISO is fully aware of all cyber security incidents within their organisation." } ] }, { - "id": "control-0407", - "title": "Recording authorisation for personnel to access systems", + "id": "control-1618", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-0407-stmt", + "id": "control-1618-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." + "prose": "The CISO oversees their organisation’s response to cyber security incidents." 
} ] }, { - "id": "control-0441", - "title": "Temporary access to systems", + "id": "control-0734", + "title": "Contributing to business continuity and disaster recovery planning", "parts": [ { - "id": "control-0441-stmt", + "id": "control-0734-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." } ] }, { - "id": "control-0443", - "title": "Temporary access to systems", + "id": "control-0720", + "title": "Developing a cyber security communications strategy", "parts": [ { - "id": "control-0443-stmt", + "id": "control-0720-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." } ] }, { - "id": "control-1610", - "title": "Emergency access to systems", + "id": "control-0731", + "title": "Working with suppliers and service providers", "parts": [ { - "id": "control-1610-stmt", + "id": "control-0731-stmt", "name": "statement", - "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." 
} ] }, { - "id": "control-1611", - "title": "Emergency access to systems", + "id": "control-0732", + "title": "Receiving and managing a dedicated cyber security budget", "parts": [ { - "id": "control-1611-stmt", + "id": "control-0732-stmt", "name": "statement", - "prose": "Break glass accounts are only used when normal authentication processes cannot be used." + "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." } ] }, { - "id": "control-1612", - "title": "Emergency access to systems", + "id": "control-0717", + "title": "Overseeing cyber security personnel", "parts": [ { - "id": "control-1612-stmt", + "id": "control-0717-stmt", "name": "statement", - "prose": "Break glass accounts are only used for specific authorised activities." + "prose": "The CISO oversees the management of cyber security personnel within their organisation." } ] }, { - "id": "control-1613", - "title": "Emergency access to systems", + "id": "control-0735", + "title": "Overseeing cyber security awareness raising", "parts": [ { - "id": "control-1613-stmt", + "id": "control-0735-stmt", "name": "statement", - "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." + "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_data_transfers", + "title": "Guidelines for Data Transfers", + "groups": [ + { + "id": "data_transfers", + "title": "Data transfers", + "controls": [ { - "id": "control-1614", - "title": "Emergency access to systems", + "id": "control-0663", + "title": "Data transfer process and procedures", "parts": [ { - "id": "control-1614-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." 
+ "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-1615", - "title": "Emergency access to systems", + "id": "control-0661", + "title": "User responsibilities", "parts": [ { - "id": "control-1615-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "Break glass accounts are tested after credentials are changed." + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." } ] }, { - "id": "control-0078", - "title": "Control of Australian systems", + "id": "control-0665", + "title": "Trusted sources", "parts": [ { - "id": "control-0078-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." } ] }, { - "id": "control-0854", - "title": "Control of Australian systems", + "id": "control-0664", + "title": "Data transfer approval", "parts": [ { - "id": "control-0854-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", - "groups": [ - { - "id": "authentication_hardening", - "title": "Authentication hardening", - "controls": [ + }, { - "id": "control-1546", - "title": "Authenticating to systems", + "id": "control-0675", + "title": "Data transfer approval", "parts": [ { - "id": "control-1546-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "A trusted source signs all data authorised for export from a system." } ] }, { - "id": "control-0974", - "title": "Multi-factor authentication", + "id": "control-0657", + "title": "Import of data", "parts": [ { - "id": "control-0974-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "Data imported to a system is scanned for malicious and active content." } ] }, { - "id": "control-1173", - "title": "Multi-factor authentication", + "id": "control-0658", + "title": "Import of data", "parts": [ { - "id": "control-1173-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." } ] }, { - "id": "control-1384", - "title": "Multi-factor authentication", + "id": "control-1187", + "title": "Export of data", "parts": [ { - "id": "control-1384-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." + "prose": "When exporting data, protective marking checks are undertaken." 
} ] }, { - "id": "control-1504", - "title": "Multi-factor authentication", + "id": "control-0669", + "title": "Export of data", "parts": [ { - "id": "control-1504-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." } ] }, { - "id": "control-1505", - "title": "Multi-factor authentication", + "id": "control-1535", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1505-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-1401", - "title": "Multi-factor authentication", + "id": "control-0678", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." 
} ] }, { - "id": "control-1559", - "title": "Multi-factor authentication", + "id": "control-1586", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1559-stmt", + "id": "control-1586-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "Data transfer logs are used to record all data imports and exports from systems." } ] }, { - "id": "control-1560", - "title": "Multi-factor authentication", + "id": "control-1294", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1560-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "Data transfer logs are partially audited at least monthly." } ] }, { - "id": "control-1561", - "title": "Multi-factor authentication", + "id": "control-0660", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1561-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "Data transfer logs are fully audited at least monthly." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_ict_equipment", + "title": "Guidelines for ICT Equipment", + "groups": [ + { + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", + "controls": [ { - "id": "control-1357", - "title": "Multi-factor authentication", + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1357-stmt", + "id": "control-0313-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." 
+ "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0417", - "title": "Single-factor authentication", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0417-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-0421", - "title": "Single-factor authentication", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0421-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." } ] }, { - "id": "control-1557", - "title": "Single-factor authentication", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1557-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." 
} ] }, { - "id": "control-0422", - "title": "Single-factor authentication", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0422-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1558", - "title": "Single-factor authentication", + "id": "control-0315", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-1596", - "title": "Single-factor authentication", + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1596-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." 
} ] }, { - "id": "control-1227", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1227-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." } ] }, { - "id": "control-1593", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1593-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." } ] }, { - "id": "control-1594", - "title": "Setting and resetting credentials for user accounts", + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1594-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." 
} ] }, { - "id": "control-1595", - "title": "Setting and resetting credentials for user accounts", + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1595-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." } ] }, { - "id": "control-1619", - "title": "Setting and resetting credentials for service accounts", + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1619-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Service accounts are created as group Managed Service Accounts." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-1403", - "title": "Account lockouts", + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1403-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." } ] }, { - "id": "control-0431", - "title": "Account lockouts", + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0431-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." 
} ] }, { - "id": "control-0976", - "title": "Account unlocks", + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0976-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-1603", - "title": "Unsecure authentication methods", + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-1603-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "Authentication methods susceptible to replay attacks are disabled." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." } ] }, { - "id": "control-1055", - "title": "Unsecure authentication methods", + "id": "control-1223", + "title": "Sanitising network devices", "parts": [ { - "id": "control-1055-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." } ] }, { - "id": "control-1620", - "title": "Unsecure authentication methods", + "id": "control-1225", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1620-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "Privileged accounts are members of the Protected Users security group." 
+ "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-0418", - "title": "Protecting credentials", + "id": "control-1226", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-0418-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-1597", - "title": "Protecting credentials", + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", "parts": [ { - "id": "control-1597-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "Credentials are obscured as they are entered into systems." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." } ] }, { - "id": "control-1402", - "title": "Protecting credentials", + "id": "control-0305", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-1402-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." 
} ] }, { - "id": "control-1590", - "title": "Protecting credentials", + "id": "control-0307", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-1590-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-0853", - "title": "Session termination", + "id": "control-0306", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0853-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." 
} ] }, { - "id": "control-0428", - "title": "Session and screen locking", - "parts": [ + "id": "control-0310", + "title": "Off-site maintenance and repairs", + "parts": [ { - "id": "control-0428-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] }, { - "id": "control-0408", - "title": "Logon banner", + "id": "control-0944", + "title": "Maintenance and repair of ICT equipment from secured spaces", "parts": [ { - "id": "control-0408-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." } ] }, { - "id": "control-0979", - "title": "Logon banner", + "id": "control-1598", + "title": "Inspection of ICT equipment following maintenance and repairs", "parts": [ { - "id": "control-0979-stmt", + "id": "control-1598-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." 
+ "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." } ] } ] }, { - "id": "operating_system_hardening", - "title": "Operating system hardening", + "id": "ict_equipment_usage", + "title": "ICT equipment usage", "controls": [ { - "id": "control-1406", - "title": "Standard Operating Environments", + "id": "control-1551", + "title": "ICT equipment management policy", "parts": [ { - "id": "control-1406-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "SOEs are used for workstations and servers." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-1608", - "title": "Standard Operating Environments", + "id": "control-0293", + "title": "Classifying ICT equipment", "parts": [ { - "id": "control-1608-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." } ] }, { - "id": "control-1588", - "title": "Standard Operating Environments", + "id": "control-0294", + "title": "Labelling ICT equipment", "parts": [ { - "id": "control-1588-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "SOEs are reviewed and updated at least annually." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
} ] }, { - "id": "control-1407", - "title": "Operating system versions", + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", "parts": [ { - "id": "control-1407-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] }, { - "id": "control-1408", - "title": "Operating system versions", + "id": "control-1599", + "title": "Handling ICT equipment", "parts": [ { - "id": "control-1408-stmt", + "id": "control-1599-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-1409", - "title": "Operating system configuration", + "id": "control-0039", + "title": "Cyber security strategy", "parts": [ { - "id": "control-1409-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-0383", - "title": "Operating system configuration", + "id": "control-0047", + "title": "Approval of security documentation", "parts": [ { - "id": "control-0383-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." 
+ "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." } ] }, { - "id": "control-0380", - "title": "Operating system configuration", + "id": "control-0888", + "title": "Maintenance of security documentation", "parts": [ { - "id": "control-0380-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1584", - "title": "Operating system configuration", + "id": "control-1602", + "title": "Communication of security documentation", "parts": [ { - "id": "control-1584-stmt", + "id": "control-1602-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." + "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." } ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-1491", - "title": "Operating system configuration", + "id": "control-0041", + "title": "System security plan", "parts": [ { - "id": "control-1491-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe) \n• Microsoft HTML Application Host (mshta.exe)." 
+ "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-1410", - "title": "Local administrator accounts", + "id": "control-0043", + "title": "Incident response plan", "parts": [ { - "id": "control-1410-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." 
} ] }, { - "id": "control-1469", - "title": "Local administrator accounts", + "id": "control-1163", + "title": "Continuous monitoring plan", "parts": [ { - "id": "control-1469-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." } ] }, { - "id": "control-1592", - "title": "Application management", + "id": "control-1563", + "title": "Security assessment report", "parts": [ { - "id": "control-1592-stmt", + "id": "control-1563-stmt", "name": "statement", - "prose": "Users do not have the ability to install unapproved software." + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." } ] }, { - "id": "control-0382", - "title": "Application management", + "id": "control-1564", + "title": "Plan of action and milestones", "parts": [ { - "id": "control-0382-stmt", + "id": "control-1564-stmt", "name": "statement", - "prose": "Users do not have the ability to uninstall or disable approved software." 
+ "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media", + "title": "Guidelines for Media", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-0843", - "title": "Application control", + "id": "control-0363", + "title": "Media destruction process and procedures", "parts": [ { - "id": "control-0843-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-1490", - "title": "Application control", + "id": "control-0350", + "title": "Media that cannot be sanitised", "parts": [ { - "id": "control-1490-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." } ] }, { - "id": "control-0955", - "title": "Application control", + "id": "control-1361", + "title": "Media destruction equipment", "parts": [ { - "id": "control-0955-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "SCEC or ASIO approved equipment is used when destroying media." 
} ] }, { - "id": "control-1582", - "title": "Application control", + "id": "control-1160", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1582-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." } ] }, { - "id": "control-1471", - "title": "Application control", + "id": "control-1517", + "title": "Media destruction methods", "parts": [ { - "id": "control-1471-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." + "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." } ] }, { - "id": "control-1392", - "title": "Application control", + "id": "control-0366", + "title": "Media destruction methods", "parts": [ { - "id": "control-1392-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." 
} ] }, { - "id": "control-1544", - "title": "Application control", + "id": "control-0368", + "title": "Treatment of media waste particles", "parts": [ { - "id": "control-1544-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." } ] }, { - "id": "control-0846", - "title": "Application control", + "id": "control-0361", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-0846-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." } ] }, { - "id": "control-0957", - "title": "Application control", + "id": "control-0838", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-0957-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." 
} ] }, { - "id": "control-1414", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-0362", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1414-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." } ] }, { - "id": "control-1492", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-0370", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1492-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "If supported, Microsoft's exploit protection functionality is implemented on workstations and servers." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1621", - "title": "PowerShell", + "id": "control-0371", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1621-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "PowerShell 2.0 and below is removed from operating systems." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." } ] }, { - "id": "control-1622", - "title": "PowerShell", + "id": "control-0372", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1622-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "PowerShell is configured to use Constrained Language Mode." 
+ "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1623", - "title": "PowerShell", + "id": "control-0373", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1623-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." } ] }, { - "id": "control-1624", - "title": "PowerShell", + "id": "control-0840", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1624-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." } ] }, { - "id": "control-1341", - "title": "Host-based Intrusion Prevention System", + "id": "control-0839", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1341-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." 
} ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-1034", - "title": "Host-based Intrusion Prevention System", + "id": "control-0374", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1034-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." } ] }, { - "id": "control-1416", - "title": "Software firewall", + "id": "control-0375", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1416-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1417", - "title": "Antivirus software", + "id": "control-0378", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1417-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." 
+ "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." } ] - }, + } + ] + }, + { + "id": "media_usage", + "title": "Media usage", + "controls": [ { - "id": "control-1390", - "title": "Antivirus software", + "id": "control-1549", + "title": "Media management policy", "parts": [ { - "id": "control-1390-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-1418", - "title": "Device access control software", + "id": "control-1359", + "title": "Removable media usage policy", "parts": [ { - "id": "control-1418-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." + "prose": "A removable media usage policy is developed and implemented." } ] }, { - "id": "control-0345", - "title": "Device access control software", + "id": "control-0323", + "title": "Classifying media storing information", "parts": [ { - "id": "control-0345-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "External interfaces of workstations and servers that allow DMA are disabled." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." 
} ] - } - ] - }, - { - "id": "application_hardening", - "title": "Application hardening", - "controls": [ + }, { - "id": "control-0938", - "title": "Application selection", + "id": "control-0325", + "title": "Classifying media connected to systems", "parts": [ { - "id": "control-0938-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-1467", - "title": "Application versions", + "id": "control-0331", + "title": "Reclassifying media", "parts": [ { - "id": "control-1467-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." } ] }, { - "id": "control-1483", - "title": "Application versions", + "id": "control-0330", + "title": "Reclassifying media", "parts": [ { - "id": "control-1483-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." 
+ "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." } ] }, { - "id": "control-1412", - "title": "Hardening application configurations", + "id": "control-0332", + "title": "Labelling media", "parts": [ { - "id": "control-1412-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-1484", - "title": "Hardening application configurations", + "id": "control-1600", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1484-stmt", + "id": "control-1600-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "Media is sanitised before it is used with systems for the first time." } ] }, { - "id": "control-1485", - "title": "Hardening application configurations", + "id": "control-0337", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." 
} ] }, { - "id": "control-1486", - "title": "Hardening application configurations", + "id": "control-0341", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1486-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." } ] }, { - "id": "control-1541", - "title": "Hardening application configurations", + "id": "control-0342", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1541-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-1542", - "title": "Hardening application configurations", + "id": "control-0343", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1542-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-1470", - "title": "Hardening application configurations", + "id": "control-0831", + "title": "Handling media", "parts": [ { - "id": "control-1470-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
} ] }, { - "id": "control-1235", - "title": "Hardening application configurations", + "id": "control-1059", + "title": "Handling media", "parts": [ { - "id": "control-1235-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1601", - "title": "Hardening application configurations", + "id": "control-0347", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1601-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." } ] }, { - "id": "control-1585", - "title": "Hardening application configurations", + "id": "control-0947", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1585-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." + "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." 
} ] - }, + } + ] + }, + { + "id": "media_sanitisation", + "title": "Media sanitisation", + "controls": [ { - "id": "control-1487", - "title": "Microsoft Office macros", + "id": "control-0348", + "title": "Media sanitisation process and procedures", "parts": [ { - "id": "control-1487-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-1488", - "title": "Microsoft Office macros", + "id": "control-0351", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1488-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1489", - "title": "Microsoft Office macros", + "id": "control-0352", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1489-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." 
} ] - } - ] - }, - { - "id": "virtualisation_hardening", - "title": "Virtualisation hardening", - "controls": [ + }, { - "id": "control-1460", - "title": "Functional separation between computing environments", + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", "parts": [ { - "id": "control-1460-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-1604", - "title": "Functional separation between computing environments", + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1604-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." + "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." 
} ] }, { - "id": "control-1605", - "title": "Functional separation between computing environments", + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1605-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." + "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1606", - "title": "Functional separation between computing environments", + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1606-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." } ] }, { - "id": "control-1607", - "title": "Functional separation between computing environments", + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", "parts": [ { - "id": "control-1607-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." 
+ "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-1462", - "title": "Functional separation between computing environments", + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1461", - "title": "Functional separation between computing environments", + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1461-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." + "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ - { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", - "controls": [ + }, { - "id": "control-0580", - "title": "Event logging policy", + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", "parts": [ { - "id": "control-0580-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-1405", - "title": "Centralised logging facility", + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", "parts": [ { - "id": "control-1405-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0988", - "title": "Centralised logging facility", + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", "parts": [ { - "id": "control-0988-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." 
} ] }, { - "id": "control-0584", - "title": "Events to be logged", + "id": "control-1464", + "title": "Encrypted media sanitisation", "parts": [ { - "id": "control-0584-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cryptography", + "title": "Guidelines for Cryptography", + "groups": [ + { + "id": "secure_shell", + "title": "Secure Shell", + "controls": [ { - "id": "control-0582", - "title": "Events to be logged", + "id": "control-1506", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-0582-stmt", + "id": "control-1506-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." + "prose": "The use of SSH version 1 is disabled." } ] }, { - "id": "control-1536", - "title": "Events to be logged", + "id": "control-0484", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-1536-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." 
+ "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-1537", - "title": "Events to be logged", + "id": "control-0485", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1537-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." + "prose": "Public key-based authentication is used for SSH connections." } ] }, { - "id": "control-0585", - "title": "Events log details", + "id": "control-1449", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-0585-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "SSH private keys are protected with a passphrase or a key encryption key." } ] }, { - "id": "control-0586", - "title": "Event log protection", + "id": "control-0487", + "title": "Automated remote access", "parts": [ { - "id": "control-0586-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." 
+ "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." } ] }, { - "id": "control-0859", - "title": "Event log retention", + "id": "control-0488", + "title": "Automated remote access", "parts": [ { - "id": "control-0859-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." } ] }, { - "id": "control-0991", - "title": "Event log retention", + "id": "control-0489", + "title": "SSH-agent", "parts": [ { - "id": "control-0991-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." 
} ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", + "controls": [ { - "id": "control-0109", - "title": "Event log auditing process and procedures", + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0109-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "Only AACAs are used by cryptographic equipment and software." } ] }, { - "id": "control-1228", - "title": "Event log auditing process and procedures", + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", "parts": [ { - "id": "control-1228-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", - "groups": [ - { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", - "controls": [ + }, { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-0472", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-0123-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." 
} ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-0141-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1433", - "title": "Reporting cyber security incidents", + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", "parts": [ { - "id": "control-1433-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." } ] }, { - "id": "control-1434", - "title": "Reporting cyber security incidents", + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", "parts": [ { - "id": "control-1434-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents to the ACSC", + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", "parts": [ { - "id": "control-0140-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." 
+ "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] - } - ] - }, - { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", - "controls": [ + }, { - "id": "control-0125", - "title": "Cyber security incident register", + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0125-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-0133", - "title": "Handling and containing data spills", + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0133-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." + "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." 
} ] }, { - "id": "control-0917", - "title": "Handling and containing malicious code infections", + "id": "control-1054", + "title": "Approved hashing algorithms", "parts": [ { - "id": "control-0917-stmt", + "id": "control-1054-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." } ] }, { - "id": "control-0137", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", "parts": [ { - "id": "control-0137-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." } ] }, { - "id": "control-1609", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0480", + "title": "Using the Triple Data Encryption Standard", "parts": [ { - "id": "control-1609-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "3DES is used with three distinct keys." 
} ] }, { - "id": "control-1213", - "title": "Post-incident analysis", + "id": "control-1232", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-1213-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + "prose": "AACAs are used in an evaluated implementation." } ] }, { - "id": "control-0138", - "title": "Integrity of evidence", + "id": "control-1468", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0138-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." } ] } ] }, { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", "controls": [ { - "id": "control-0576", - "title": "Intrusion detection and prevention policy", + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-0576-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "Versions of S/MIME earlier than 3.0 are not used." 
} ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-1625", - "title": "Trusted insider program", + "id": "control-1139", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1625-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "A trusted insider program is developed and implemented." + "prose": "Only the latest version of TLS is used." } ] }, { - "id": "control-1626", - "title": "Trusted insider program", + "id": "control-1369", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1626-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-0120", - "title": "Access to sufficient data sources and tools", + "id": "control-1370", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0120-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + "prose": "Only server-initiated secure renegotiation is used." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ - { - "id": "mobile_device_usage", - "title": "Mobile device usage", - "controls": [ + }, { - "id": "control-1082", - "title": "Mobile device usage policy", + "id": "control-1372", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1082-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "DH or ECDH is used for key establishment." 
} ] }, { - "id": "control-1083", - "title": "Personnel awareness", + "id": "control-1448", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1083-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." } ] }, { - "id": "control-0240", - "title": "Paging and message services", + "id": "control-1373", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-0866", - "title": "Using mobile devices in public spaces", + "id": "control-1374", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0866-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "SHA-2-based certificates are used." } ] }, { - "id": "control-1145", - "title": "Using mobile devices in public spaces", + "id": "control-1375", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1145-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." 
} ] }, { - "id": "control-0871", - "title": "Maintaining control of mobile devices", + "id": "control-1553", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0871-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "TLS compression is disabled." } ] }, { - "id": "control-0870", - "title": "Maintaining control of mobile devices", + "id": "control-1453", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-0870-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "PFS is used for TLS connections." } ] - }, + } + ] + }, + { + "id": "cryptographic_system_management", + "title": "Cryptographic system management", + "controls": [ { - "id": "control-1084", - "title": "Carrying mobile devices", + "id": "control-0501", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1084-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." } ] }, { - "id": "control-0701", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-0142", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0701-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." 
+ "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." } ] }, { - "id": "control-0702", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1091", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0702-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "Keying material is changed when compromised or suspected of being compromised." } ] }, { - "id": "control-1298", - "title": "Before travelling overseas with mobile devices", + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", "parts": [ { - "id": "control-1298-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." } ] }, { - "id": "control-1554", - "title": "Before travelling overseas with mobile devices", + "id": "control-0505", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1554-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." 
+ "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." } ] }, { - "id": "control-1555", - "title": "Before travelling overseas with mobile devices", + "id": "control-0506", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1555-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." 
} ] - }, + } + ] + }, + { + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", + "controls": [ { - "id": "control-1299", - "title": "While travelling overseas with mobile devices", + "id": "control-1161", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1299-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." 
} ] }, { - "id": "control-1088", - "title": "While travelling overseas with mobile devices", + "id": "control-0457", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1088-stmt", - "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." - } - ] - }, - { - "id": "control-1300", - "title": "After travelling overseas with mobile devices", - "parts": [ - { - "id": "control-1300-stmt", - "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." - } - ] - }, - { - "id": "control-1556", - "title": "After travelling overseas with mobile devices", - "parts": [ - { - "id": "control-1556-stmt", - "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." 
- } - ] - } - ] - }, - { - "id": "mobile_device_management", - "title": "Mobile device management", - "controls": [ - { - "id": "control-1533", - "title": "Mobile device management policy", - "parts": [ - { - "id": "control-1533-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] }, { - "id": "control-1195", - "title": "Mobile device management policy", + "id": "control-0460", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1195-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." + "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-0687", - "title": "Mobile device management policy", + "id": "control-0459", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0687-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." 
} ] }, { - "id": "control-1400", - "title": "Privately-owned mobile devices", + "id": "control-0461", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-1400-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-0694", - "title": "Privately-owned mobile devices", + "id": "control-1080", + "title": "Encrypting particularly important information at rest", "parts": [ { - "id": "control-0694-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems or information." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." } ] }, { - "id": "control-1297", - "title": "Seeking legal advice for privately-owned mobile devices", + "id": "control-0455", + "title": "Data recovery", "parts": [ { - "id": "control-1297-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." 
} ] }, { - "id": "control-1482", - "title": "Organisation-owned mobile devices", + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", "parts": [ { - "id": "control-1482-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] }, { - "id": "control-0869", - "title": "Mobile device storage encryption", + "id": "control-1162", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-0869-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1085", - "title": "Mobile device communications encryption", + "id": "control-0465", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1085-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." 
+ "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1202", - "title": "Mobile device Bluetooth functionality", + "id": "control-0467", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1202-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0682", - "title": "Mobile device Bluetooth functionality", + "id": "control-0469", + "title": "Encrypting particularly important information in transit", "parts": [ { - "id": "control-0682-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ { - "id": "control-1196", - "title": "Mobile device Bluetooth pairing", + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-1196-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "Only AACPs are used by cryptographic equipment and software." 
} ] - }, + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ { - "id": "control-1200", - "title": "Mobile device Bluetooth pairing", + "id": "control-0494", + "title": "Mode of operation", "parts": [ { - "id": "control-1200-stmt", + "id": "control-0494-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." } ] }, { - "id": "control-1198", - "title": "Mobile device Bluetooth pairing", + "id": "control-0496", + "title": "Protocol selection", "parts": [ { - "id": "control-1198-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "The ESP protocol is used for IPsec connections." } ] }, { - "id": "control-1199", - "title": "Mobile device Bluetooth pairing", + "id": "control-1233", + "title": "Key exchange", "parts": [ { - "id": "control-1199-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-0863", - "title": "Configuration control", + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", "parts": [ { - "id": "control-0863-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." 
} ] }, { - "id": "control-0864", - "title": "Configuration control", + "id": "control-0498", + "title": "Security association lifetimes", "parts": [ { - "id": "control-0864-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." } ] }, { - "id": "control-1365", - "title": "Maintaining mobile device security", + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", "parts": [ { - "id": "control-1365-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-1366", - "title": "Maintaining mobile device security", + "id": "control-0999", + "title": "Diffie-Hellman groups", "parts": [ { - "id": "control-1366-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." } ] }, { - "id": "control-0874", - "title": "Connecting mobile devices to the internet", + "id": "control-1000", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-0874-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "PFS is used for IPsec connections." 
} ] }, { - "id": "control-0705", - "title": "Connecting mobile devices to the internet", + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", "parts": [ { - "id": "control-0705-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." } ] } 
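Review bot: The `-`/`+` pairs in this hunk do not correspond to one another (`- "id": "control-1555"`, a mobile-device travel control, is paired with `+ "id": "control-0506"`, storing cryptographic equipment; the whole `mobile_device_management` group is removed while `cryptographic_fundamentals`, `asd_approved_cryptographic_protocols` and `internet_protocol_security` are inserted), so this is a regenerated catalog rather than an edit and the line diff cannot be reviewed for correctness by eye. Please verify it structurally instead: diff the set of control ids and group ids between the old and new catalog.json and confirm that every removed id here (control-1088, control-1300, control-1556, control-1533, control-1195, control-0687, control-1400, control-0694, control-1297, control-1482, control-0869, control-1085, control-1202, control-0682, control-1196, control-1200, control-1198, control-1199, control-0863, control-0864, control-1365, control-1366, control-0874, control-0705) either reappears elsewhere in the file or was intentionally dropped, and that the regenerated file still parses and validates against the OSCAL catalog schema, since the bracket/brace restructuring at the group boundaries (`+ } + ] + }, + {`) is the kind of change a diff reader cannot check.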
@@ -6532,2032 +6488,2087 @@ ] }, { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", "groups": [ { - "id": "cable_labelling_and_registration", - "title": "Cable labelling and registration", + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", "controls": [ { - "id": "control-0201", - "title": "Conduit label specifications", + "id": "control-0252", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-0201-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." + "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." } ] }, { - "id": "control-0202", - "title": "Conduit label specifications", + "id": "control-1565", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-0202-stmt", + "id": "control-1565-stmt", "name": "statement", - "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." + "prose": "Tailored privileged user training is undertaken annually by all privileged users." 
} ] }, { - "id": "control-0203", - "title": "Conduit label specifications", + "id": "control-0817", + "title": "Reporting suspicious contact via online services", "parts": [ { - "id": "control-0203-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, { - "id": "control-0204", - "title": "Installing conduit labelling", + "id": "control-0820", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0204-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." } ] }, { - "id": "control-1095", - "title": "Labelling wall outlet boxes", + "id": "control-1146", + "title": "Posting work information to online services", "parts": [ { - "id": "control-1095-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." } ] }, { - "id": "control-1096", - "title": "Labelling cables", + "id": "control-0821", + "title": "Posting personal information to online services", "parts": [ { - "id": "control-1096-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." 
+ "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." } ] }, { - "id": "control-0206", - "title": "Cable labelling process and procedures", + "id": "control-0824", + "title": "Sending and receiving files via online services", "parts": [ { - "id": "control-0206-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." } ] - }, + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ { - "id": "control-0208", - "title": "Cable register", + "id": "control-0432", + "title": "System access requirements", "parts": [ { - "id": "control-0208-stmt", + "id": "control-0432-stmt", "name": "statement", - "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." + "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." } ] }, { - "id": "control-0211", - "title": "Cable inspections", + "id": "control-0434", + "title": "System access requirements", "parts": [ { - "id": "control-0211-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "Cables are inspected for inconsistencies with the cable register at least annually." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." 
} ] - } - ] - }, - { - "id": "cable_patching", - "title": "Cable patching", - "controls": [ + }, { - "id": "control-0213", - "title": "Terminations to patch panels", + "id": "control-0435", + "title": "System access requirements", "parts": [ { - "id": "control-0213-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "Only approved cable groups terminate on a patch panel." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] }, { - "id": "control-1093", - "title": "Patch cable and fly lead connectors", + "id": "control-0414", + "title": "User identification", "parts": [ { - "id": "control-1093-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." } ] }, { - "id": "control-0214", - "title": "Patch cable and fly lead connectors", + "id": "control-0415", + "title": "User identification", "parts": [ { - "id": "control-0214-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." 
} ] }, { - "id": "control-1094", - "title": "Patch cable and fly lead connectors", + "id": "control-1583", + "title": "User identification", "parts": [ { - "id": "control-1094-stmt", + "id": "control-1583-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." + "prose": "Personnel who are contractors are identified as such." } ] }, { - "id": "control-0216", - "title": "Physical separation of patch panels", + "id": "control-0975", + "title": "User identification", "parts": [ { - "id": "control-0216-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0217", - "title": "Physical separation of patch panels", + "id": "control-0420", + "title": "User identification", "parts": [ { - "id": "control-0217-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." 
} ] }, { - "id": "control-0218", - "title": "Fly lead installation", + "id": "control-0405", + "title": "Standard access to systems", "parts": [ { - "id": "control-0218-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ + }, { - "id": "control-0247", - "title": "Emanation security threat assessments in Australia", + "id": "control-1503", + "title": "Standard access to systems", "parts": [ { - "id": "control-0247-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-0248", - "title": "Emanation security threat assessments in Australia", + "id": "control-1566", + "title": "Standard access to systems", "parts": [ { - "id": "control-0248-stmt", + "id": "control-1566-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
+ "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-1137", - "title": "Emanation security threat assessments in Australia", + "id": "control-0409", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-1137-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-0932", - "title": "Emanation security threat assessments outside Australia", + "id": "control-0411", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0932-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." 
} ] }, { - "id": "control-0249", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1507", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0249-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-0246", - "title": "Early identification of emanation security issues", + "id": "control-1508", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0246-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-0250", - "title": "Industry and government standards", + "id": "control-0445", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0250-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." 
} ] - } - ] - }, - { - "id": "cable_management", - "title": "Cable management", - "controls": [ + }, { - "id": "control-0181", - "title": "Cable standards", + "id": "control-1509", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0181-stmt", + "id": "control-1509-stmt", "name": "statement", - "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-0926", - "title": "Cable colours", + "id": "control-1175", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0926-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." } ] }, { - "id": "control-0825", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-0448", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0825-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." 
} ] }, { - "id": "control-0826", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0826-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." } ] }, { - "id": "control-1215", - "title": "Cable colour non-conformance", + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1215-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." } ] }, { - "id": "control-1216", - "title": "Cable colour non-conformance", + "id": "control-0430", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1216-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." 
} ] }, { - "id": "control-1112", - "title": "Inspecting cables", + "id": "control-1591", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1112-stmt", + "id": "control-1591-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." } ] }, { - "id": "control-1118", - "title": "Inspecting cables", + "id": "control-1404", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1118-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." } ] }, { - "id": "control-1119", - "title": "Inspecting cables", + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", "parts": [ { - "id": "control-1119-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." + "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." 
} ] }, { - "id": "control-1126", - "title": "Inspecting cables", + "id": "control-0441", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1126-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." } ] }, { - "id": "control-0184", - "title": "Inspecting cables", + "id": "control-0443", + "title": "Temporary access to systems", "parts": [ { - "id": "control-0184-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." } ] }, { - "id": "control-0187", - "title": "Cable groupings", + "id": "control-1610", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0187-stmt", + "id": "control-1610-stmt", "name": "statement", - "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." + "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1111", - "title": "Use of fibre-optic cables", + "id": "control-1611", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1111-stmt", + "id": "control-1611-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." 
+ "prose": "Break glass accounts are only used when normal authentication processes cannot be used." } ] }, { - "id": "control-0189", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-1612", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0189-stmt", + "id": "control-1612-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." + "prose": "Break glass accounts are only used for specific authorised activities." } ] }, { - "id": "control-0190", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-1613", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0190-stmt", + "id": "control-1613-stmt", "name": "statement", - "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." + "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." } ] }, { - "id": "control-1114", - "title": "Cables sharing a common reticulation system", + "id": "control-1614", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1114-stmt", + "id": "control-1614-stmt", "name": "statement", - "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." + "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." } ] }, { - "id": "control-1130", - "title": "Enclosed cable reticulation systems", + "id": "control-1615", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1130-stmt", + "id": "control-1615-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "Break glass accounts are tested after credentials are changed." 
} ] }, { - "id": "control-1164", - "title": "Covers for enclosed cable reticulation systems", + "id": "control-0078", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1164-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." } ] }, { - "id": "control-0195", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-0854", + "title": "Control of Australian systems", "parts": [ { - "id": "control-0195-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." + "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems", + "title": "Guidelines for Database Systems", + "groups": [ + { + "id": "database_servers", + "title": "Database servers", + "controls": [ { - "id": "control-0194", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1425", + "title": "Protecting database server contents", "parts": [ { - "id": "control-0194-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "Hard disks of database servers are encrypted using full disk encryption." 
} ] }, { - "id": "control-1102", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1269", + "title": "Functional separation between database servers and web servers", "parts": [ { - "id": "control-1102-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-1101", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1277", + "title": "Communications between database servers and web servers", "parts": [ { - "id": "control-1101-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." + "prose": "Information communicated between database servers and web applications is encrypted." } ] }, { - "id": "control-1103", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1270", + "title": "Network environment", "parts": [ { - "id": "control-1103-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." 
} ] }, { - "id": "control-1098", - "title": "Terminating cables in cabinets", + "id": "control-1271", + "title": "Network environment", "parts": [ { - "id": "control-1098-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." + "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." } ] }, { - "id": "control-1100", - "title": "Terminating cables in cabinets", + "id": "control-1272", + "title": "Network environment", "parts": [ { - "id": "control-1100-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." } ] }, { - "id": "control-1116", - "title": "Cabinet separation", + "id": "control-1273", + "title": "Separation of production, test and development database servers", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Test and development environments do not use the same database servers as production environments." } ] - }, + } + ] + }, + { + "id": "databases", + "title": "Databases", + "controls": [ { - "id": "control-1115", - "title": "Cables in walls", + "id": "control-1243", + "title": "Database register", "parts": [ { - "id": "control-1115-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." 
+ "prose": "A database register is maintained and regularly audited." } ] }, { - "id": "control-1133", - "title": "Cables in party walls", + "id": "control-1256", + "title": "Protecting database contents", "parts": [ { - "id": "control-1133-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in a party wall." + "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-1122", - "title": "Wall penetrations", + "id": "control-1252", + "title": "Protecting authentication credentials in databases", "parts": [ { - "id": "control-1122-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1134", - "title": "Wall penetrations", + "id": "control-0393", + "title": "Protecting database contents", "parts": [ { - "id": "control-1134-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." 
} ] }, { - "id": "control-1104", - "title": "Wall outlet boxes", + "id": "control-1255", + "title": "Protecting database contents", "parts": [ { - "id": "control-1104-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." } ] }, { - "id": "control-1105", - "title": "Wall outlet boxes", + "id": "control-1268", + "title": "Protecting database contents", "parts": [ { - "id": "control-1105-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." } ] }, { - "id": "control-1106", - "title": "Wall outlet boxes", + "id": "control-1258", + "title": "Aggregation of database contents", "parts": [ { - "id": "control-1106-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." } ] }, { - "id": "control-1107", - "title": "Wall outlet box colours", + "id": "control-1274", + "title": "Separation of production, test and development databases", "parts": [ { - "id": "control-1107-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." 
+ "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." } ] }, { - "id": "control-1109", - "title": "Wall outlet box covers", + "id": "control-1275", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1109-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." } ] }, { - "id": "control-0198", - "title": "Audio secure spaces", + "id": "control-1276", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-0198-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." } ] }, { - "id": "control-1123", - "title": "Power reticulation", + "id": "control-1278", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1123-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." 
} ] - }, + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ { - "id": "control-1135", - "title": "Power reticulation", + "id": "control-1245", + "title": "Temporary installation files and logs", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment", - "title": "Guidelines for ICT Equipment", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1246", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0313-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "DBMS software is configured according to vendor guidance." } ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1247", + "title": "Hardening and configuration", "parts": [ { - "id": "control-1550-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." 
} ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1249", + "title": "Restricting privileges", "parts": [ { - "id": "control-0311-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1250", + "title": "Restricting privileges", "parts": [ { - "id": "control-1217-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." } ] }, { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1251", + "title": "Restricting privileges", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "The ability of DBMS software to read local files from a server is disabled." 
} ] }, { - "id": "control-0315", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1260", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0315-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-1218", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1262", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1218-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-0312", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1261", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "Database administrator accounts are not shared across different databases." 
} ] }, { - "id": "control-0317", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1263", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0317-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-1219", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1264", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateways", + "title": "Guidelines for Gateways", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-1220", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1528", + "title": "Using firewalls", "parts": [ { - "id": "control-1220-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." 
} ] }, { - "id": "control-1221", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0639", + "title": "Using firewalls", "parts": [ { - "id": "control-1221-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] }, { - "id": "control-0318", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1194", + "title": "Using firewalls", "parts": [ { - "id": "control-0318-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." } ] }, { - "id": "control-1534", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0641", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1534-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." 
} ] }, { - "id": "control-1076", - "title": "Sanitising televisions and computer monitors", + "id": "control-0642", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1076-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." } ] - }, + } + ] + }, + { + "id": "diodes", + "title": "Diodes", + "controls": [ { - "id": "control-1222", - "title": "Sanitising televisions and computer monitors", + "id": "control-0643", + "title": "Using diodes", "parts": [ { - "id": "control-1222-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1223", - "title": "Sanitising network devices", + "id": "control-0645", + "title": "Using diodes", "parts": [ { - "id": "control-1223-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." 
} ] }, { - "id": "control-1225", - "title": "Sanitising fax machines", + "id": "control-1157", + "title": "Using diodes", "parts": [ { - "id": "control-1225-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." } ] }, { - "id": "control-1226", - "title": "Sanitising fax machines", + "id": "control-1158", + "title": "Using diodes", "parts": [ { - "id": "control-1226-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." } ] - } - ] - }, - { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", - "controls": [ + }, { - "id": "control-1079", - "title": "Maintenance and repairs of high assurance ICT equipment", + "id": "control-0646", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-1079-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." 
} ] }, { - "id": "control-0305", - "title": "On-site maintenance and repairs", + "id": "control-0647", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0305-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-0307", - "title": "On-site maintenance and repairs", + "id": "control-0648", + "title": "Volume checking", "parts": [ { - "id": "control-0307-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." } ] - }, + } + ] + }, + { + "id": "content_filtering", + "title": "Content filtering", + "controls": [ { - "id": "control-0306", - "title": "On-site maintenance and repairs", + "id": "control-0659", + "title": "Content filtering", "parts": [ { - "id": "control-0306-stmt", + "id": "control-0659-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." 
+ "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." } ] }, { - "id": "control-0310", - "title": "Off-site maintenance and repairs", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-0310-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." } ] }, { - "id": "control-0944", - "title": "Maintenance and repair of ICT equipment from secured spaces", + "id": "control-0651", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0944-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." } ] }, { - "id": "control-1598", - "title": "Inspection of ICT equipment following maintenance and repairs", + "id": "control-0652", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-1598-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." 
} ] - } - ] - }, - { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", - "controls": [ + }, { - "id": "control-1551", - "title": "ICT equipment management policy", + "id": "control-1389", + "title": "Automated dynamic analysis", "parts": [ { - "id": "control-1551-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] }, { - "id": "control-0293", - "title": "Classifying ICT equipment", + "id": "control-1284", + "title": "Content validation", "parts": [ { - "id": "control-0293-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." } ] }, { - "id": "control-0294", - "title": "Labelling ICT equipment", + "id": "control-1286", + "title": "Content conversion and transformation", "parts": [ { - "id": "control-0294-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." 
} ] }, { - "id": "control-0296", - "title": "Labelling high assurance ICT equipment", + "id": "control-1287", + "title": "Content sanitisation", "parts": [ { - "id": "control-0296-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." } ] }, { - "id": "control-1599", - "title": "Handling ICT equipment", + "id": "control-1288", + "title": "Antivirus scanning", "parts": [ { - "id": "control-1599-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0336", - "title": "ICT equipment and media register", + "id": "control-1289", + "title": "Archive and container files", "parts": [ { - "id": "control-0336-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-0159", - "title": "ICT equipment and media register", + "id": "control-1290", + "title": "Archive and container files", "parts": [ { - "id": "control-0159-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." 
+ "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-0161", - "title": "Securing ICT equipment and media", + "id": "control-1291", + "title": "Archive and container files", "parts": [ { - "id": "control-0161-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." } ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Radio Frequency devices", + "id": "control-0649", + "title": "Allowing access to specific content types", "parts": [ { - "id": "control-1543-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-0225", - "title": "Radio Frequency devices", + "id": "control-1292", + "title": "Data integrity", "parts": [ { - "id": "control-0225-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." } ] }, { - "id": "control-0829", - "title": "Radio Frequency devices", + "id": "control-0677", + "title": "Data integrity", "parts": [ { - "id": "control-0829-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "If data is signed, the signature is validated before the data is exported." 
} ] }, { - "id": "control-1058", - "title": "Bluetooth and wireless keyboards", + "id": "control-1293", + "title": "Encrypted data", "parts": [ { - "id": "control-1058-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] - }, + } + ] + }, + { + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", + "controls": [ { - "id": "control-0222", - "title": "Infrared keyboards", + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", "parts": [ { - "id": "control-0222-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-0223", - "title": "Infrared keyboards", + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0223-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." 
} ] }, { - "id": "control-0224", - "title": "Infrared keyboards", + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0224-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0221", - "title": "Wireless RF pointing devices", + "id": "control-0635", + "title": "Separation of data flows", "parts": [ { - "id": "control-0221-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] - } - ] - }, - { - "id": "facilities_and_systems", - "title": "Facilities and systems", - "controls": [ + }, { - "id": "control-0810", - "title": "Facilities containing systems", + "id": "control-1521", + "title": "Separation of data flows", "parts": [ { - "id": "control-0810-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." 
+ "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." } ] }, { - "id": "control-1053", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1522", + "title": "Separation of data flows", "parts": [ { - "id": "control-1053-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." } ] }, { - "id": "control-1530", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0670", + "title": "Event logging", "parts": [ { - "id": "control-1530-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." } ] }, { - "id": "control-0813", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1523", + "title": "Event logging", "parts": [ { - "id": "control-0813-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." 
+ "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." } ] }, { - "id": "control-1074", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0610", + "title": "User training", "parts": [ { - "id": "control-1074-stmt", + "id": "control-0610-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." } ] - }, + } + ] + }, + { + "id": "web_proxies", + "title": "Web proxies", + "controls": [ { - "id": "control-0157", - "title": "Network infrastructure", + "id": "control-0258", + "title": "Web usage policy", "parts": [ { - "id": "control-0157-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." + "prose": "A web usage policy is developed and implemented." } ] }, { - "id": "control-1296", - "title": "Controlling physical access to network devices", + "id": "control-0260", + "title": "Using web proxies", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." 
} ] }, { - "id": "control-0164", - "title": "Preventing observation by unauthorised people", + "id": "control-0261", + "title": "Web proxy authentication and logging", "parts": [ { - "id": "control-0164-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." } ] } ] - } - ] - }, - { - "id": "guidelines_for_data_transfers", - "title": "Guidelines for Data Transfers", - "groups": [ + }, { - "id": "data_transfers", - "title": "Data transfers", + "id": "web_content_filters", + "title": "Web content filters", "controls": [ { - "id": "control-0663", - "title": "Data transfer process and procedures", + "id": "control-0963", + "title": "Using web content filters", "parts": [ { - "id": "control-0663-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + "prose": "A web content filter is used to filter potentially harmful web-based content." } ] }, { - "id": "control-0661", - "title": "User responsibilities", + "id": "control-0961", + "title": "Using web content filters", "parts": [ { - "id": "control-0661-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." 
} ] }, { - "id": "control-0665", - "title": "Trusted sources", + "id": "control-1237", + "title": "Using web content filters", "parts": [ { - "id": "control-0665-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] }, { - "id": "control-0664", - "title": "Data transfer approval", + "id": "control-0263", + "title": "Transport Layer Security filtering", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." } ] }, { - "id": "control-0675", - "title": "Data transfer approval", + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", "parts": [ { - "id": "control-0675-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "A trusted source signs all data authorised for export from a system." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] }, { - "id": "control-0657", - "title": "Import of data", + "id": "control-0958", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0657-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." 
+ "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-0658", - "title": "Import of data", + "id": "control-1170", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0658-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." + "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." } ] }, { - "id": "control-1187", - "title": "Export of data", + "id": "control-0959", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1187-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." } ] }, { - "id": "control-0669", - "title": "Export of data", + "id": "control-0960", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0669-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." 
} ] }, { - "id": "control-1535", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-1171", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-1535-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0678", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-1236", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0678-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + } + ] + } + ] + }, + { + "id": "peripheral_switches", + "title": "Peripheral switches", + "controls": [ + { + "id": "control-0591", + "title": "Using peripheral switches", + "parts": [ + { + "id": "control-0591-stmt", + "name": "statement", + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-1586", - "title": "Monitoring data import and export", + "id": "control-1480", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1586-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "Data transfer logs are used to record all data imports and exports from systems." 
+ "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-1294", - "title": "Monitoring data import and export", + "id": "control-1457", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1294-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "Data transfer logs are partially audited at least monthly." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." } ] }, { - "id": "control-0660", - "title": "Monitoring data import and export", + "id": "control-0593", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0660-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "Data transfer logs are fully audited at least monthly." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." + } + ] + }, + { + "id": "control-0594", + "title": "Peripheral switches for particularly important systems", + "parts": [ + { + "id": "control-0594-stmt", + "name": "statement", + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_media", - "title": "Guidelines for Media", - "groups": [ + }, { - "id": "media_destruction", - "title": "Media destruction", + "id": "gateways", + "title": "Gateways", "controls": [ { - "id": "control-0363", - "title": "Media destruction process and procedures", + "id": "control-0628", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0363-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." + "prose": "All systems are protected from systems in other security domains by one or more gateways." + } + ] + }, + { + "id": "control-1192", + "title": "Gateway architecture and configuration", + "parts": [ + { + "id": "control-1192-stmt", + "name": "statement", + "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + } + ] + }, + { + "id": "control-0631", + "title": "Gateway architecture and configuration", + "parts": [ + { + "id": "control-0631-stmt", + "name": "statement", + "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." 
} ] }, { - "id": "control-0350", - "title": "Media that cannot be sanitised", + "id": "control-1427", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0350-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." } ] }, { - "id": "control-1361", - "title": "Media destruction equipment", + "id": "control-0634", + "title": "Gateway operation", "parts": [ { - "id": "control-1361-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." + "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." } ] }, { - "id": "control-1160", - "title": "Media destruction equipment", + "id": "control-0637", + "title": "Demilitarised zones", "parts": [ { - "id": "control-1160-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." 
} ] }, { - "id": "control-1517", - "title": "Media destruction methods", + "id": "control-1037", + "title": "Gateway testing", "parts": [ { - "id": "control-1517-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-0366", - "title": "Media destruction methods", + "id": "control-0611", + "title": "Gateway administration", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." } ] }, { - "id": "control-0368", - "title": "Treatment of media waste particles", + "id": "control-0612", + "title": "Gateway administration", "parts": [ { - "id": "control-0368-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "System administrators are formally trained to manage gateways." 
} ] }, { - "id": "control-0361", - "title": "Degaussing magnetic media", + "id": "control-1520", + "title": "Gateway administration", "parts": [ { - "id": "control-0361-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." } ] }, { - "id": "control-0838", - "title": "Degaussing magnetic media", + "id": "control-0613", + "title": "Gateway administration", "parts": [ { - "id": "control-0838-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." } ] }, { - "id": "control-0362", - "title": "Degaussing magnetic media", + "id": "control-0616", + "title": "Gateway administration", "parts": [ { - "id": "control-0362-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "Roles for the administration of gateways are separated." } ] }, { - "id": "control-0370", - "title": "Supervision of destruction", + "id": "control-0629", + "title": "Gateway administration", "parts": [ { - "id": "control-0370-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." 
+ "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-0371", - "title": "Supervision of destruction", + "id": "control-0607", + "title": "Shared ownership of gateways", "parts": [ { - "id": "control-0371-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." } ] }, { - "id": "control-0372", - "title": "Supervision of accountable material destruction", + "id": "control-0619", + "title": "Gateway authentication", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." + "prose": "Users and services accessing networks through gateways are authenticated." } ] }, { - "id": "control-0373", - "title": "Supervision of accountable material destruction", + "id": "control-0620", + "title": "Gateway authentication", "parts": [ { - "id": "control-0373-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." 
} ] }, { - "id": "control-0840", - "title": "Outsourcing media destruction", + "id": "control-1039", + "title": "Gateway authentication", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "Multi-factor authentication is used for access to gateways." } ] }, { - "id": "control-0839", - "title": "Outsourcing media destruction", + "id": "control-0622", + "title": "ICT equipment authentication", "parts": [ { - "id": "control-0839-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "ICT equipment accessing networks through gateways is authenticated." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", + "groups": [ { - "id": "media_usage", - "title": "Media usage", + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", "controls": [ { - "id": "control-1549", - "title": "Media management policy", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", "parts": [ { - "id": "control-1549-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Video conferencing and IP telephony infrastructure is hardened." 
} ] }, { - "id": "control-1359", - "title": "Removable media usage policy", + "id": "control-0546", + "title": "Video and voice-aware firewalls", "parts": [ { - "id": "control-1359-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." } ] }, { - "id": "control-0323", - "title": "Classifying media storing information", + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", "parts": [ { - "id": "control-0323-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." + "prose": "Video conferencing and IP telephony signalling and data is encrypted." } ] }, { - "id": "control-0325", - "title": "Classifying media connected to systems", + "id": "control-0548", + "title": "Establishment of secure signalling and data protocols", "parts": [ { - "id": "control-0325-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." 
} ] }, { - "id": "control-0331", - "title": "Reclassifying media", + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0331-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-0330", - "title": "Reclassifying media", + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0330-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." } ] }, { - "id": "control-0332", - "title": "Labelling media", + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0332-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." 
} ] }, { - "id": "control-1600", - "title": "Connecting media to systems", + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1600-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "Media is sanitised before it is used with systems for the first time." + "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." } ] }, { - "id": "control-0337", - "title": "Connecting media to systems", + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0337-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "Individual logins are used for IP phones." } ] }, { - "id": "control-0341", - "title": "Connecting media to systems", + "id": "control-0549", + "title": "Traffic separation", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." 
} ] }, { - "id": "control-0342", - "title": "Connecting media to systems", + "id": "control-0556", + "title": "Traffic separation", "parts": [ { - "id": "control-0342-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-0343", - "title": "Connecting media to systems", + "id": "control-1015", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0343-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "Traditional analog phones are used in public areas." } ] }, { - "id": "control-0831", - "title": "Handling media", + "id": "control-0558", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] }, { - "id": "control-1059", - "title": "Handling media", + "id": "control-0559", + "title": "Microphones and webcams", "parts": [ { - "id": "control-1059-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
+ "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." } ] }, { - "id": "control-0347", - "title": "Using media for data transfers", + "id": "control-1450", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0347-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." } ] }, { - "id": "control-0947", - "title": "Using media for data transfers", + "id": "control-1019", + "title": "Developing a denial of service response plan", "parts": [ { - "id": "control-0947-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." + "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." } ] } ] }, { - "id": "media_disposal", - "title": "Media disposal", + "id": "telephone_systems", + "title": "Telephone systems", "controls": [ { - "id": "control-0374", - "title": "Media disposal process and procedures", + "id": "control-1078", + "title": "Telephone systems usage policy", "parts": [ { - "id": "control-0374-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." + "prose": "A telephone systems usage policy is developed and implemented." 
} ] }, { - "id": "control-0375", - "title": "Media disposal process and procedures", + "id": "control-0229", + "title": "Personnel awareness", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-0378", - "title": "Media disposal process and procedures", + "id": "control-0230", + "title": "Personnel awareness", "parts": [ { - "id": "control-0378-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." } ] - } - ] - }, - { - "id": "media_sanitisation", - "title": "Media sanitisation", - "controls": [ + }, { - "id": "control-0348", - "title": "Media sanitisation process and procedures", + "id": "control-0231", + "title": "Visual indication", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." 
} ] }, { - "id": "control-0351", - "title": "Volatile media sanitisation", + "id": "control-0232", + "title": "Protecting conversations", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0352", - "title": "Volatile media sanitisation", + "id": "control-0233", + "title": "Cordless telephone systems", "parts": [ { - "id": "control-0352-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." } ] }, { - "id": "control-0835", - "title": "Treatment of volatile media following sanitisation", + "id": "control-0235", + "title": "Speakerphones", "parts": [ { - "id": "control-0835-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." 
} ] }, { - "id": "control-1065", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0236", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-1065-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." } ] }, { - "id": "control-0354", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0931", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0354-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." + "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." } ] }, { - "id": "control-1067", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0237", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-1067-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." 
+ } + ] + } + ] + }, + { + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", + "controls": [ + { + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", + "parts": [ + { + "id": "control-0588-stmt", + "name": "statement", + "prose": "A fax machine and MFD usage policy is developed and implemented." } ] }, { - "id": "control-0356", - "title": "Treatment of non-volatile magnetic media following sanitisation", + "id": "control-1092", + "title": "Sending fax messages", "parts": [ { - "id": "control-0356-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." } ] }, { - "id": "control-0357", - "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "id": "control-0241", + "title": "Sending fax messages", "parts": [ { - "id": "control-0357-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." 
} ] }, { - "id": "control-0836", - "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "id": "control-1075", + "title": "Receiving fax messages", "parts": [ { - "id": "control-0836-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." } ] }, { - "id": "control-0358", - "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "id": "control-0590", + "title": "Connecting multifunction devices to networks", "parts": [ { - "id": "control-0358-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." } ] }, { - "id": "control-0359", - "title": "Non-volatile flash memory media sanitisation", + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", "parts": [ { - "id": "control-0359-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." 
} ] }, { - "id": "control-0360", - "title": "Treatment of non-volatile flash memory media following sanitisation", + "id": "control-0589", + "title": "Copying documents on multifunction devices", "parts": [ { - "id": "control-0360-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." } ] }, { - "id": "control-1464", - "title": "Encrypted media sanitisation", + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", "parts": [ { - "id": "control-1464-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." } ] } 
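Review bot: the bullet strings embedded in the added prose for control-0551 and control-1019 ("\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled ...") are plain Unicode bullets inside a single string rather than Markdown list syntax, so OSCAL consumers that render prose as Markdown will show them as run-on text; consider emitting "\n- " list items from the generator instead. Separately, this hunk removes the whole media_usage, media_disposal and media_sanitisation groups and adds guidelines_for_communications_systems in their place, which looks like a regenerated file rather than a targeted edit; please confirm (for example with a before/after list of control ids) that the removed media controls reappear elsewhere in the catalog and were not dropped by the regeneration.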
@@ -8566,435 +8577,424 @@ ] }, { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", "groups": [ { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", "controls": [ { - "id": "control-0714", - "title": "Providing cyber security leadership and guidance", - "parts": [ - { - "id": "control-0714-stmt", - "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." - } - ] - }, - { - "id": "control-1478", - "title": "Overseeing the cyber security program", + "id": "control-1510", + "title": "Digital preservation policy", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-1617", - "title": "Overseeing the cyber security program", + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-1617-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." 
} ] }, { - "id": "control-0724", - "title": "Overseeing the cyber security program", + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0724-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." } ] }, { - "id": "control-0725", - "title": "Coordinating cyber security", + "id": "control-1511", + "title": "Performing backups", "parts": [ { - "id": "control-0725-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] }, { - "id": "control-0726", - "title": "Coordinating cyber security", + "id": "control-1512", + "title": "Backup storage", "parts": [ { - "id": "control-0726-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "The CISO coordinates security risk management activities between cyber security and business teams." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." } ] }, { - "id": "control-0718", - "title": "Reporting on cyber security", + "id": "control-1513", + "title": "Backup storage", "parts": [ { - "id": "control-0718-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." + "prose": "Backups are stored at a multiple geographically-dispersed locations." 
} ] }, { - "id": "control-0733", - "title": "Overseeing incident response activities", + "id": "control-1514", + "title": "Retention periods for backups", "parts": [ { - "id": "control-0733-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "The CISO is fully aware of all cyber security incidents within their organisation." + "prose": "Backups are stored for three months or greater." } ] }, { - "id": "control-1618", - "title": "Overseeing incident response activities", + "id": "control-1515", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-1618-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s response to cyber security incidents." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-0734", - "title": "Contributing to business continuity and disaster recovery planning", + "id": "control-1516", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-0734-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." } ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-0720", - "title": "Developing a cyber security communications strategy", + "id": "control-1211", + "title": "Change management process and procedures", "parts": [ { - "id": "control-0720-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." 
+ "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." } ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-0731", - "title": "Working with suppliers and service providers", + "id": "control-0042", + "title": "System administration process and procedures", "parts": [ { - "id": "control-0731-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." } ] }, { - "id": "control-0732", - "title": "Receiving and managing a dedicated cyber security budget", + "id": "control-1380", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0732-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." + "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] }, { - "id": "control-0717", - "title": "Overseeing cyber security personnel", + "id": "control-1382", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0717-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "The CISO oversees the management of cyber security personnel within their organisation." 
+ "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." } ] }, { - "id": "control-0735", - "title": "Overseeing cyber security awareness raising", + "id": "control-1381", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0735-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." } ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ + }, { - "id": "control-1071", - "title": "System ownership", + "id": "control-1383", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." } ] }, { - "id": "control-1525", - "title": "Gaining authorisation to operate systems", + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "System owners register each system with the system’s authorising officer." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." 
} ] }, { - "id": "control-0027", - "title": "Gaining authorisation to operate systems", + "id": "control-1386", + "title": "Restriction of management traffic flows", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-1526", - "title": "Monitoring cyber threats, security risks and security controls", + "id": "control-1387", + "title": "Jump servers", "parts": [ { - "id": "control-1526-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "System owners monitor security risks and the effectiveness of security controls for each system." + "prose": "All administrative actions are conducted through a jump server." } ] }, { - "id": "control-1587", - "title": "Annual reporting of system security status", + "id": "control-1388", + "title": "Jump servers", "parts": [ { - "id": "control-1587-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "System owners report the security status of each system to its authorising officer at least annually." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ + }, { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", + "id": "system_patching", + "title": "System patching", "controls": [ { - "id": "control-1452", - "title": "Cyber supply chain risk management", + "id": "control-1143", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "A review of suppliers and service providers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-1567", - "title": "Cyber supply chain risk management", + "id": "control-1493", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1567-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "High risk suppliers and service providers are not used." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." } ] }, { - "id": "control-1568", - "title": "Cyber supply chain risk management", + "id": "control-1144", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1568-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "Outsourced information technology and cloud services are chosen from service providers that have made a commitment to secure practices and have a strong track record of maintaining the security of their systems and services." 
+ "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1395", - "title": "Cyber supply chain risk management", + "id": "control-0940", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1395-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1569", - "title": "Cyber supply chain risk management", + "id": "control-1472", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1569-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "A shared responsibility model is created between service providers and organisations in order to articulate the security responsibilities of each party." + "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-0100", - "title": "Outsourced gateway services", + "id": "control-1494", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0100-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1570", - "title": "Outsourced cloud services", + "id": "control-1495", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1570-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1529", - "title": "Outsourced cloud services", + "id": "control-1496", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "Only community or private clouds are used for outsourced cloud services." + "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-0072", - "title": "Contractual security requirements", + "id": "control-0300", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0072-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] }, { - "id": "control-1571", - "title": "Contractual security requirements", + "id": "control-0298", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1571-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-1451", - "title": "Contractual security requirements", + "id": "control-0303", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "Types of information and its ownership is documented in contractual arrangements." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1572", - "title": "Contractual security requirements", + "id": "control-1497", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1572-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1573", - "title": "Contractual security requirements", + "id": "control-1498", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1573-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." } ] }, { - "id": "control-1574", - "title": "Contractual security requirements", + "id": "control-1499", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1574-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1575", - "title": "Contractual security requirements", + "id": "control-1500", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1575-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1073", - "title": "Access to systems and information by service providers", + "id": "control-0304", + "title": "Cessation of support", "parts": [ { - "id": "control-1073-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] }, { - "id": "control-1576", - "title": "Access to systems and information by service providers", + "id": "control-1501", + "title": "Cessation of support", "parts": [ { - "id": "control-1576-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } 
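Review bot: the tail of this hunk replaces the outsourcing controls (control-1395, control-1569, control-0100, control-1570, control-1529, control-0072, control-1571, control-1451, control-1572 to control-1576) with the patching controls (control-0940, control-1472, control-1494 to control-1496, control-0300, control-0298, control-0303, control-1497 to control-1500, control-0304, control-1501), so the regenerated catalog emits its groups in a different order than before and the whole file shows up as changed. If the reordering is not deliberate, make the generator emit groups and controls in a stable order so that future regenerations diff cleanly; if it is deliberate, say so in the commit message, which currently only says "demos work with trestle 1.0.x" and does not mention that the catalogs were regenerated.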
diff --git a/ISM_catalog_profile/catalogs/ISM_October_2020/catalog.json b/ISM_catalog_profile/catalogs/ISM_October_2020/catalog.json index fb32917..1dae4a2 100644 --- a/ISM_catalog_profile/catalogs/ISM_October_2020/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_October_2020/catalog.json 
@@ -1,3330 +1,3194 @@ { "catalog": { - "uuid": "06174980-e7db-4ba7-bd84-bb587771af73", + "uuid": "ea015ce5-8d8e-48a7-bf14-9a06dd08fc7a", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:20:47.370+00:00", + "last-modified": "2022-04-28T11:44:29.506974+10:00", "version": "October_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration process and procedures", + "id": "control-0580", + "title": "Event logging policy", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "Separate administrator workstations", + "id": "control-1405", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1382", - "title": "Separate administrator workstations", + "id": "control-0988", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1381", - "title": "Separate administrator workstations", + "id": "control-0584", + "title": "Events to be logged", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1383", - "title": "Separate administrator workstations", + "id": "control-0582", + "title": "Events to be logged", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." 
} ] }, { - "id": "control-1385", - "title": "Dedicated administration zones and communication restrictions", + "id": "control-1536", + "title": "Events to be logged", "parts": [ { - "id": "control-1385-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." } ] }, { - "id": "control-1386", - "title": "Restriction of management traffic flows", + "id": "control-1537", + "title": "Events to be logged", "parts": [ { - "id": "control-1386-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." } ] }, { - "id": "control-1387", - "title": "Jump servers", + "id": "control-0585", + "title": "Events log details", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-1388", - "title": "Jump servers", + "id": "control-0586", + "title": "Event log protection", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management process and procedures", + "id": "control-0859", + "title": "Event log retention", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "Patch management process and procedures", + "id": "control-0991", + "title": "Event log retention", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] }, { - "id": "control-1493", - "title": "Patch management process and procedures", + "id": "control-0109", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1493-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1144", - "title": "When to patch security vulnerabilities", + "id": "control-1228", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1144-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_email", + "title": "Guidelines for Email", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ { - "id": "control-0940", - "title": "When to patch security vulnerabilities", + "id": "control-0569", + "title": "Centralised email gateways", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0569-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email is routed through a centralised email gateway." } ] }, { - "id": "control-1472", - "title": "When to patch security vulnerabilities", + "id": "control-0571", + "title": "Centralised email gateways", "parts": [ { - "id": "control-1472-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." } ] }, { - "id": "control-1494", - "title": "When to patch security vulnerabilities", + "id": "control-0570", + "title": "Email gateway maintenance activities", "parts": [ { - "id": "control-1494-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
+ "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." } ] }, { - "id": "control-1495", - "title": "When to patch security vulnerabilities", + "id": "control-0567", + "title": "Open relay email servers", "parts": [ { - "id": "control-1495-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-1496", - "title": "When to patch security vulnerabilities", + "id": "control-0572", + "title": "Email server transport encryption", "parts": [ { - "id": "control-1496-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." } ] }, { - "id": "control-0300", - "title": "When to patch security vulnerabilities", + "id": "control-1589", + "title": "Email server transport encryption", "parts": [ { - "id": "control-0300-stmt", + "id": "control-1589-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." 
} ] }, { - "id": "control-0298", - "title": "How to patch security vulnerabilities", + "id": "control-0574", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." } ] }, { - "id": "control-0303", - "title": "How to patch security vulnerabilities", + "id": "control-1183", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0303-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "A hard fail SPF record is used when specifying email servers." } ] }, { - "id": "control-1497", - "title": "How to patch security vulnerabilities", + "id": "control-1151", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1497-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "SPF is used to verify the authenticity of incoming emails." } ] }, { - "id": "control-1498", - "title": "How to patch security vulnerabilities", + "id": "control-1152", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1498-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
} ] }, { - "id": "control-1499", - "title": "How to patch security vulnerabilities", + "id": "control-0861", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-1500", - "title": "How to patch security vulnerabilities", + "id": "control-1026", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1500-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "DKIM signatures on received emails are verified." } ] }, { - "id": "control-0304", - "title": "Cessation of support", + "id": "control-1027", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0304-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." 
} ] }, { - "id": "control-1501", - "title": "Cessation of support", + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", "parts": [ { - "id": "control-1501-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ + }, { - "id": "control-1510", - "title": "Digital preservation policy", + "id": "control-1234", + "title": "Email content filtering", "parts": [ { - "id": "control-1510-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "Email content filtering controls are implemented for email bodies and attachments." } ] }, { - "id": "control-1547", - "title": "Data backup and restoration processes and procedures", + "id": "control-1502", + "title": "Blocking suspicious emails", "parts": [ { - "id": "control-1547-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." } ] }, { - "id": "control-1548", - "title": "Data backup and restoration processes and procedures", + "id": "control-1024", + "title": "Undeliverable messages", "parts": [ { - "id": "control-1548-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
+ "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." } ] - }, + } + ] + }, + { + "id": "email_usage", + "title": "Email usage", + "controls": [ { - "id": "control-1511", - "title": "Performing backups", + "id": "control-0264", + "title": "Email usage policy", "parts": [ { - "id": "control-1511-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." + "prose": "An email usage policy is developed and implemented." } ] }, { - "id": "control-1512", - "title": "Backup storage", + "id": "control-0267", + "title": "Webmail services", "parts": [ { - "id": "control-1512-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." + "prose": "Access to non-approved webmail services is blocked." } ] }, { - "id": "control-1513", - "title": "Backup storage", + "id": "control-0270", + "title": "Protective markings for emails", "parts": [ { - "id": "control-1513-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." } ] }, { - "id": "control-1514", - "title": "Retention periods for backups", + "id": "control-0271", + "title": "Protective marking tools", "parts": [ { - "id": "control-1514-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Protective marking tools do not automatically insert protective markings into emails." 
} ] }, { - "id": "control-1515", - "title": "Testing restoration of backups", + "id": "control-0272", + "title": "Protective marking tools", "parts": [ { - "id": "control-1515-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." } ] }, { - "id": "control-1516", - "title": "Testing restoration of backups", + "id": "control-1089", + "title": "Protective marking tools", "parts": [ { - "id": "control-1516-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_gateways", - "title": "Guidelines for Gateways", - "groups": [ - { - "id": "firewalls", - "title": "Firewalls", - "controls": [ + }, { - "id": "control-1528", - "title": "Using firewalls", + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-1528-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." 
} ] }, { - "id": "control-0639", - "title": "Using firewalls", + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0639-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-1194", - "title": "Using firewalls", + "id": "control-0269", + "title": "Email distribution lists", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ + { + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", + "controls": [ + { + "id": "control-0336", + "title": "ICT equipment and media register", + "parts": [ + { + "id": "control-0336-stmt", + "name": "statement", + "prose": "An ICT equipment and media register is maintained and regularly audited." 
} ] }, { - "id": "control-0641", - "title": "Firewalls for particularly important networks", + "id": "control-0159", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "All ICT equipment and media are accounted for on a regular basis." } ] }, { - "id": "control-0642", - "title": "Firewalls for particularly important networks", + "id": "control-0161", + "title": "Securing ICT equipment and media", "parts": [ { - "id": "control-0642-stmt", + "id": "control-0161-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." + "prose": "ICT equipment and media are secured when not in use." } ] } ] }, { - "id": "gateways", - "title": "Gateways", + "id": "facilities_and_systems", + "title": "Facilities and systems", "controls": [ { - "id": "control-0628", - "title": "Gateway architecture and configuration", + "id": "control-0810", + "title": "Facilities containing systems", "parts": [ { - "id": "control-0628-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." 
} ] }, { - "id": "control-1192", - "title": "Gateway architecture and configuration", + "id": "control-1053", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1192-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." } ] }, { - "id": "control-0631", - "title": "Gateway architecture and configuration", + "id": "control-1530", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0631-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." 
} ] }, { - "id": "control-1427", - "title": "Gateway architecture and configuration", + "id": "control-0813", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1427-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0634", - "title": "Gateway operation", + "id": "control-1074", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0634-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." } ] }, { - "id": "control-0637", - "title": "Demilitarised zones", + "id": "control-0157", + "title": "Network infrastructure", "parts": [ { - "id": "control-0637-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." 
} ] }, { - "id": "control-1037", - "title": "Gateway testing", + "id": "control-1296", + "title": "Controlling physical access to network devices", "parts": [ { - "id": "control-1037-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." } ] }, { - "id": "control-0611", - "title": "Gateway administration", + "id": "control-0164", + "title": "Preventing observation by unauthorised people", "parts": [ { - "id": "control-0611-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." } ] - }, + } + ] + }, + { + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", + "controls": [ { - "id": "control-0612", - "title": "Gateway administration", + "id": "control-1543", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0612-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." 
} ] }, { - "id": "control-1520", - "title": "Gateway administration", + "id": "control-0225", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-1520-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-0613", - "title": "Gateway administration", - "parts": [ - { - "id": "control-0613-stmt", - "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." - } - ] - }, - { - "id": "control-0616", - "title": "Gateway administration", - "parts": [ - { - "id": "control-0616-stmt", - "name": "statement", - "prose": "Roles for the administration of gateways are separated." - } - ] - }, - { - "id": "control-0629", - "title": "Gateway administration", + "id": "control-0829", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0629-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." } ] }, { - "id": "control-0607", - "title": "Shared ownership of gateways", + "id": "control-1058", + "title": "Bluetooth and wireless keyboards", "parts": [ { - "id": "control-0607-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." 
+ "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." } ] }, { - "id": "control-0619", - "title": "Gateway authentication", + "id": "control-0222", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0619-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-0620", - "title": "Gateway authentication", + "id": "control-0223", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0620-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." } ] }, { - "id": "control-1039", - "title": "Gateway authentication", + "id": "control-0224", + "title": "Infrared keyboards", "parts": [ { - "id": "control-1039-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." 
} ] }, { - "id": "control-0622", - "title": "ICT equipment authentication", + "id": "control-0221", + "title": "Wireless RF pointing devices", "parts": [ { - "id": "control-0622-stmt", + "id": "control-0221-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ { - "id": "diodes", - "title": "Diodes", + "id": "mobile_device_management", + "title": "Mobile device management", "controls": [ { - "id": "control-0643", - "title": "Using diodes", + "id": "control-1533", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0643-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." + "prose": "A mobile device management policy is developed and implemented." } ] }, { - "id": "control-0645", - "title": "Using diodes", + "id": "control-1195", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0645-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." 
} ] }, { - "id": "control-1157", - "title": "Using diodes", + "id": "control-0687", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1157-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-1158", - "title": "Using diodes", + "id": "control-1400", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1158-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." } ] }, { - "id": "control-0646", - "title": "Diodes for particularly important networks", + "id": "control-0694", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-0646-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "Privately-owned mobile devices do not access highly classified systems or information." 
} ] }, { - "id": "control-0647", - "title": "Diodes for particularly important networks", + "id": "control-1297", + "title": "Seeking legal advice for privately-owned mobile devices", "parts": [ { - "id": "control-0647-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." } ] }, { - "id": "control-0648", - "title": "Volume checking", + "id": "control-1482", + "title": "Organisation-owned mobile devices", "parts": [ { - "id": "control-0648-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] - } - ] - }, - { - "id": "content_filtering", - "title": "Content filtering", - "controls": [ + }, { - "id": "control-0659", - "title": "Content filtering", + "id": "control-0869", + "title": "Mobile device storage encryption", "parts": [ { - "id": "control-0659-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-1085", + "title": "Mobile device communications encryption", "parts": [ { - "id": "control-1524-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-0651", - "title": "Active, malicious and suspicious content", + "id": "control-1202", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0651-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] }, { - "id": "control-0652", - "title": "Active, malicious and suspicious content", + "id": "control-0682", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0652-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
} ] }, { - "id": "control-1389", - "title": "Automated dynamic analysis", + "id": "control-1196", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1389-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-1284", - "title": "Content validation", + "id": "control-1200", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1284-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-1286", - "title": "Content conversion and transformation", + "id": "control-1198", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1286-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." } ] }, { - "id": "control-1287", - "title": "Content sanitisation", + "id": "control-1199", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1287-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." 
} ] }, { - "id": "control-1288", - "title": "Antivirus scanning", + "id": "control-0863", + "title": "Configuration control", "parts": [ { - "id": "control-1288-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-1289", - "title": "Archive and container files", + "id": "control-0864", + "title": "Configuration control", "parts": [ { - "id": "control-1289-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] }, { - "id": "control-1290", - "title": "Archive and container files", + "id": "control-1365", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1290-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] }, { - "id": "control-1291", - "title": "Archive and container files", + "id": "control-1366", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." 
} ] }, { - "id": "control-0649", - "title": "Allowing access to specific content types", + "id": "control-0874", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0649-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-1292", - "title": "Data integrity", + "id": "control-0705", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-1292-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." - } - ] - }, - { - "id": "control-0677", - "title": "Data integrity", - "parts": [ - { - "id": "control-0677-stmt", - "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." - } - ] - }, - { - "id": "control-1293", - "title": "Encrypted data", - "parts": [ - { - "id": "control-1293-stmt", - "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." } ] } ] }, { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", + "id": "mobile_device_usage", + "title": "Mobile device usage", "controls": [ { - "id": "control-0626", - "title": "When to implement a Cross Domain Solution", + "id": "control-1082", + "title": "Mobile device usage policy", "parts": [ { - "id": "control-0626-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "A mobile device usage policy is developed and implemented." 
} ] }, { - "id": "control-0597", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1083", + "title": "Personnel awareness", "parts": [ { - "id": "control-0597-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0627", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-0240", + "title": "Paging and message services", "parts": [ { - "id": "control-0627-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." } ] }, { - "id": "control-0635", - "title": "Separation of data flows", + "id": "control-0866", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0635-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." 
} ] }, { - "id": "control-1521", - "title": "Separation of data flows", + "id": "control-1145", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-1521-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-1522", - "title": "Separation of data flows", + "id": "control-0871", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-1522-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-0670", - "title": "Event logging", + "id": "control-0870", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-1523", - "title": "Event logging", + "id": "control-1084", + "title": "Carrying mobile devices", "parts": [ { - "id": "control-1523-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." 
+ "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." } ] }, { - "id": "control-0610", - "title": "User training", + "id": "control-0701", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0610-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." } ] - } - ] - }, - { - "id": "web_content_filters", - "title": "Web content filters", - "controls": [ + }, { - "id": "control-0963", - "title": "Using web content filters", + "id": "control-0702", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." } ] }, { - "id": "control-0961", - "title": "Using web content filters", + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0961-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." 
} ] }, { - "id": "control-1237", - "title": "Using web content filters", + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1237-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." } ] }, { - "id": "control-0263", - "title": "Transport Layer Security filtering", + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0263-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." 
} ] }, { - "id": "control-0996", - "title": "Inspection of Transport Layer Security traffic", + "id": "control-1299", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0996-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." 
} ] }, { - "id": "control-0958", - "title": "Allowing access to specific websites", + "id": "control-1088", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0958-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." } ] }, { - "id": "control-1170", - "title": "Allowing access to specific websites", + "id": "control-1300", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-1170-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-0959", - "title": "Blocking access to specific websites", + "id": "control-1556", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0959-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." 
+ "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ + { + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", + "controls": [ { - "id": "control-0960", - "title": "Blocking access to specific websites", + "id": "control-0280", + "title": "Evaluated product selection", "parts": [ { - "id": "control-0960-stmt", + "id": "control-0280-stmt", "name": "statement", - "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." } ] }, { - "id": "control-1171", - "title": "Blocking access to specific websites", + "id": "control-0285", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1171-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." 
} ] }, { - "id": "control-1236", - "title": "Blocking access to specific websites", + "id": "control-0286", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1236-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." } ] } ] }, { - "id": "web_proxies", - "title": "Web proxies", + "id": "evaluated_product_usage", + "title": "Evaluated product usage", "controls": [ { - "id": "control-0258", - "title": "Web usage policy", + "id": "control-0289", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0258-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." } ] }, { - "id": "control-0260", - "title": "Using web proxies", + "id": "control-0290", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0260-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." 
} ] }, { - "id": "control-0261", - "title": "Web proxy authentication and logging", + "id": "control-0292", + "title": "Use of high assurance ICT equipment in unevaluated configurations", "parts": [ { - "id": "control-0261-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." + "prose": "High assurance ICT equipment is only operated in an evaluated configuration." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ { - "id": "peripheral_switches", - "title": "Peripheral switches", + "id": "emanation_security", + "title": "Emanation security", "controls": [ { - "id": "control-0591", - "title": "Using peripheral switches", + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0591-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1480", - "title": "Using peripheral switches", + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1480-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1457", - "title": "Using peripheral switches", + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0593", - "title": "Using peripheral switches", + "id": "control-0932", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0593-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." 
+ "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." } ] }, { - "id": "control-0594", - "title": "Peripheral switches for particularly important systems", - "parts": [ - { - "id": "control-0594-stmt", - "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", - "groups": [ - { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", - "controls": [ - { - "id": "control-0280", - "title": "Evaluated product selection", + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0280-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0285", - "title": "Delivery of evaluated products", + "id": "control-0246", + "title": "Early identification of emanation security issues", "parts": [ { - "id": "control-0285-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." 
+ "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." } ] }, { - "id": "control-0286", - "title": "Delivery of evaluated products", + "id": "control-0250", + "title": "Industry and government standards", "parts": [ { - "id": "control-0286-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." } ] } ] }, { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", + "id": "cable_management", + "title": "Cable management", "controls": [ { - "id": "control-0289", - "title": "Installation and configuration of evaluated products", + "id": "control-0181", + "title": "Cable standards", "parts": [ { - "id": "control-0289-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." } ] }, { - "id": "control-0290", - "title": "Installation and configuration of evaluated products", + "id": "control-0926", + "title": "Cable colours", "parts": [ { - "id": "control-0290-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + "prose": "The cable colours in the following table are used (see source document for referenced table)." 
} ] }, { - "id": "control-0292", - "title": "Use of high assurance ICT equipment in unevaluated configurations", + "id": "control-0825", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-0292-stmt", + "id": "control-0825-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." + "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_networking", - "title": "Guidelines for Networking", - "groups": [ - { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", - "controls": [ + }, { - "id": "control-1437", - "title": "Cloud-based hosting of online services", + "id": "control-0826", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-1437-stmt", + "id": "control-0826-stmt", "name": "statement", - "prose": "A cloud service provider is used for hosting online services." + "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." } ] }, { - "id": "control-1578", - "title": "Location policies for online services", + "id": "control-1215", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1578-stmt", + "id": "control-1215-stmt", "name": "statement", - "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." + "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." 
} ] }, { - "id": "control-1579", - "title": "Availability planning and monitoring for online services", + "id": "control-1216", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1579-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." + "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." } ] }, { - "id": "control-1580", - "title": "Availability planning and monitoring for online services", + "id": "control-1112", + "title": "Inspecting cables", "parts": [ { - "id": "control-1580-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1441", - "title": "Availability planning and monitoring for online services", + "id": "control-1118", + "title": "Inspecting cables", "parts": [ { - "id": "control-1441-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1581", - "title": "Availability planning and monitoring for online services", + "id": "control-1119", + "title": "Inspecting cables", "parts": [ { - "id": "control-1581-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "Organisations perform continuous real-time monitoring of the availability of online services." 
+ "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1438", - "title": "Using content delivery networks", + "id": "control-1126", + "title": "Inspecting cables", "parts": [ { - "id": "control-1438-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1439", - "title": "Using content delivery networks", + "id": "control-0184", + "title": "Inspecting cables", "parts": [ { - "id": "control-1439-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." 
} ] }, { - "id": "control-1431", - "title": "Denial of service strategies", + "id": "control-0187", + "title": "Cable groupings", "parts": [ { - "id": "control-1431-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." + "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1458", - "title": "Denial of service strategies", + "id": "control-1111", + "title": "Use of fibre-optic cables", "parts": [ { - "id": "control-1458-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." } ] }, { - "id": "control-1432", - "title": "Domain name registrar locking", + "id": "control-0189", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1432-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." 
} ] }, { - "id": "control-1435", - "title": "Monitoring with real-time alerting for online services", + "id": "control-0190", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1435-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." } ] }, { - "id": "control-1436", - "title": "Segregation of critical online services", + "id": "control-1114", + "title": "Cables sharing a common reticulation system", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." } ] }, { - "id": "control-1518", - "title": "Preparing for service continuity", + "id": "control-1130", + "title": "Enclosed cable reticulation systems", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." 
} ] - } - ] - }, - { - "id": "wireless_networks", - "title": "Wireless networks", - "controls": [ + }, { - "id": "control-1314", - "title": "Choosing wireless access points", + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", "parts": [ { - "id": "control-1314-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-0536", - "title": "Wireless networks for public access", + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-0536-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." } ] }, { - "id": "control-1315", - "title": "Administrative interfaces for wireless access points", + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-1315-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." - } - ] - }, - { - "id": "control-1316", - "title": "Default Service Set Identifiers", - "parts": [ - { - "id": "control-1316-stmt", - "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." 
} ] }, { - "id": "control-1317", - "title": "Default Service Set Identifiers", + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1317-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1318", - "title": "Default Service Set Identifiers", + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1318-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1319", - "title": "Static addressing", + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1319-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." } ] }, { - "id": "control-1320", - "title": "Media Access Control address filtering", + "id": "control-1098", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1320-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." 
+ "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." } ] }, { - "id": "control-1321", - "title": "802.1X authentication", + "id": "control-1100", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1321-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-1322", - "title": "Evaluation of 802.1X authentication implementation", + "id": "control-1116", + "title": "Cabinet separation", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] }, { - "id": "control-1324", - "title": "Generating and issuing certificates for authentication", + "id": "control-1115", + "title": "Cables in walls", "parts": [ { - "id": "control-1324-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." } ] }, { - "id": "control-1323", - "title": "Generating and issuing certificates for authentication", + "id": "control-1133", + "title": "Cables in party walls", "parts": [ { - "id": "control-1323-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "In shared non-government facilities, cables are not run in a party wall." 
} ] }, { - "id": "control-1325", - "title": "Generating and issuing certificates for authentication", + "id": "control-1122", + "title": "Wall penetrations", "parts": [ { - "id": "control-1325-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1326", - "title": "Generating and issuing certificates for authentication", + "id": "control-1134", + "title": "Wall penetrations", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1327", - "title": "Generating and issuing certificates for authentication", + "id": "control-1104", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1327-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." 
} ] }, { - "id": "control-1330", - "title": "Caching 802.1X authentication outcomes", + "id": "control-1105", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1330-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." } ] }, { - "id": "control-1454", - "title": "Remote Authentication Dial-In User Service authentication", + "id": "control-1106", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1106-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." } ] }, { - "id": "control-1332", - "title": "Encryption of wireless network traffic", + "id": "control-1107", + "title": "Wall outlet box colours", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1334", - "title": "Interference between wireless networks", + "id": "control-1109", + "title": "Wall outlet box covers", "parts": [ { - "id": "control-1334-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "Wall outlet box covers are clear plastic." 
} ] }, { - "id": "control-1335", - "title": "Protecting management frames on wireless networks", + "id": "control-0198", + "title": "Audio secure spaces", "parts": [ { - "id": "control-1335-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." } ] }, { - "id": "control-1338", - "title": "Wireless network footprint", + "id": "control-1123", + "title": "Power reticulation", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-1013", - "title": "Wireless network footprint", + "id": "control-1135", + "title": "Power reticulation", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
} ] } ] }, { - "id": "network_design_and_configuration", - "title": "Network design and configuration", + "id": "cable_labelling_and_registration", + "title": "Cable labelling and registration", "controls": [ { - "id": "control-0516", - "title": "Network documentation", + "id": "control-0201", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0516-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." } ] }, { - "id": "control-0518", - "title": "Network documentation", + "id": "control-0202", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0518-stmt", + "id": "control-0202-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." } ] }, { - "id": "control-1178", - "title": "Network documentation", + "id": "control-0203", + "title": "Conduit label specifications", "parts": [ { - "id": "control-1178-stmt", + "id": "control-0203-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." 
} ] }, { - "id": "control-1181", - "title": "Network segmentation and segregation", + "id": "control-0204", + "title": "Installing conduit labelling", "parts": [ { - "id": "control-1181-stmt", + "id": "control-0204-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." } ] }, { - "id": "control-1577", - "title": "Network segmentation and segregation", + "id": "control-1095", + "title": "Labelling wall outlet boxes", "parts": [ { - "id": "control-1577-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "Organisation networks are segregated from service provider networks." + "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." } ] }, { - "id": "control-1532", - "title": "Using Virtual Local Area Networks", + "id": "control-1096", + "title": "Labelling cables", "parts": [ { - "id": "control-1532-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." } ] }, { - "id": "control-0529", - "title": "Using Virtual Local Area Networks", + "id": "control-0206", + "title": "Cable labelling process and procedures", "parts": [ { - "id": "control-0529-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." 
+ "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-1364", - "title": "Using Virtual Local Area Networks", + "id": "control-0208", + "title": "Cable register", "parts": [ { - "id": "control-1364-stmt", + "id": "control-0208-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." } ] }, { - "id": "control-0535", - "title": "Using Virtual Local Area Networks", + "id": "control-0211", + "title": "Cable inspections", "parts": [ { - "id": "control-0535-stmt", + "id": "control-0211-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "Cables are inspected for inconsistencies with the cable register at least annually." } ] - }, + } + ] + }, + { + "id": "cable_patching", + "title": "Cable patching", + "controls": [ { - "id": "control-0530", - "title": "Using Virtual Local Area Networks", + "id": "control-0213", + "title": "Terminations to patch panels", "parts": [ { - "id": "control-0530-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "Only approved cable groups terminate on a patch panel." } ] }, { - "id": "control-0521", - "title": "Using Internet Protocol version 6", + "id": "control-1093", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1093-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." 
+ "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." } ] }, { - "id": "control-1186", - "title": "Using Internet Protocol version 6", + "id": "control-0214", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1186-stmt", + "id": "control-0214-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." } ] }, { - "id": "control-1428", - "title": "Using Internet Protocol version 6", + "id": "control-1094", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1094-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." } ] }, { - "id": "control-1429", - "title": "Using Internet Protocol version 6", + "id": "control-0216", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1429-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." 
} ] }, { - "id": "control-1430", - "title": "Using Internet Protocol version 6", + "id": "control-0217", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1430-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." } ] }, { - "id": "control-0520", - "title": "Network access controls", + "id": "control-0218", + "title": "Fly lead installation", "parts": [ { - "id": "control-0520-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ { - "id": "control-1182", - "title": "Network access controls", + "id": "control-1452", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1182-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "A review of suppliers and service providers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." } ] }, { - "id": "control-1301", - "title": "Network device register", + "id": "control-1567", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1301-stmt", + "id": "control-1567-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "High risk suppliers and service providers are not used." } ] }, { - "id": "control-1304", - "title": "Default accounts for network devices", + "id": "control-1568", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1304-stmt", + "id": "control-1568-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Outsourced information technology and cloud services are chosen from service providers that have made a commitment to secure practices and have a strong track record of maintaining the security of their systems and services." 
} ] }, { - "id": "control-0534", - "title": "Disabling unused physical ports on network devices", + "id": "control-1395", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." } ] }, { - "id": "control-0385", - "title": "Functional separation between servers", + "id": "control-1569", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1569-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "A shared responsibility model is created between service providers and organisations in order to articulate the security responsibilities of each party." } ] }, { - "id": "control-1479", - "title": "Functional separation between servers", + "id": "control-0100", + "title": "Outsourced gateway services", "parts": [ { - "id": "control-1479-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." + "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." } ] }, { - "id": "control-1006", - "title": "Management traffic", + "id": "control-1570", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1006-stmt", + "id": "control-1570-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." 
+ "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." } ] }, { - "id": "control-1311", - "title": "Use of Simple Network Management Protocol", + "id": "control-1529", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "Only community or private clouds are used for outsourced cloud services." } ] }, { - "id": "control-1312", - "title": "Use of Simple Network Management Protocol", + "id": "control-0072", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1312-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." } ] }, { - "id": "control-1028", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1571", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1571-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." + "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." 
} ] }, { - "id": "control-1030", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1451", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1030-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "Types of information and its ownership is documented in contractual arrangements." } ] }, { - "id": "control-1185", - "title": "Using Network-based Intrusion Detection and Prevention Systems", - "parts": [ - { - "id": "control-1185-stmt", - "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", - "groups": [ - { - "id": "web_application_development", - "title": "Web application development", - "controls": [ - { - "id": "control-1239", - "title": "Web application frameworks", + "id": "control-1572", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1239-stmt", + "id": "control-1572-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." 
} ] }, { - "id": "control-1552", - "title": "Web application interactions", + "id": "control-1573", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1573-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." } ] }, { - "id": "control-1240", - "title": "Web application input handling", + "id": "control-1574", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1240-stmt", + "id": "control-1574-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." } ] }, { - "id": "control-1241", - "title": "Web application output encoding", + "id": "control-1575", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1575-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." } ] }, { - "id": "control-1424", - "title": "Web browser-based security controls", + "id": "control-1073", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-1424-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." 
+ "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." } ] }, { - "id": "control-0971", - "title": "Open Web Application Security Project", + "id": "control-1576", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-0971-stmt", + "id": "control-1576-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ { - "id": "application_development", - "title": "Application development", + "id": "application_hardening", + "title": "Application hardening", "controls": [ { - "id": "control-0400", - "title": "Development environments", + "id": "control-0938", + "title": "Application selection", "parts": [ { - "id": "control-0400-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "Development, testing and production environments are segregated." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." } ] }, { - "id": "control-1419", - "title": "Development environments", + "id": "control-1467", + "title": "Application versions", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." 
+ "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." } ] }, { - "id": "control-1420", - "title": "Development environments", + "id": "control-1483", + "title": "Application versions", "parts": [ { - "id": "control-1420-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." } ] }, { - "id": "control-1422", - "title": "Development environments", + "id": "control-1412", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1422-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1238", - "title": "Secure software design", + "id": "control-1484", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1238-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "Web browsers are configured to block or disable support for Flash content." 
} ] }, { - "id": "control-0401", - "title": "Secure programming practices", + "id": "control-1485", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0401-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "Web browsers are configured to block web advertisements." } ] }, { - "id": "control-0402", - "title": "Software testing", + "id": "control-1486", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0402-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." + "prose": "Web browsers are configured to block Java from the internet." } ] }, { - "id": "control-1616", - "title": "Vulnerability disclosure program", + "id": "control-1541", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1616-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." + "prose": "Microsoft Office is configured to disable support for Flash content." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ + }, { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "id": "control-1542", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." } ] }, { - "id": "control-0546", - "title": "Video and voice-aware firewalls", + "id": "control-1470", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0546-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." } ] }, { - "id": "control-0547", - "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "id": "control-1235", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0547-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." 
} ] }, { - "id": "control-0548", - "title": "Establishment of secure signalling and data protocols", + "id": "control-1601", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1601-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." } ] }, { - "id": "control-0554", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1585", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1585-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." } ] }, { - "id": "control-0553", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1487", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0553-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." + "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." 
} ] }, { - "id": "control-0555", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1488", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0555-stmt", + "id": "control-1488-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." + "prose": "Microsoft Office macros in documents originating from the internet are blocked." } ] }, { - "id": "control-0551", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1489", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] - }, + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ { - "id": "control-1014", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1406", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-1014-stmt", + "id": "control-1406-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "SOEs are used for workstations and servers." 
} ] }, { - "id": "control-0549", - "title": "Traffic separation", + "id": "control-1608", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0549-stmt", + "id": "control-1608-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." } ] }, { - "id": "control-0556", - "title": "Traffic separation", + "id": "control-1588", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1588-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "SOEs are reviewed and updated at least annually." } ] }, { - "id": "control-1015", - "title": "Internet Protocol phones in public areas", + "id": "control-1407", + "title": "Operating system versions", "parts": [ { - "id": "control-1015-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." } ] }, { - "id": "control-0558", - "title": "Internet Protocol phones in public areas", + "id": "control-1408", + "title": "Operating system versions", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." 
} ] }, { - "id": "control-0559", - "title": "Microphones and webcams", + "id": "control-1409", + "title": "Operating system configuration", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-1450", - "title": "Microphones and webcams", + "id": "control-0383", + "title": "Operating system configuration", "parts": [ { - "id": "control-1450-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1019", - "title": "Developing a denial of service response plan", + "id": "control-0380", + "title": "Operating system configuration", "parts": [ { - "id": "control-1019-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." 
} ] - } - ] - }, - { - "id": "telephone_systems", - "title": "Telephone systems", - "controls": [ + }, { - "id": "control-1078", - "title": "Telephone systems usage policy", + "id": "control-1584", + "title": "Operating system configuration", "parts": [ { - "id": "control-1078-stmt", + "id": "control-1584-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." } ] }, { - "id": "control-0229", - "title": "Personnel awareness", + "id": "control-1491", + "title": "Operating system configuration", "parts": [ { - "id": "control-0229-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe) \n• Microsoft HTML Application Host (mshta.exe)." } ] }, { - "id": "control-0230", - "title": "Personnel awareness", + "id": "control-1410", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0230-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." 
} ] }, { - "id": "control-0231", - "title": "Visual indication", + "id": "control-1469", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-0232", - "title": "Protecting conversations", + "id": "control-1592", + "title": "Application management", "parts": [ { - "id": "control-0232-stmt", + "id": "control-1592-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "Users do not have the ability to install unapproved software." } ] }, { - "id": "control-0233", - "title": "Cordless telephone systems", + "id": "control-0382", + "title": "Application management", "parts": [ { - "id": "control-0233-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + "prose": "Users do not have the ability to uninstall or disable approved software." } ] }, { - "id": "control-0235", - "title": "Speakerphones", + "id": "control-0843", + "title": "Application control", "parts": [ { - "id": "control-0235-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." 
+ "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0236", - "title": "Off-hook audio protection", + "id": "control-1490", + "title": "Application control", "parts": [ { - "id": "control-0236-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0931", - "title": "Off-hook audio protection", + "id": "control-0955", + "title": "Application control", "parts": [ { - "id": "control-0931-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." } ] }, { - "id": "control-0237", - "title": "Off-hook audio protection", + "id": "control-1582", + "title": "Application control", "parts": [ { - "id": "control-0237-stmt", + "id": "control-1582-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." 
} ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ + }, { - "id": "control-0588", - "title": "Fax machine and multifunction device usage policy", + "id": "control-1471", + "title": "Application control", "parts": [ { - "id": "control-0588-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-1092", - "title": "Sending fax messages", + "id": "control-1392", + "title": "Application control", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." } ] }, { - "id": "control-0241", - "title": "Sending fax messages", + "id": "control-1544", + "title": "Application control", "parts": [ { - "id": "control-0241-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." 
} ] }, { - "id": "control-1075", - "title": "Receiving fax messages", + "id": "control-0846", + "title": "Application control", "parts": [ { - "id": "control-1075-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." } ] }, { - "id": "control-0590", - "title": "Connecting multifunction devices to networks", + "id": "control-0957", + "title": "Application control", "parts": [ { - "id": "control-0590-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." } ] }, { - "id": "control-0245", - "title": "Connecting multifunction devices to both networks and digital telephone systems", + "id": "control-1414", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0245-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." 
+ "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." } ] }, { - "id": "control-0589", - "title": "Copying documents on multifunction devices", + "id": "control-1492", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0589-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "If supported, Microsoft's exploit protection functionality is implemented on workstations and servers." } ] }, { - "id": "control-1036", - "title": "Observing fax machine and multifunction device use", + "id": "control-1621", + "title": "PowerShell", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1621-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "PowerShell 2.0 and below is removed from operating systems." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems", - "title": "Guidelines for Database Systems", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Protecting database server contents", + "id": "control-1622", + "title": "PowerShell", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1622-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "PowerShell is configured to use Constrained Language Mode." 
} ] }, { - "id": "control-1269", - "title": "Functional separation between database servers and web servers", + "id": "control-1623", + "title": "PowerShell", "parts": [ { - "id": "control-1269-stmt", + "id": "control-1623-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." } ] }, { - "id": "control-1277", - "title": "Communications between database servers and web servers", + "id": "control-1624", + "title": "PowerShell", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1624-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." + "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." } ] }, { - "id": "control-1270", - "title": "Network environment", + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1270-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "A HIPS is implemented on workstations." } ] }, { - "id": "control-1271", - "title": "Network environment", + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." 
} ] }, { - "id": "control-1272", - "title": "Network environment", + "id": "control-1416", + "title": "Software firewall", "parts": [ { - "id": "control-1272-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." } ] }, { - "id": "control-1273", - "title": "Separation of production, test and development database servers", + "id": "control-1417", + "title": "Antivirus software", "parts": [ { - "id": "control-1273-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." } ] - } - ] - }, - { - "id": "database_management_system_software", - "title": "Database management system software", - "controls": [ + }, { - "id": "control-1245", - "title": "Temporary installation files and logs", + "id": "control-1390", + "title": "Antivirus software", "parts": [ { - "id": "control-1245-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Antivirus software has reputation rating functionality enabled." 
} ] }, { - "id": "control-1246", - "title": "Hardening and configuration", + "id": "control-1418", + "title": "Device access control software", "parts": [ { - "id": "control-1246-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." } ] }, { - "id": "control-1247", - "title": "Hardening and configuration", + "id": "control-0345", + "title": "Device access control software", "parts": [ { - "id": "control-1247-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "External interfaces of workstations and servers that allow DMA are disabled." } ] - }, + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ { - "id": "control-1249", - "title": "Restricting privileges", + "id": "control-1546", + "title": "Authenticating to systems", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "Users are authenticated before they are granted access to a system and its resources." } ] }, { - "id": "control-1250", - "title": "Restricting privileges", + "id": "control-0974", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1250-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "Multi-factor authentication is used to authenticate standard users." 
} ] }, { - "id": "control-1251", - "title": "Restricting privileges", + "id": "control-1173", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." } ] }, { - "id": "control-1260", - "title": "Database administrator accounts", + "id": "control-1384", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1260-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." } ] }, { - "id": "control-1262", - "title": "Database administrator accounts", + "id": "control-1504", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1262-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] }, { - "id": "control-1261", - "title": "Database administrator accounts", + "id": "control-1505", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1261-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." 
} ] }, { - "id": "control-1263", - "title": "Database administrator accounts", + "id": "control-1401", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1263-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." } ] }, { - "id": "control-1264", - "title": "Database administrator accounts", + "id": "control-1559", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Database register", + "id": "control-1560", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1243-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." } ] }, { - "id": "control-1256", - "title": "Protecting database contents", + "id": "control-1561", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1256-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." 
} ] }, { - "id": "control-1252", - "title": "Protecting authentication credentials in databases", + "id": "control-1357", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1252-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." } ] }, { - "id": "control-0393", - "title": "Protecting database contents", + "id": "control-0417", + "title": "Single-factor authentication", "parts": [ { - "id": "control-0393-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-1255", - "title": "Protecting database contents", + "id": "control-0421", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1255-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." } ] }, { - "id": "control-1268", - "title": "Protecting database contents", + "id": "control-1557", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1268-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." 
+ "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] }, { - "id": "control-1258", - "title": "Aggregation of database contents", + "id": "control-0422", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1258-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." } ] }, { - "id": "control-1274", - "title": "Separation of production, test and development databases", + "id": "control-1558", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1274-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." } ] }, { - "id": "control-1275", - "title": "Web application interaction with databases", + "id": "control-1596", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1275-stmt", + "id": "control-1596-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." 
+ "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." } ] }, { - "id": "control-1276", - "title": "Web application interaction with databases", + "id": "control-1227", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." + "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." } ] }, { - "id": "control-1278", - "title": "Web application interaction with databases", + "id": "control-1593", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1593-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email", - "title": "Guidelines for Email", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage policy", + "id": "control-1594", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-0264-stmt", + "id": "control-1594-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." 
} ] }, { - "id": "control-0267", - "title": "Webmail services", + "id": "control-1595", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-0267-stmt", + "id": "control-1595-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." } ] }, { - "id": "control-0270", - "title": "Protective markings for emails", + "id": "control-1619", + "title": "Setting and resetting credentials for service accounts", "parts": [ { - "id": "control-0270-stmt", + "id": "control-1619-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Service accounts are created as group Managed Service Accounts." } ] }, { - "id": "control-0271", - "title": "Protective marking tools", + "id": "control-1403", + "title": "Account lockouts", "parts": [ { - "id": "control-0271-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-0272", - "title": "Protective marking tools", + "id": "control-0431", + "title": "Account lockouts", "parts": [ { - "id": "control-0272-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Repeated account lockouts are investigated before reauthorising access." 
} ] }, { - "id": "control-1089", - "title": "Protective marking tools", + "id": "control-0976", + "title": "Account unlocks", "parts": [ { - "id": "control-1089-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." } ] }, { - "id": "control-0565", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1603", + "title": "Unsecure authentication methods", "parts": [ { - "id": "control-0565-stmt", + "id": "control-1603-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." + "prose": "Authentication methods susceptible to replay attacks are disabled." } ] }, { - "id": "control-1023", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1055", + "title": "Unsecure authentication methods", "parts": [ { - "id": "control-1023-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." } ] }, { - "id": "control-0269", - "title": "Email distribution lists", + "id": "control-1620", + "title": "Unsecure authentication methods", "parts": [ { - "id": "control-0269-stmt", + "id": "control-1620-stmt", "name": "statement", - "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." 
+ "prose": "Privileged accounts are members of the Protected Users security group." } ] - } - ] - }, - { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", - "controls": [ + }, { - "id": "control-0569", - "title": "Centralised email gateways", + "id": "control-0418", + "title": "Protecting credentials", "parts": [ { - "id": "control-0569-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." + "prose": "Credentials are stored separately from systems to which they grant access." } ] }, { - "id": "control-0571", - "title": "Centralised email gateways", + "id": "control-1597", + "title": "Protecting credentials", "parts": [ { - "id": "control-0571-stmt", + "id": "control-1597-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "Credentials are obscured as they are entered into systems." } ] }, { - "id": "control-0570", - "title": "Email gateway maintenance activities", + "id": "control-1402", + "title": "Protecting credentials", "parts": [ { - "id": "control-0570-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." } ] }, { - "id": "control-0567", - "title": "Open relay email servers", + "id": "control-1590", + "title": "Protecting credentials", "parts": [ { - "id": "control-0567-stmt", + "id": "control-1590-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." 
+ "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." } ] }, { - "id": "control-0572", - "title": "Email server transport encryption", + "id": "control-0853", + "title": "Session termination", "parts": [ { - "id": "control-0572-stmt", + "id": "control-0853-stmt", "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." + "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." } ] }, { - "id": "control-1589", - "title": "Email server transport encryption", + "id": "control-0428", + "title": "Session and screen locking", "parts": [ { - "id": "control-1589-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." + "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." 
} ] }, { - "id": "control-0574", - "title": "Sender Policy Framework", + "id": "control-0408", + "title": "Logon banner", "parts": [ { - "id": "control-0574-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-1183", - "title": "Sender Policy Framework", + "id": "control-0979", + "title": "Logon banner", "parts": [ { - "id": "control-1183-stmt", - "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." - } - ] - }, - { - "id": "control-1151", - "title": "Sender Policy Framework", - "parts": [ - { - "id": "control-1151-stmt", - "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." - } - ] - }, - { - "id": "control-1152", - "title": "Sender Policy Framework", - "parts": [ - { - "id": "control-1152-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." + "prose": "Legal advice is sought on the exact wording of logon banners." } ] - }, + } + ] + }, + { + "id": "virtualisation_hardening", + "title": "Virtualisation hardening", + "controls": [ { - "id": "control-0861", - "title": "DomainKeys Identified Mail", + "id": "control-1460", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0861-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." } ] }, { - "id": "control-1026", - "title": "DomainKeys Identified Mail", + "id": "control-1604", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1026-stmt", + "id": "control-1604-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." } ] }, { - "id": "control-1027", - "title": "DomainKeys Identified Mail", + "id": "control-1605", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1027-stmt", + "id": "control-1605-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." } ] }, { - "id": "control-1540", - "title": "Domain-based Message Authentication, Reporting and Conformance", + "id": "control-1606", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1540-stmt", + "id": "control-1606-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1234", - "title": "Email content filtering", + "id": "control-1607", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1234-stmt", + "id": "control-1607-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1502", - "title": "Blocking suspicious emails", + "id": "control-1462", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1502-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." } ] }, { - "id": "control-1024", - "title": "Undeliverable messages", + "id": "control-1461", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1024-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." } ] } 
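Review bot: the pairing of minus and plus lines in this region (control-1026, control-1027 and control-1540 DKIM/DMARC statements, control-1234 email content filtering, control-1502 blocking suspicious emails and control-1024 undeliverable messages removed against control-1604 through control-1607, control-1462 and control-1461 "Functional separation between computing environments" added) is an artefact of line alignment in a regenerated JSON file, not a one-for-one substitution of controls, so the diff alone cannot show whether the email-security controls survived. Before merging, confirm that each removed `"id"` (control-1026, control-1027, control-1540, control-1234, control-1502, control-1024) still appears elsewhere in the new catalog.json with the same `"prose"`; comparing the sorted set of `"id"` values extracted from the old and new files is enough to establish this. If any are genuinely gone, the commit message should say so, because "demos work with trestle 1.0.x" describes a tooling update, not a content change to the ISM catalog.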
@@ -3333,1309 +3197,1314 @@ ] }, { - "id": "guidelines_for_cryptography", - "title": "Guidelines for Cryptography", + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", "groups": [ { - "id": "transport_layer_security", - "title": "Transport Layer Security", + "id": "application_development", + "title": "Application development", "controls": [ { - "id": "control-1139", - "title": "Using Transport Layer Security", + "id": "control-0400", + "title": "Development environments", "parts": [ { - "id": "control-1139-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "Only the latest version of TLS is used." + "prose": "Development, testing and production environments are segregated." } ] }, { - "id": "control-1369", - "title": "Using Transport Layer Security", + "id": "control-1419", + "title": "Development environments", "parts": [ { - "id": "control-1369-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-1370", - "title": "Using Transport Layer Security", + "id": "control-1420", + "title": "Development environments", "parts": [ { - "id": "control-1370-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-1372", - "title": "Using Transport Layer Security", + "id": "control-1422", + "title": "Development environments", "parts": [ { - "id": "control-1372-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." 
+ "prose": "Unauthorised access to the authoritative source for software is prevented." } ] }, { - "id": "control-1448", - "title": "Using Transport Layer Security", + "id": "control-1238", + "title": "Secure software design", "parts": [ { - "id": "control-1448-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, { - "id": "control-1373", - "title": "Using Transport Layer Security", + "id": "control-0401", + "title": "Secure programming practices", "parts": [ { - "id": "control-1373-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "Anonymous DH is not used." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." } ] }, { - "id": "control-1374", - "title": "Using Transport Layer Security", + "id": "control-0402", + "title": "Software testing", "parts": [ { - "id": "control-1374-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] }, { - "id": "control-1375", - "title": "Using Transport Layer Security", + "id": "control-1616", + "title": "Vulnerability disclosure program", "parts": [ { - "id": "control-1375-stmt", + "id": "control-1616-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." 
+ "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." } ] - }, + } + ] + }, + { + "id": "web_application_development", + "title": "Web application development", + "controls": [ { - "id": "control-1553", - "title": "Using Transport Layer Security", + "id": "control-1239", + "title": "Web application frameworks", "parts": [ { - "id": "control-1553-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "TLS compression is disabled." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-1453", - "title": "Perfect Forward Secrecy", + "id": "control-1552", + "title": "Web application interactions", "parts": [ { - "id": "control-1453-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "All web application content is offered exclusively using HTTPS." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", - "controls": [ + }, { - "id": "control-0471", - "title": "Using ASD Approved Cryptographic Algorithms", + "id": "control-1240", + "title": "Web application input handling", "parts": [ { - "id": "control-0471-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "Only AACAs are used by cryptographic equipment and software." + "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-0994", - "title": "Approved asymmetric/public key algorithms", + "id": "control-1241", + "title": "Web application output encoding", "parts": [ { - "id": "control-0994-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "Output encoding is performed on all output produced by a web application." 
} ] }, { - "id": "control-0472", - "title": "Using Diffie-Hellman", + "id": "control-1424", + "title": "Web browser-based security controls", "parts": [ { - "id": "control-0472-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-0473", - "title": "Using the Digital Signature Algorithm", + "id": "control-0971", + "title": "Open Web Application Security Project", "parts": [ { - "id": "control-0473-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ { - "id": "control-1446", - "title": "Using Elliptic Curve Cryptography", + "id": "control-0123", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1446-stmt", + "id": "control-0123-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." 
} ] }, { - "id": "control-0474", - "title": "Using Elliptic Curve Diffie-Hellman", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0474-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-0475", - "title": "Using the Elliptic Curve Digital Signature Algorithm", + "id": "control-1433", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0475-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." } ] }, { - "id": "control-0476", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-1434", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0476-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." 
} ] }, { - "id": "control-0477", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0140", + "title": "Reporting cyber security incidents to the ACSC", "parts": [ { - "id": "control-0477-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "Cyber security incidents are reported to the ACSC." } ] - }, + } + ] + }, + { + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", + "controls": [ { - "id": "control-1054", - "title": "Approved hashing algorithms", + "id": "control-0125", + "title": "Cyber security incident register", "parts": [ { - "id": "control-1054-stmt", + "id": "control-0125-stmt", "name": "statement", - "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." + "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." } ] }, { - "id": "control-0479", - "title": "Approved symmetric encryption algorithms", + "id": "control-0133", + "title": "Handling and containing data spills", "parts": [ { - "id": "control-0479-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." 
} ] }, { - "id": "control-0480", - "title": "Using the Triple Data Encryption Standard", + "id": "control-0917", + "title": "Handling and containing malicious code infections", "parts": [ { - "id": "control-0480-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." } ] }, { - "id": "control-1232", - "title": "Protecting highly classified information", + "id": "control-0137", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-1232-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-1468", - "title": "Protecting highly classified information", - "parts": [ - { - "id": "control-1468-stmt", - "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." 
- } - ] - } - ] - }, - { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", - "controls": [ - { - "id": "control-0501", - "title": "Commercial grade cryptographic equipment", + "id": "control-1609", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-0501-stmt", + "id": "control-1609-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-0142", - "title": "Commercial grade cryptographic equipment", + "id": "control-1213", + "title": "Post-incident analysis", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." } ] }, { - "id": "control-1091", - "title": "Commercial grade cryptographic equipment", + "id": "control-0138", + "title": "Integrity of evidence", "parts": [ { - "id": "control-1091-stmt", + "id": "control-0138-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." 
} ] - }, + } + ] + }, + { + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", + "controls": [ { - "id": "control-0499", - "title": "High Assurance Cryptographic Equipment", + "id": "control-0576", + "title": "Intrusion detection and prevention policy", "parts": [ { - "id": "control-0499-stmt", + "id": "control-0576-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "An intrusion detection and prevention policy is developed and implemented." } ] }, { - "id": "control-0505", - "title": "Storing cryptographic equipment", + "id": "control-0120", + "title": "Access to sufficient data sources and tools", "parts": [ { - "id": "control-0505-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_networking", + "title": "Guidelines for Networking", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ { - "id": "control-0506", - "title": "Storing cryptographic equipment", + "id": "control-1437", + "title": "Cloud-based hosting of online services", "parts": [ { - "id": "control-0506-stmt", + "id": "control-1437-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "A cloud service provider is used for hosting online services." 
} ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Configuring Secure Shell", + "id": "control-1578", + "title": "Location policies for online services", "parts": [ { - "id": "control-1506-stmt", + "id": "control-1578-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." } ] }, { - "id": "control-0484", - "title": "Configuring Secure Shell", + "id": "control-1579", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0484-stmt", + "id": "control-1579-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." + "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." } ] }, { - "id": "control-0485", - "title": "Authentication mechanisms", + "id": "control-1580", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0485-stmt", + "id": "control-1580-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." } ] }, { - "id": "control-1449", - "title": "Authentication mechanisms", + "id": "control-1441", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1449-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." 
+ "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." } ] }, { - "id": "control-0487", - "title": "Automated remote access", + "id": "control-1581", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0487-stmt", + "id": "control-1581-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + "prose": "Organisations perform continuous real-time monitoring of the availability of online services." } ] }, { - "id": "control-0488", - "title": "Automated remote access", + "id": "control-1438", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0488-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." } ] }, { - "id": "control-0489", - "title": "SSH-agent", + "id": "control-1439", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0489-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." 
} ] - } - ] - }, - { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", - "controls": [ + }, { - "id": "control-0481", - "title": "Using ASD Approved Cryptographic Protocols", + "id": "control-1431", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0481-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "Only AACPs are used by cryptographic equipment and software." + "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." } ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Using Secure/Multipurpose Internet Mail Extension", + "id": "control-1458", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0490-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." 
} ] - } - ] - }, - { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", - "controls": [ + }, { - "id": "control-1161", - "title": "Reducing physical storage and handling requirements", + "id": "control-1432", + "title": "Domain name registrar locking", "parts": [ { - "id": "control-1161-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." } ] }, { - "id": "control-0457", - "title": "Reducing physical storage and handling requirements", + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", "parts": [ { - "id": "control-0457-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] }, { - "id": "control-0460", - "title": "Reducing physical storage and handling requirements", + "id": "control-1436", + "title": "Segregation of critical online services", "parts": [ { - "id": "control-0460-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." 
} ] }, { - "id": "control-0459", - "title": "Encrypting information at rest", + "id": "control-1518", + "title": "Preparing for service continuity", "parts": [ { - "id": "control-0459-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." } ] - }, + } + ] + }, + { + "id": "wireless_networks", + "title": "Wireless networks", + "controls": [ { - "id": "control-0461", - "title": "Encrypting information at rest", + "id": "control-1314", + "title": "Choosing wireless access points", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-1080", - "title": "Encrypting particularly important information at rest", + "id": "control-0536", + "title": "Wireless networks for public access", "parts": [ { - "id": "control-1080-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." 
} ] }, { - "id": "control-0455", - "title": "Data recovery", + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", "parts": [ { - "id": "control-0455-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." } ] }, { - "id": "control-0462", - "title": "Handling encrypted ICT equipment and media", + "id": "control-1316", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0462-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "The default SSID of wireless access points is changed." } ] }, { - "id": "control-1162", - "title": "Encrypting information in transit", + "id": "control-1317", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1162-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." 
} ] }, { - "id": "control-0465", - "title": "Encrypting information in transit", + "id": "control-1318", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0465-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "SSID broadcasting is enabled on wireless networks." } ] }, { - "id": "control-0467", - "title": "Encrypting information in transit", + "id": "control-1319", + "title": "Static addressing", "parts": [ { - "id": "control-0467-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." } ] }, { - "id": "control-0469", - "title": "Encrypting particularly important information in transit", + "id": "control-1320", + "title": "Media Access Control address filtering", "parts": [ { - "id": "control-0469-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." 
} ] - } - ] - }, - { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", - "controls": [ + }, { - "id": "control-0494", - "title": "Mode of operation", + "id": "control-1321", + "title": "802.1X authentication", "parts": [ { - "id": "control-0494-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] }, { - "id": "control-0496", - "title": "Protocol selection", + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", "parts": [ { - "id": "control-0496-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." } ] }, { - "id": "control-1233", - "title": "Key exchange", + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1233-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." } ] }, { - "id": "control-0497", - "title": "Internet Security Association Key Management Protocol modes", + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0497-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "Both device and user certificates are required for accessing wireless networks." 
} ] }, { - "id": "control-0498", - "title": "Security association lifetimes", + "id": "control-1325", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0498-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." } ] }, { - "id": "control-0998", - "title": "Hashed Message Authentication Code algorithms", + "id": "control-1326", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0998-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." } ] }, { - "id": "control-0999", - "title": "Diffie-Hellman groups", + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0999-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." } ] }, { - "id": "control-1000", - "title": "Perfect Forward Secrecy", + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", "parts": [ { - "id": "control-1000-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." 
} ] }, { - "id": "control-1001", - "title": "Internet Key Exchange Extended Authentication", + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", "parts": [ { - "id": "control-1001-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ - { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ + }, { - "id": "control-0041", - "title": "System security plan", + "id": "control-1332", + "title": "Encryption of wireless network traffic", "parts": [ { - "id": "control-0041-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." 
} ] }, { - "id": "control-0043", - "title": "Incident response plan", + "id": "control-1334", + "title": "Interference between wireless networks", "parts": [ { - "id": "control-0043-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." 
} ] }, { - "id": "control-1163", - "title": "Continuous monitoring plan", + "id": "control-1335", + "title": "Protecting management frames on wireless networks", "parts": [ { - "id": "control-1163-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." } ] }, { - "id": "control-1563", - "title": "Security assessment report", + "id": "control-1338", + "title": "Wireless network footprint", "parts": [ { - "id": "control-1563-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." 
} ] }, { - "id": "control-1564", - "title": "Plan of action and milestones", + "id": "control-1013", + "title": "Wireless network footprint", "parts": [ { - "id": "control-1564-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." } ] } ] }, { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", + "id": "network_design_and_configuration", + "title": "Network design and configuration", "controls": [ { - "id": "control-0039", - "title": "Cyber security strategy", + "id": "control-0516", + "title": "Network documentation", "parts": [ { - "id": "control-0039-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." } ] }, { - "id": "control-0047", - "title": "Approval of security documentation", + "id": "control-0518", + "title": "Network documentation", "parts": [ { - "id": "control-0047-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." 
} ] }, { - "id": "control-0888", - "title": "Maintenance of security documentation", + "id": "control-1178", + "title": "Network documentation", "parts": [ { - "id": "control-0888-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." } ] }, { - "id": "control-1602", - "title": "Communication of security documentation", + "id": "control-1181", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-1602-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", - "controls": [ + }, { - "id": "control-0252", - "title": "Providing cyber security awareness training", + "id": "control-1577", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0252-stmt", + "id": "control-1577-stmt", "name": "statement", - "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." 
+ "prose": "Organisation networks are segregated from service provider networks." } ] }, { - "id": "control-1565", - "title": "Providing cyber security awareness training", + "id": "control-1532", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1565-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "Tailored privileged user training is undertaken annually by all privileged users." + "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0817", - "title": "Reporting suspicious contact via online services", + "id": "control-0529", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0817-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." } ] }, { - "id": "control-0820", - "title": "Posting work information to online services", + "id": "control-1364", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0820-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." } ] }, { - "id": "control-1146", - "title": "Posting work information to online services", + "id": "control-0535", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1146-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." 
+ "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-0821", - "title": "Posting personal information to online services", + "id": "control-0530", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0821-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + "prose": "Network devices implementing VLANs are managed from the most trusted network." } ] }, { - "id": "control-0824", - "title": "Sending and receiving files via online services", + "id": "control-0521", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0824-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "System access requirements", + "id": "control-1186", + "title": "Using Internet Protocol version 6", + "parts": [ + { + "id": "control-1186-stmt", + "name": "statement", + "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + } + ] + }, + { + "id": "control-1428", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0432-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." 
+ "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-0434", - "title": "System access requirements", + "id": "control-1429", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0434-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." } ] }, { - "id": "control-0435", - "title": "System access requirements", + "id": "control-1430", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0435-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." } ] }, { - "id": "control-0414", - "title": "User identification", + "id": "control-0520", + "title": "Network access controls", "parts": [ { - "id": "control-0414-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] }, { - "id": "control-0415", - "title": "User identification", + "id": "control-1182", + "title": "Network access controls", "parts": [ { - "id": "control-0415-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." 
+ "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] }, { - "id": "control-1583", - "title": "User identification", + "id": "control-1301", + "title": "Network device register", "parts": [ { - "id": "control-1583-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "Personnel who are contractors are identified as such." + "prose": "A network device register is maintained and regularly audited." } ] }, { - "id": "control-0975", - "title": "User identification", + "id": "control-1304", + "title": "Default accounts for network devices", "parts": [ { - "id": "control-0975-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-0420", - "title": "User identification", + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", "parts": [ { - "id": "control-0420-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Unused physical ports on network devices are disabled." } ] }, { - "id": "control-0405", - "title": "Standard access to systems", + "id": "control-0385", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0405-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." 
+ "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-1503", - "title": "Standard access to systems", + "id": "control-1479", + "title": "Functional separation between servers", "parts": [ { - "id": "control-1503-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-1566", - "title": "Standard access to systems", + "id": "control-1006", + "title": "Management traffic", "parts": [ { - "id": "control-1566-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." } ] }, { - "id": "control-0409", - "title": "Standard access to systems by foreign nationals", + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-0409-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "SNMP version 1 and 2 are not used on networks." 
} ] }, { - "id": "control-0411", - "title": "Standard access to systems by foreign nationals", + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-0411-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." } ] }, { - "id": "control-1507", - "title": "Privileged access to systems", + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1507-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." } ] }, { - "id": "control-1508", - "title": "Privileged access to systems", + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1508-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." 
} ] }, { - "id": "control-0445", - "title": "Privileged access to systems", + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0445-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ + { + "id": "system_owners", + "title": "System owners", + "controls": [ { - "id": "control-1509", - "title": "Privileged access to systems", + "id": "control-1071", + "title": "System ownership", "parts": [ { - "id": "control-1509-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "Each system has a designated system owner." } ] }, { - "id": "control-1175", - "title": "Privileged access to systems", + "id": "control-1525", + "title": "Gaining authorisation to operate systems", "parts": [ { - "id": "control-1175-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + "prose": "System owners register each system with the system’s authorising officer." 
} ] }, { - "id": "control-0448", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0027", + "title": "Gaining authorisation to operate systems", "parts": [ { - "id": "control-0448-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." + "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." } ] }, { - "id": "control-0446", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1526", + "title": "Monitoring cyber threats, security risks and security controls", "parts": [ { - "id": "control-0446-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." + "prose": "System owners monitor security risks and the effectiveness of security controls for each system." } ] }, { - "id": "control-0447", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1587", + "title": "Annual reporting of system security status", "parts": [ { - "id": "control-0447-stmt", + "id": "control-1587-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "System owners report the security status of each system to its authorising officer at least annually." 
+ } + ] + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ + { + "id": "control-0714", + "title": "Providing cyber security leadership and guidance", + "parts": [ + { + "id": "control-0714-stmt", + "name": "statement", + "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." } ] }, { - "id": "control-0430", - "title": "Suspension of access to systems", + "id": "control-1478", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-0430-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." } ] }, { - "id": "control-1591", - "title": "Suspension of access to systems", + "id": "control-1617", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1591-stmt", + "id": "control-1617-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." + "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." 
} ] }, { - "id": "control-1404", - "title": "Suspension of access to systems", + "id": "control-0724", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1404-stmt", + "id": "control-0724-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." } ] }, { - "id": "control-0407", - "title": "Recording authorisation for personnel to access systems", + "id": "control-0725", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-0407-stmt", + "id": "control-0725-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." + "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." } ] }, { - "id": "control-0441", - "title": "Temporary access to systems", + "id": "control-0726", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-0441-stmt", + "id": "control-0726-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "The CISO coordinates security risk management activities between cyber security and business teams." 
} ] }, { - "id": "control-0443", - "title": "Temporary access to systems", + "id": "control-0718", + "title": "Reporting on cyber security", "parts": [ { - "id": "control-0443-stmt", + "id": "control-0718-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." } ] }, { - "id": "control-1610", - "title": "Emergency access to systems", + "id": "control-0733", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-1610-stmt", + "id": "control-0733-stmt", "name": "statement", - "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "The CISO is fully aware of all cyber security incidents within their organisation." } ] }, { - "id": "control-1611", - "title": "Emergency access to systems", + "id": "control-1618", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-1611-stmt", + "id": "control-1618-stmt", "name": "statement", - "prose": "Break glass accounts are only used when normal authentication processes cannot be used." + "prose": "The CISO oversees their organisation’s response to cyber security incidents." } ] }, { - "id": "control-1612", - "title": "Emergency access to systems", + "id": "control-0734", + "title": "Contributing to business continuity and disaster recovery planning", "parts": [ { - "id": "control-1612-stmt", + "id": "control-0734-stmt", "name": "statement", - "prose": "Break glass accounts are only used for specific authorised activities." 
+ "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." } ] }, { - "id": "control-1613", - "title": "Emergency access to systems", + "id": "control-0720", + "title": "Developing a cyber security communications strategy", "parts": [ { - "id": "control-1613-stmt", + "id": "control-0720-stmt", "name": "statement", - "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." + "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." } ] }, { - "id": "control-1614", - "title": "Emergency access to systems", + "id": "control-0731", + "title": "Working with suppliers and service providers", "parts": [ { - "id": "control-1614-stmt", + "id": "control-0731-stmt", "name": "statement", - "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." + "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." } ] }, { - "id": "control-1615", - "title": "Emergency access to systems", + "id": "control-0732", + "title": "Receiving and managing a dedicated cyber security budget", "parts": [ { - "id": "control-1615-stmt", + "id": "control-0732-stmt", "name": "statement", - "prose": "Break glass accounts are tested after credentials are changed." + "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." 
} ] }, { - "id": "control-0078", - "title": "Control of Australian systems", + "id": "control-0717", + "title": "Overseeing cyber security personnel", "parts": [ { - "id": "control-0078-stmt", + "id": "control-0717-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "The CISO oversees the management of cyber security personnel within their organisation." } ] }, { - "id": "control-0854", - "title": "Control of Australian systems", + "id": "control-0735", + "title": "Overseeing cyber security awareness raising", "parts": [ { - "id": "control-0854-stmt", + "id": "control-0735-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." + "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." } ] } 
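Review bot: this region of the hunk pairs unrelated controls line-for-line, for example `control-0494` "Mode of operation" (IPsec tunnel mode) is shown as replaced by `control-1321` "802.1X authentication", and the `guidelines_for_security_documentation` and `guidelines_for_personnel_security` groups appear as wholesale deletions while `guidelines_for_cyber_security_roles` (with `system_owners` and `chief_information_security_officer`) appears as a wholesale addition, so the change reads as the regenerated catalog emitting groups in a different order rather than as edits to control content, but nothing in this hunk lets a reviewer confirm that every removed control (the IPsec set `control-0494` through `control-1001`, the security documentation set `control-0041` through `control-1602`, the personnel security set `control-0252` through `control-0854`) reappears elsewhere in the file with identical `statement` prose. Please state in the PR description whether this regeneration is order-only, and back that with a check that the set of control ids and their prose is identical before and after (extract id/prose pairs from both versions, sort by id, diff); if trestle 1.0.x orders groups differently from the previous version, consider emitting groups and controls in a stable sorted order so future regenerations produce reviewable diffs.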
@@ -4644,1842 +4513,1929 @@ ] }, { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", + "id": "guidelines_for_data_transfers", + "title": "Guidelines for Data Transfers", "groups": [ { - "id": "authentication_hardening", - "title": "Authentication hardening", + "id": "data_transfers", + "title": "Data transfers", "controls": [ { - "id": "control-1546", - "title": "Authenticating to systems", + "id": "control-0663", + "title": "Data transfer process and procedures", "parts": [ { - "id": "control-1546-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-0974", - "title": "Multi-factor authentication", + "id": "control-0661", + "title": "User responsibilities", "parts": [ { - "id": "control-0974-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." } ] }, { - "id": "control-1173", - "title": "Multi-factor authentication", + "id": "control-0665", + "title": "Trusted sources", "parts": [ { - "id": "control-1173-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." 
} ] }, { - "id": "control-1384", - "title": "Multi-factor authentication", + "id": "control-0664", + "title": "Data transfer approval", "parts": [ { - "id": "control-1384-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." } ] }, { - "id": "control-1504", - "title": "Multi-factor authentication", + "id": "control-0675", + "title": "Data transfer approval", "parts": [ { - "id": "control-1504-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "A trusted source signs all data authorised for export from a system." } ] }, { - "id": "control-1505", - "title": "Multi-factor authentication", + "id": "control-0657", + "title": "Import of data", "parts": [ { - "id": "control-1505-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "Data imported to a system is scanned for malicious and active content." } ] }, { - "id": "control-1401", - "title": "Multi-factor authentication", + "id": "control-0658", + "title": "Import of data", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." 
} ] }, { - "id": "control-1559", - "title": "Multi-factor authentication", + "id": "control-1187", + "title": "Export of data", "parts": [ { - "id": "control-1559-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "When exporting data, protective marking checks are undertaken." } ] }, { - "id": "control-1560", - "title": "Multi-factor authentication", + "id": "control-0669", + "title": "Export of data", "parts": [ { - "id": "control-1560-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." } ] }, { - "id": "control-1561", - "title": "Multi-factor authentication", + "id": "control-1535", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1561-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-1357", - "title": "Multi-factor authentication", + "id": "control-0678", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1357-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." 
+ "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." } ] }, { - "id": "control-0417", - "title": "Single-factor authentication", + "id": "control-1586", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0417-stmt", + "id": "control-1586-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + "prose": "Data transfer logs are used to record all data imports and exports from systems." } ] }, { - "id": "control-0421", - "title": "Single-factor authentication", + "id": "control-1294", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0421-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "Data transfer logs are partially audited at least monthly." } ] }, { - "id": "control-1557", - "title": "Single-factor authentication", + "id": "control-0660", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "Data transfer logs are fully audited at least monthly." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_ict_equipment", + "title": "Guidelines for ICT Equipment", + "groups": [ + { + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", + "controls": [ + { + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", + "parts": [ + { + "id": "control-0313-stmt", + "name": "statement", + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0422", - "title": "Single-factor authentication", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0422-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-1558", - "title": "Single-factor authentication", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." 
} ] }, { - "id": "control-1596", - "title": "Single-factor authentication", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1596-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." } ] }, { - "id": "control-1227", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1227-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1593", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0315", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1593-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." + "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." 
} ] }, { - "id": "control-1594", - "title": "Setting and resetting credentials for user accounts", + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1594-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." } ] }, { - "id": "control-1595", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1595-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." } ] }, { - "id": "control-1619", - "title": "Setting and resetting credentials for service accounts", + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1619-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "Service accounts are created as group Managed Service Accounts." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." 
} ] }, { - "id": "control-1403", - "title": "Account lockouts", + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1403-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." } ] }, { - "id": "control-0431", - "title": "Account lockouts", + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0431-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." } ] }, { - "id": "control-0976", - "title": "Account unlocks", + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0976-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-1603", - "title": "Unsecure authentication methods", + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1603-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "Authentication methods susceptible to replay attacks are disabled." + "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." 
} ] }, { - "id": "control-1055", - "title": "Unsecure authentication methods", + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1055-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." } ] }, { - "id": "control-1620", - "title": "Unsecure authentication methods", + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-1620-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "Privileged accounts are members of the Protected Users security group." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-0418", - "title": "Protecting credentials", + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0418-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." } ] }, { - "id": "control-1597", - "title": "Protecting credentials", + "id": "control-1223", + "title": "Sanitising network devices", "parts": [ { - "id": "control-1597-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "Credentials are obscured as they are entered into systems." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." 
} ] }, { - "id": "control-1402", - "title": "Protecting credentials", + "id": "control-1225", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1402-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-1590", - "title": "Protecting credentials", + "id": "control-1226", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1590-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-0853", - "title": "Session termination", + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", "parts": [ { - "id": "control-0853-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." 
} ] }, { - "id": "control-0428", - "title": "Session and screen locking", + "id": "control-0305", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0428-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." } ] }, { - "id": "control-0408", - "title": "Logon banner", + "id": "control-0307", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0408-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-0979", - "title": "Logon banner", + "id": "control-0306", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0979-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." 
+ "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." } ] - } - ] - }, - { - "id": "operating_system_hardening", - "title": "Operating system hardening", - "controls": [ + }, { - "id": "control-1406", - "title": "Standard Operating Environments", + "id": "control-0310", + "title": "Off-site maintenance and repairs", "parts": [ { - "id": "control-1406-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "SOEs are used for workstations and servers." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] }, { - "id": "control-1608", - "title": "Standard Operating Environments", + "id": "control-0944", + "title": "Maintenance and repair of ICT equipment from secured spaces", "parts": [ { - "id": "control-1608-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." + "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." } ] }, { - "id": "control-1588", - "title": "Standard Operating Environments", + "id": "control-1598", + "title": "Inspection of ICT equipment following maintenance and repairs", "parts": [ { - "id": "control-1588-stmt", + "id": "control-1598-stmt", "name": "statement", - "prose": "SOEs are reviewed and updated at least annually." 
+ "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." } ] - }, + } + ] + }, + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ { - "id": "control-1407", - "title": "Operating system versions", + "id": "control-1551", + "title": "ICT equipment management policy", "parts": [ { - "id": "control-1407-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-1408", - "title": "Operating system versions", + "id": "control-0293", + "title": "Classifying ICT equipment", "parts": [ { - "id": "control-1408-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." } ] }, { - "id": "control-1409", - "title": "Operating system configuration", + "id": "control-0294", + "title": "Labelling ICT equipment", "parts": [ { - "id": "control-1409-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
} ] }, { - "id": "control-0383", - "title": "Operating system configuration", + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", "parts": [ { - "id": "control-0383-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] }, { - "id": "control-0380", - "title": "Operating system configuration", + "id": "control-1599", + "title": "Handling ICT equipment", "parts": [ { - "id": "control-0380-stmt", + "id": "control-1599-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-1584", - "title": "Operating system configuration", + "id": "control-0039", + "title": "Cyber security strategy", "parts": [ { - "id": "control-1584-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." + "prose": "A cyber security strategy is developed and implemented for the organisation." 
} ] }, { - "id": "control-1491", - "title": "Operating system configuration", + "id": "control-0047", + "title": "Approval of security documentation", "parts": [ { - "id": "control-1491-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "Standard users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe) \n• Microsoft HTML Application Host (mshta.exe)." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." } ] }, { - "id": "control-1410", - "title": "Local administrator accounts", + "id": "control-0888", + "title": "Maintenance of security documentation", "parts": [ { - "id": "control-1410-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1469", - "title": "Local administrator accounts", + "id": "control-1602", + "title": "Communication of security documentation", "parts": [ { - "id": "control-1469-stmt", + "id": "control-1602-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." 
} ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-1592", - "title": "Application management", + "id": "control-0041", + "title": "System security plan", "parts": [ { - "id": "control-1592-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "Users do not have the ability to install unapproved software." + "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-0382", - "title": "Application management", + "id": "control-0043", + "title": "Incident response plan", "parts": [ { - "id": "control-0382-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "Users do not have the ability to uninstall or disable approved software." + "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." 
} ] }, { - "id": "control-0843", - "title": "Application control", + "id": "control-1163", + "title": "Continuous monitoring plan", "parts": [ { - "id": "control-0843-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." } ] }, { - "id": "control-1490", - "title": "Application control", + "id": "control-1563", + "title": "Security assessment report", "parts": [ { - "id": "control-1490-stmt", + "id": "control-1563-stmt", "name": "statement", - "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." 
} ] }, { - "id": "control-0955", - "title": "Application control", + "id": "control-1564", + "title": "Plan of action and milestones", "parts": [ { - "id": "control-0955-stmt", + "id": "control-1564-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media", + "title": "Guidelines for Media", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-1582", - "title": "Application control", + "id": "control-0363", + "title": "Media destruction process and procedures", "parts": [ { - "id": "control-1582-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-1471", - "title": "Application control", + "id": "control-0350", + "title": "Media that cannot be sanitised", "parts": [ { - "id": "control-1471-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." 
} ] }, { - "id": "control-1392", - "title": "Application control", + "id": "control-1361", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1392-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "SCEC or ASIO approved equipment is used when destroying media." } ] }, { - "id": "control-1544", - "title": "Application control", + "id": "control-1160", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1544-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." } ] }, { - "id": "control-0846", - "title": "Application control", + "id": "control-1517", + "title": "Media destruction methods", "parts": [ { - "id": "control-0846-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." + "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." 
} ] }, { - "id": "control-0957", - "title": "Application control", + "id": "control-0366", + "title": "Media destruction methods", "parts": [ { - "id": "control-0957-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." } ] }, { - "id": "control-1414", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-0368", + "title": "Treatment of media waste particles", "parts": [ { - "id": "control-1414-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." } ] }, { - "id": "control-1492", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-0361", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1492-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "If supported, Microsoft's exploit protection functionality is implemented on workstations and servers." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." 
} ] }, { - "id": "control-1621", - "title": "PowerShell", + "id": "control-0838", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1621-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "PowerShell 2.0 and below is removed from operating systems." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." } ] }, { - "id": "control-1622", - "title": "PowerShell", + "id": "control-0362", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1622-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "PowerShell is configured to use Constrained Language Mode." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." } ] }, { - "id": "control-1623", - "title": "PowerShell", + "id": "control-0370", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1623-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1624", - "title": "PowerShell", + "id": "control-0371", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1624-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." 
} ] }, { - "id": "control-1341", - "title": "Host-based Intrusion Prevention System", + "id": "control-0372", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1341-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1034", - "title": "Host-based Intrusion Prevention System", + "id": "control-0373", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1034-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." } ] }, { - "id": "control-1416", - "title": "Software firewall", + "id": "control-0840", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1416-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." 
} ] }, { - "id": "control-1417", - "title": "Antivirus software", + "id": "control-0839", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1417-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." } ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-1390", - "title": "Antivirus software", + "id": "control-0374", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1390-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." } ] }, { - "id": "control-1418", - "title": "Device access control software", + "id": "control-0375", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1418-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." 
} ] }, { - "id": "control-0345", - "title": "Device access control software", + "id": "control-0378", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-0345-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "External interfaces of workstations and servers that allow DMA are disabled." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." } ] } ] }, { - "id": "application_hardening", - "title": "Application hardening", + "id": "media_usage", + "title": "Media usage", "controls": [ { - "id": "control-0938", - "title": "Application selection", + "id": "control-1549", + "title": "Media management policy", "parts": [ { - "id": "control-0938-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-1467", - "title": "Application versions", + "id": "control-1359", + "title": "Removable media usage policy", "parts": [ { - "id": "control-1467-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." + "prose": "A removable media usage policy is developed and implemented." 
} ] }, { - "id": "control-1483", - "title": "Application versions", + "id": "control-0323", + "title": "Classifying media storing information", "parts": [ { - "id": "control-1483-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." } ] }, { - "id": "control-1412", - "title": "Hardening application configurations", + "id": "control-0325", + "title": "Classifying media connected to systems", "parts": [ { - "id": "control-1412-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-1484", - "title": "Hardening application configurations", + "id": "control-0331", + "title": "Reclassifying media", "parts": [ { - "id": "control-1484-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." 
} ] }, { - "id": "control-1485", - "title": "Hardening application configurations", + "id": "control-0330", + "title": "Reclassifying media", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." } ] }, { - "id": "control-1486", - "title": "Hardening application configurations", + "id": "control-0332", + "title": "Labelling media", "parts": [ { - "id": "control-1486-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-1541", - "title": "Hardening application configurations", + "id": "control-1600", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1541-stmt", + "id": "control-1600-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." + "prose": "Media is sanitised before it is used with systems for the first time." } ] }, { - "id": "control-1542", - "title": "Hardening application configurations", + "id": "control-0337", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1542-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." 
} ] }, { - "id": "control-1470", - "title": "Hardening application configurations", + "id": "control-0341", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1470-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." } ] }, { - "id": "control-1235", - "title": "Hardening application configurations", + "id": "control-0342", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1235-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-1601", - "title": "Hardening application configurations", + "id": "control-0343", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1601-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-1585", - "title": "Hardening application configurations", + "id": "control-0831", + "title": "Handling media", "parts": [ { - "id": "control-1585-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
} ] }, { - "id": "control-1487", - "title": "Microsoft Office macros", + "id": "control-1059", + "title": "Handling media", "parts": [ { - "id": "control-1487-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1488", - "title": "Microsoft Office macros", + "id": "control-0347", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1488-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." } ] }, { - "id": "control-1489", - "title": "Microsoft Office macros", + "id": "control-0947", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1489-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." + "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." 
} ] } ] }, { - "id": "virtualisation_hardening", - "title": "Virtualisation hardening", + "id": "media_sanitisation", + "title": "Media sanitisation", "controls": [ { - "id": "control-1460", - "title": "Functional separation between computing environments", + "id": "control-0348", + "title": "Media sanitisation process and procedures", "parts": [ { - "id": "control-1460-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-1604", - "title": "Functional separation between computing environments", + "id": "control-0351", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1604-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1605", - "title": "Functional separation between computing environments", + "id": "control-0352", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1605-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." } ] }, { - "id": "control-1606", - "title": "Functional separation between computing environments", + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", "parts": [ { - "id": "control-1606-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-1607", - "title": "Functional separation between computing environments", + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1607-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." 
+ "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-1462", - "title": "Functional separation between computing environments", + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1461", - "title": "Functional separation between computing environments", + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1461-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ - { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", - "controls": [ + }, { - "id": "control-0580", - "title": "Event logging policy", + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", "parts": [ { - "id": "control-0580-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-1405", - "title": "Centralised logging facility", + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1405-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0988", - "title": "Centralised logging facility", + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-0988-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." 
+ "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-0584", - "title": "Events to be logged", + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", "parts": [ { - "id": "control-0584-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-0582", - "title": "Events to be logged", + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", "parts": [ { - "id": "control-0582-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1536", - "title": "Events to be logged", + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", "parts": [ { - "id": "control-1536-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." } ] }, { - "id": "control-1537", - "title": "Events to be logged", + "id": "control-1464", + "title": "Encrypted media sanitisation", "parts": [ { - "id": "control-1537-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." + "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_cryptography", + "title": "Guidelines for Cryptography", + "groups": [ + { + "id": "secure_shell", + "title": "Secure Shell", + "controls": [ + { + "id": "control-1506", + "title": "Configuring Secure Shell", + "parts": [ + { + "id": "control-1506-stmt", + "name": "statement", + "prose": "The use of SSH version 1 is disabled." 
} ] }, { - "id": "control-0585", - "title": "Events log details", + "id": "control-0484", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-0585-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-0586", - "title": "Event log protection", + "id": "control-0485", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-0586-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." + "prose": "Public key-based authentication is used for SSH connections." } ] }, { - "id": "control-0859", - "title": "Event log retention", + "id": "control-1449", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-0859-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "SSH private keys are protected with a passphrase or a key encryption key." } ] }, { - "id": "control-0991", - "title": "Event log retention", + "id": "control-0487", + "title": "Automated remote access", "parts": [ { - "id": "control-0991-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." 
} ] }, { - "id": "control-0109", - "title": "Event log auditing process and procedures", + "id": "control-0488", + "title": "Automated remote access", "parts": [ { - "id": "control-0109-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." } ] }, { - "id": "control-1228", - "title": "Event log auditing process and procedures", + "id": "control-0489", + "title": "SSH-agent", "parts": [ { - "id": "control-1228-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", - "groups": [ + }, { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", "controls": [ { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-0123-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "Only AACAs are used by cryptographic equipment and software." } ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", "parts": [ { - "id": "control-0141-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." } ] }, { - "id": "control-1433", - "title": "Reporting cyber security incidents", + "id": "control-0472", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-1433-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." 
} ] }, { - "id": "control-1434", - "title": "Reporting cyber security incidents", + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-1434-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents to the ACSC", + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", "parts": [ { - "id": "control-0140-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." } ] - } - ] - }, - { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", - "controls": [ + }, { - "id": "control-0125", - "title": "Cyber security incident register", + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", "parts": [ { - "id": "control-0125-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." + "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." 
} ] }, { - "id": "control-0133", - "title": "Handling and containing data spills", + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", "parts": [ { - "id": "control-0133-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." + "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] }, { - "id": "control-0917", - "title": "Handling and containing malicious code infections", + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0917-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-0137", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0137-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." 
+ "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." } ] }, { - "id": "control-1609", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-1054", + "title": "Approved hashing algorithms", "parts": [ { - "id": "control-1609-stmt", + "id": "control-1054-stmt", "name": "statement", - "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." } ] }, { - "id": "control-1213", - "title": "Post-incident analysis", + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", "parts": [ { - "id": "control-1213-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." } ] }, { - "id": "control-0138", - "title": "Integrity of evidence", + "id": "control-0480", + "title": "Using the Triple Data Encryption Standard", "parts": [ { - "id": "control-0138-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." + "prose": "3DES is used with three distinct keys." 
} ] - } - ] - }, - { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", - "controls": [ + }, { - "id": "control-0576", - "title": "Intrusion detection and prevention policy", + "id": "control-1232", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0576-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "AACAs are used in an evaluated implementation." } ] }, { - "id": "control-0120", - "title": "Access to sufficient data sources and tools", + "id": "control-1468", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-0120-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." } ] } ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ + }, { - "id": "mobile_device_usage", - "title": "Mobile device usage", + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", "controls": [ { - "id": "control-1082", - "title": "Mobile device usage policy", + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-1082-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "Versions of S/MIME earlier than 3.0 are not used." 
} ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-1083", - "title": "Personnel awareness", + "id": "control-1139", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1083-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "Only the latest version of TLS is used." } ] }, { - "id": "control-0240", - "title": "Paging and message services", + "id": "control-1369", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0240-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-0866", - "title": "Using mobile devices in public spaces", + "id": "control-1370", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0866-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "Only server-initiated secure renegotiation is used." } ] }, { - "id": "control-1145", - "title": "Using mobile devices in public spaces", + "id": "control-1372", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1145-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." + "prose": "DH or ECDH is used for key establishment." 
} ] }, { - "id": "control-0871", - "title": "Maintaining control of mobile devices", + "id": "control-1448", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0871-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." } ] }, { - "id": "control-0870", - "title": "Maintaining control of mobile devices", + "id": "control-1373", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0870-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-1084", - "title": "Carrying mobile devices", + "id": "control-1374", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1084-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "SHA-2-based certificates are used." } ] }, { - "id": "control-0701", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1375", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0701-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." 
} ] }, { - "id": "control-0702", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-1553", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0702-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "TLS compression is disabled." } ] }, { - "id": "control-1298", - "title": "Before travelling overseas with mobile devices", + "id": "control-1453", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1298-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "PFS is used for TLS connections." } ] - }, + } + ] + }, + { + "id": "cryptographic_system_management", + "title": "Cryptographic system management", + "controls": [ { - "id": "control-1554", - "title": "Before travelling overseas with mobile devices", + "id": "control-0501", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1554-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." 
} ] }, { - "id": "control-1555", - "title": "Before travelling overseas with mobile devices", + "id": "control-0142", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1555-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." 
} ] }, { - "id": "control-1299", - "title": "While travelling overseas with mobile devices", + "id": "control-1091", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-1299-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "Keying material is changed when compromised or suspected of being compromised." 
} ] }, { - "id": "control-1088", - "title": "While travelling overseas with mobile devices", + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", "parts": [ { - "id": "control-1088-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." } ] }, { - "id": "control-1300", - "title": "After travelling overseas with mobile devices", + "id": "control-0505", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1300-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." 
} ] }, { - "id": "control-1556", - "title": "After travelling overseas with mobile devices", + "id": "control-0506", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1556-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." } ] } ] }, { - "id": "mobile_device_management", - "title": "Mobile device management", + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", "controls": [ { - "id": "control-1533", - "title": "Mobile device management policy", + "id": "control-1161", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1533-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." } ] }, { - "id": "control-1195", - "title": "Mobile device management policy", + "id": "control-0457", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1195-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." 
+ "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] }, { - "id": "control-0687", - "title": "Mobile device management policy", + "id": "control-0460", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-0687-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-1400", - "title": "Privately-owned mobile devices", + "id": "control-0459", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-1400-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-0694", - "title": "Privately-owned mobile devices", + "id": "control-0461", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0694-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems or information." 
+ "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-1297", - "title": "Seeking legal advice for privately-owned mobile devices", + "id": "control-1080", + "title": "Encrypting particularly important information at rest", "parts": [ { - "id": "control-1297-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." } ] }, { - "id": "control-1482", - "title": "Organisation-owned mobile devices", + "id": "control-0455", + "title": "Data recovery", "parts": [ { - "id": "control-1482-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." } ] }, { - "id": "control-0869", - "title": "Mobile device storage encryption", + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", "parts": [ { - "id": "control-0869-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
+ "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] }, { - "id": "control-1085", - "title": "Mobile device communications encryption", + "id": "control-1162", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1085-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1202", - "title": "Mobile device Bluetooth functionality", + "id": "control-0465", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1202-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0682", - "title": "Mobile device Bluetooth functionality", + "id": "control-0467", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-0682-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
+ "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-1196", - "title": "Mobile device Bluetooth pairing", + "id": "control-0469", + "title": "Encrypting particularly important information in transit", "parts": [ { - "id": "control-1196-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ { - "id": "control-1200", - "title": "Mobile device Bluetooth pairing", + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-1200-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "Only AACPs are used by cryptographic equipment and software." + } + ] + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ + { + "id": "control-0494", + "title": "Mode of operation", + "parts": [ + { + "id": "control-0494-stmt", + "name": "statement", + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." 
} ] }, { - "id": "control-1198", - "title": "Mobile device Bluetooth pairing", + "id": "control-0496", + "title": "Protocol selection", "parts": [ { - "id": "control-1198-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "The ESP protocol is used for IPsec connections." } ] }, { - "id": "control-1199", - "title": "Mobile device Bluetooth pairing", + "id": "control-1233", + "title": "Key exchange", "parts": [ { - "id": "control-1199-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-0863", - "title": "Configuration control", + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", "parts": [ { - "id": "control-0863-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." } ] }, { - "id": "control-0864", - "title": "Configuration control", + "id": "control-0498", + "title": "Security association lifetimes", "parts": [ { - "id": "control-0864-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." 
} ] }, { - "id": "control-1365", - "title": "Maintaining mobile device security", + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", "parts": [ { - "id": "control-1365-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-1366", - "title": "Maintaining mobile device security", + "id": "control-0999", + "title": "Diffie-Hellman groups", "parts": [ { - "id": "control-1366-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." } ] }, { - "id": "control-0874", - "title": "Connecting mobile devices to the internet", + "id": "control-1000", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-0874-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "PFS is used for IPsec connections." } ] }, { - "id": "control-0705", - "title": "Connecting mobile devices to the internet", + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", "parts": [ { - "id": "control-0705-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." } ] } 
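Review bot: this hunk is a wholesale reorder rather than a content edit, and that makes the real changes in the catalog impossible to review from the diff alone: `guidelines_for_cyber_security_incidents` (control-0123 through control-0120) is shown as deleted at this position while `asd_approved_cryptographic_algorithms`, `transport_layer_security`, `cryptographic_system_management`, `cryptographic_fundamentals`, `asd_approved_cryptographic_protocols` and `internet_protocol_security` appear in its place with their own control ids. Before merging, please confirm with an order-independent comparison (load the old and new catalog.json, collect each control id with its statement prose, and diff those sets) that no control statement changed unintentionally, and say in the commit message whether the catalogs were regenerated from source or only re-serialised by the new trestle version. One style point while you are in here: the new group id `"secure-multipurpose_internet_mail_extension"` uses a hyphen where every other group id in the hunk uses underscores (`"transport_layer_security"`, `"cryptographic_system_management"`); a consistent id such as `secure_multipurpose_internet_mail_extension` avoids surprises for anything that derives names from these ids, and if the generator produced the hyphen that is worth fixing there rather than by hand.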
@@ -6488,2032 +6444,2087 @@ ] }, { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", "groups": [ { - "id": "cable_labelling_and_registration", - "title": "Cable labelling and registration", + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", "controls": [ { - "id": "control-0201", - "title": "Conduit label specifications", + "id": "control-0252", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-0201-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." + "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." } ] }, { - "id": "control-0202", - "title": "Conduit label specifications", + "id": "control-1565", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-0202-stmt", + "id": "control-1565-stmt", "name": "statement", - "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." + "prose": "Tailored privileged user training is undertaken annually by all privileged users." 
} ] }, { - "id": "control-0203", - "title": "Conduit label specifications", + "id": "control-0817", + "title": "Reporting suspicious contact via online services", "parts": [ { - "id": "control-0203-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, { - "id": "control-0204", - "title": "Installing conduit labelling", + "id": "control-0820", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0204-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." } ] }, { - "id": "control-1095", - "title": "Labelling wall outlet boxes", + "id": "control-1146", + "title": "Posting work information to online services", "parts": [ { - "id": "control-1095-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." } ] }, { - "id": "control-1096", - "title": "Labelling cables", + "id": "control-0821", + "title": "Posting personal information to online services", "parts": [ { - "id": "control-1096-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." 
+ "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." } ] }, { - "id": "control-0206", - "title": "Cable labelling process and procedures", + "id": "control-0824", + "title": "Sending and receiving files via online services", "parts": [ { - "id": "control-0206-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." + } + ] + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ + { + "id": "control-0432", + "title": "System access requirements", + "parts": [ + { + "id": "control-0432-stmt", + "name": "statement", + "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." } ] }, { - "id": "control-0208", - "title": "Cable register", + "id": "control-0434", + "title": "System access requirements", "parts": [ { - "id": "control-0208-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." 
} ] }, { - "id": "control-0211", - "title": "Cable inspections", + "id": "control-0435", + "title": "System access requirements", "parts": [ { - "id": "control-0211-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "Cables are inspected for inconsistencies with the cable register at least annually." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] - } - ] - }, - { - "id": "cable_patching", - "title": "Cable patching", - "controls": [ + }, { - "id": "control-0213", - "title": "Terminations to patch panels", + "id": "control-0414", + "title": "User identification", "parts": [ { - "id": "control-0213-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "Only approved cable groups terminate on a patch panel." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." } ] }, { - "id": "control-1093", - "title": "Patch cable and fly lead connectors", + "id": "control-0415", + "title": "User identification", "parts": [ { - "id": "control-1093-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-0214", - "title": "Patch cable and fly lead connectors", + "id": "control-1583", + "title": "User identification", "parts": [ { - "id": "control-0214-stmt", + "id": "control-1583-stmt", "name": "statement", - "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." 
+ "prose": "Personnel who are contractors are identified as such." } ] }, { - "id": "control-1094", - "title": "Patch cable and fly lead connectors", + "id": "control-0975", + "title": "User identification", "parts": [ { - "id": "control-1094-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." + "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0216", - "title": "Physical separation of patch panels", + "id": "control-0420", + "title": "User identification", "parts": [ { - "id": "control-0216-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0217", - "title": "Physical separation of patch panels", + "id": "control-0405", + "title": "Standard access to systems", "parts": [ { - "id": "control-0217-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." 
} ] }, { - "id": "control-0218", - "title": "Fly lead installation", + "id": "control-1503", + "title": "Standard access to systems", "parts": [ { - "id": "control-0218-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ + }, { - "id": "control-0247", - "title": "Emanation security threat assessments in Australia", + "id": "control-1566", + "title": "Standard access to systems", "parts": [ { - "id": "control-0247-stmt", + "id": "control-1566-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-0248", - "title": "Emanation security threat assessments in Australia", + "id": "control-0409", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0248-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
+ "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-1137", - "title": "Emanation security threat assessments in Australia", + "id": "control-0411", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-1137-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-0932", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1507", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0932-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." 
} ] }, { - "id": "control-0249", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1508", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0249-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-0246", - "title": "Early identification of emanation security issues", + "id": "control-0445", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-0445-stmt", + "name": "statement", + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + } + ] + }, + { + "id": "control-1509", + "title": "Privileged access to systems", + "parts": [ + { + "id": "control-1509-stmt", + "name": "statement", + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + } + ] + }, + { + "id": "control-1175", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0246-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." 
} ] }, { - "id": "control-0250", - "title": "Industry and government standards", + "id": "control-0448", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0250-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." } ] - } - ] - }, - { - "id": "cable_management", - "title": "Cable management", - "controls": [ + }, { - "id": "control-0181", - "title": "Cable standards", + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0181-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." } ] }, { - "id": "control-0926", - "title": "Cable colours", + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0926-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." 
} ] }, { - "id": "control-0825", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-0430", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-0825-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." } ] }, { - "id": "control-0826", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-1591", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-0826-stmt", + "id": "control-1591-stmt", "name": "statement", - "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." + "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." } ] }, { - "id": "control-1215", - "title": "Cable colour non-conformance", + "id": "control-1404", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1215-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." 
} ] }, { - "id": "control-1216", - "title": "Cable colour non-conformance", + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", "parts": [ { - "id": "control-1216-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." } ] }, { - "id": "control-1112", - "title": "Inspecting cables", + "id": "control-0441", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1112-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." } ] }, { - "id": "control-1118", - "title": "Inspecting cables", + "id": "control-0443", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1118-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." 
} ] }, { - "id": "control-1119", - "title": "Inspecting cables", + "id": "control-1610", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1119-stmt", + "id": "control-1610-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." + "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-1126", - "title": "Inspecting cables", + "id": "control-1611", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1126-stmt", + "id": "control-1611-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Break glass accounts are only used when normal authentication processes cannot be used." } ] }, { - "id": "control-0184", - "title": "Inspecting cables", + "id": "control-1612", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0184-stmt", + "id": "control-1612-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Break glass accounts are only used for specific authorised activities." } ] }, { - "id": "control-0187", - "title": "Cable groupings", + "id": "control-1613", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0187-stmt", + "id": "control-1613-stmt", "name": "statement", - "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." + "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." 
} ] }, { - "id": "control-1111", - "title": "Use of fibre-optic cables", + "id": "control-1614", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1111-stmt", + "id": "control-1614-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." + "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." } ] }, { - "id": "control-0189", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-1615", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0189-stmt", + "id": "control-1615-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." + "prose": "Break glass accounts are tested after credentials are changed." } ] }, { - "id": "control-0190", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-0078", + "title": "Control of Australian systems", "parts": [ { - "id": "control-0190-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." } ] }, { - "id": "control-1114", - "title": "Cables sharing a common reticulation system", + "id": "control-0854", + "title": "Control of Australian systems", "parts": [ { - "id": "control-1114-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." 
+ "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems", + "title": "Guidelines for Database Systems", + "groups": [ + { + "id": "database_servers", + "title": "Database servers", + "controls": [ { - "id": "control-1130", - "title": "Enclosed cable reticulation systems", + "id": "control-1425", + "title": "Protecting database server contents", "parts": [ { - "id": "control-1130-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "Hard disks of database servers are encrypted using full disk encryption." } ] }, { - "id": "control-1164", - "title": "Covers for enclosed cable reticulation systems", + "id": "control-1269", + "title": "Functional separation between database servers and web servers", "parts": [ { - "id": "control-1164-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-0195", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1277", + "title": "Communications between database servers and web servers", "parts": [ { - "id": "control-0195-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." + "prose": "Information communicated between database servers and web applications is encrypted." 
} ] }, { - "id": "control-0194", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1270", + "title": "Network environment", "parts": [ { - "id": "control-0194-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-1102", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1271", + "title": "Network environment", "parts": [ { - "id": "control-1102-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." } ] }, { - "id": "control-1101", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1272", + "title": "Network environment", "parts": [ { - "id": "control-1101-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." 
} ] }, { - "id": "control-1103", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1273", + "title": "Separation of production, test and development database servers", "parts": [ { - "id": "control-1103-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "Test and development environments do not use the same database servers as production environments." } ] - }, + } + ] + }, + { + "id": "databases", + "title": "Databases", + "controls": [ { - "id": "control-1098", - "title": "Terminating cables in cabinets", + "id": "control-1243", + "title": "Database register", "parts": [ { - "id": "control-1098-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." + "prose": "A database register is maintained and regularly audited." } ] }, { - "id": "control-1100", - "title": "Terminating cables in cabinets", + "id": "control-1256", + "title": "Protecting database contents", "parts": [ { - "id": "control-1100-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." + "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-1116", - "title": "Cabinet separation", + "id": "control-1252", + "title": "Protecting authentication credentials in databases", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, - { - "id": "control-1115", - "title": "Cables in walls", + { + "id": "control-0393", + "title": "Protecting database contents", "parts": [ { - "id": "control-1115-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." } ] }, { - "id": "control-1133", - "title": "Cables in party walls", + "id": "control-1255", + "title": "Protecting database contents", "parts": [ { - "id": "control-1133-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in a party wall." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." } ] }, { - "id": "control-1122", - "title": "Wall penetrations", + "id": "control-1268", + "title": "Protecting database contents", "parts": [ { - "id": "control-1122-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." } ] }, { - "id": "control-1134", - "title": "Wall penetrations", + "id": "control-1258", + "title": "Aggregation of database contents", "parts": [ { - "id": "control-1134-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." 
+ "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." } ] }, { - "id": "control-1104", - "title": "Wall outlet boxes", + "id": "control-1274", + "title": "Separation of production, test and development databases", "parts": [ { - "id": "control-1104-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." + "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." } ] }, { - "id": "control-1105", - "title": "Wall outlet boxes", + "id": "control-1275", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1105-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." } ] }, { - "id": "control-1106", - "title": "Wall outlet boxes", + "id": "control-1276", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1106-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." 
} ] }, { - "id": "control-1107", - "title": "Wall outlet box colours", + "id": "control-1278", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1107-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." } ] - }, + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ { - "id": "control-1109", - "title": "Wall outlet box covers", + "id": "control-1245", + "title": "Temporary installation files and logs", "parts": [ { - "id": "control-1109-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-0198", - "title": "Audio secure spaces", + "id": "control-1246", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0198-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "DBMS software is configured according to vendor guidance." } ] }, { - "id": "control-1123", - "title": "Power reticulation", + "id": "control-1247", + "title": "Hardening and configuration", "parts": [ { - "id": "control-1123-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." 
} ] }, { - "id": "control-1135", - "title": "Power reticulation", + "id": "control-1249", + "title": "Restricting privileges", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment", - "title": "Guidelines for ICT Equipment", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1250", + "title": "Restricting privileges", "parts": [ { - "id": "control-0313-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." } ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1251", + "title": "Restricting privileges", "parts": [ { - "id": "control-1550-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "The ability of DBMS software to read local files from a server is disabled." 
} ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1260", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0311-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1262", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1217-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1261", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Database administrator accounts are not shared across different databases." 
} ] }, { - "id": "control-0315", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1263", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0315-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-1218", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1264", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1218-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateways", + "title": "Guidelines for Gateways", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-0312", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1528", + "title": "Using firewalls", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." 
} ] }, { - "id": "control-0317", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0639", + "title": "Using firewalls", "parts": [ { - "id": "control-0317-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] }, { - "id": "control-1219", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1194", + "title": "Using firewalls", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." } ] }, { - "id": "control-1220", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0641", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1220-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." 
} ] }, { - "id": "control-1221", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0642", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1221-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." } ] - }, + } + ] + }, + { + "id": "diodes", + "title": "Diodes", + "controls": [ { - "id": "control-0318", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0643", + "title": "Using diodes", "parts": [ { - "id": "control-0318-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1534", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0645", + "title": "Using diodes", "parts": [ { - "id": "control-1534-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." 
} ] }, { - "id": "control-1076", - "title": "Sanitising televisions and computer monitors", + "id": "control-1157", + "title": "Using diodes", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." } ] }, { - "id": "control-1222", - "title": "Sanitising televisions and computer monitors", + "id": "control-1158", + "title": "Using diodes", "parts": [ { - "id": "control-1222-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." } ] }, { - "id": "control-1223", - "title": "Sanitising network devices", + "id": "control-0646", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-1223-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." 
} ] }, { - "id": "control-1225", - "title": "Sanitising fax machines", + "id": "control-0647", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-1225-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-1226", - "title": "Sanitising fax machines", + "id": "control-0648", + "title": "Volume checking", "parts": [ { - "id": "control-1226-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." } ] } ] }, { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", + "id": "content_filtering", + "title": "Content filtering", "controls": [ { - "id": "control-1079", - "title": "Maintenance and repairs of high assurance ICT equipment", + "id": "control-0659", + "title": "Content filtering", "parts": [ { - "id": "control-1079-stmt", + "id": "control-0659-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." 
} ] }, { - "id": "control-0305", - "title": "On-site maintenance and repairs", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-0305-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." } ] }, { - "id": "control-0307", - "title": "On-site maintenance and repairs", + "id": "control-0651", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0307-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." } ] }, { - "id": "control-0306", - "title": "On-site maintenance and repairs", + "id": "control-0652", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0306-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." 
} ] }, { - "id": "control-0310", - "title": "Off-site maintenance and repairs", + "id": "control-1389", + "title": "Automated dynamic analysis", "parts": [ { - "id": "control-0310-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] }, { - "id": "control-0944", - "title": "Maintenance and repair of ICT equipment from secured spaces", + "id": "control-1284", + "title": "Content validation", "parts": [ { - "id": "control-0944-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." } ] }, { - "id": "control-1598", - "title": "Inspection of ICT equipment following maintenance and repairs", + "id": "control-1286", + "title": "Content conversion and transformation", "parts": [ { - "id": "control-1598-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." 
} ] - } - ] - }, - { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", - "controls": [ + }, { - "id": "control-1551", - "title": "ICT equipment management policy", + "id": "control-1287", + "title": "Content sanitisation", "parts": [ { - "id": "control-1551-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." } ] }, { - "id": "control-0293", - "title": "Classifying ICT equipment", + "id": "control-1288", + "title": "Antivirus scanning", "parts": [ { - "id": "control-0293-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] }, { - "id": "control-0294", - "title": "Labelling ICT equipment", + "id": "control-1289", + "title": "Archive and container files", "parts": [ { - "id": "control-0294-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-0296", - "title": "Labelling high assurance ICT equipment", + "id": "control-1290", + "title": "Archive and container files", "parts": [ { - "id": "control-0296-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." 
+ "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-1599", - "title": "Handling ICT equipment", + "id": "control-1291", + "title": "Archive and container files", "parts": [ { - "id": "control-1599-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0336", - "title": "ICT equipment and media register", + "id": "control-0649", + "title": "Allowing access to specific content types", "parts": [ { - "id": "control-0336-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-0159", - "title": "ICT equipment and media register", + "id": "control-1292", + "title": "Data integrity", "parts": [ { - "id": "control-0159-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." } ] }, { - "id": "control-0161", - "title": "Securing ICT equipment and media", + "id": "control-0677", + "title": "Data integrity", "parts": [ { - "id": "control-0161-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "If data is signed, the signature is validated before the data is exported." 
+ } + ] + }, + { + "id": "control-1293", + "title": "Encrypted data", + "parts": [ + { + "id": "control-1293-stmt", + "name": "statement", + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] } ] }, { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", "controls": [ { - "id": "control-1543", - "title": "Radio Frequency devices", + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", "parts": [ { - "id": "control-1543-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-0225", - "title": "Radio Frequency devices", + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0225-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0829", - "title": "Radio Frequency devices", + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0829-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." 
+ "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-1058", - "title": "Bluetooth and wireless keyboards", + "id": "control-0635", + "title": "Separation of data flows", "parts": [ { - "id": "control-1058-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-0222", - "title": "Infrared keyboards", + "id": "control-1521", + "title": "Separation of data flows", "parts": [ { - "id": "control-0222-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." } ] }, { - "id": "control-0223", - "title": "Infrared keyboards", + "id": "control-1522", + "title": "Separation of data flows", "parts": [ { - "id": "control-0223-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." 
} ] }, { - "id": "control-0224", - "title": "Infrared keyboards", + "id": "control-0670", + "title": "Event logging", + "parts": [ + { + "id": "control-0670-stmt", + "name": "statement", + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + } + ] + }, + { + "id": "control-1523", + "title": "Event logging", "parts": [ { - "id": "control-0224-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." } ] }, { - "id": "control-0221", - "title": "Wireless RF pointing devices", + "id": "control-0610", + "title": "User training", "parts": [ { - "id": "control-0221-stmt", + "id": "control-0610-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." 
} ] } ] }, { - "id": "facilities_and_systems", - "title": "Facilities and systems", + "id": "web_proxies", + "title": "Web proxies", "controls": [ { - "id": "control-0810", - "title": "Facilities containing systems", + "id": "control-0258", + "title": "Web usage policy", "parts": [ { - "id": "control-0810-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." + "prose": "A web usage policy is developed and implemented." } ] }, { - "id": "control-1053", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0260", + "title": "Using web proxies", "parts": [ { - "id": "control-1053-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-1530", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0261", + "title": "Web proxy authentication and logging", "parts": [ { - "id": "control-1530-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." 
} ] - }, + } + ] + }, + { + "id": "web_content_filters", + "title": "Web content filters", + "controls": [ { - "id": "control-0813", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0963", + "title": "Using web content filters", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "A web content filter is used to filter potentially harmful web-based content." } ] }, { - "id": "control-1074", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0961", + "title": "Using web content filters", "parts": [ { - "id": "control-1074-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." } ] }, { - "id": "control-0157", - "title": "Network infrastructure", + "id": "control-1237", + "title": "Using web content filters", "parts": [ { - "id": "control-0157-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." 
} ] }, { - "id": "control-1296", - "title": "Controlling physical access to network devices", + "id": "control-0263", + "title": "Transport Layer Security filtering", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." } ] }, { - "id": "control-0164", - "title": "Preventing observation by unauthorised people", - "parts": [ - { - "id": "control-0164-stmt", - "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_data_transfers", - "title": "Guidelines for Data Transfers", - "groups": [ - { - "id": "data_transfers", - "title": "Data transfers", - "controls": [ - { - "id": "control-0663", - "title": "Data transfer process and procedures", + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", "parts": [ { - "id": "control-0663-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." 
} ] }, { - "id": "control-0661", - "title": "User responsibilities", + "id": "control-0958", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0661-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-0665", - "title": "Trusted sources", + "id": "control-1170", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0665-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." + "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." } ] }, { - "id": "control-0664", - "title": "Data transfer approval", + "id": "control-0959", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." } ] }, { - "id": "control-0675", - "title": "Data transfer approval", + "id": "control-0960", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0675-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "A trusted source signs all data authorised for export from a system." + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." 
} ] }, { - "id": "control-0657", - "title": "Import of data", + "id": "control-1171", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0657-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0658", - "title": "Import of data", + "id": "control-1236", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0658-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." + "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." } ] - }, + } + ] + }, + { + "id": "peripheral_switches", + "title": "Peripheral switches", + "controls": [ { - "id": "control-1187", - "title": "Export of data", + "id": "control-0591", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1187-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-0669", - "title": "Export of data", + "id": "control-1480", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0669-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." 
+ "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-1535", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-1457", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1535-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." } ] }, { - "id": "control-0678", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0593", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0678-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-1586", - "title": "Monitoring data import and export", + "id": "control-0594", + "title": "Peripheral switches for particularly important systems", "parts": [ { - "id": "control-1586-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "Data transfer logs are used to record all data imports and exports from systems." 
+ "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." } ] - }, + } + ] + }, + { + "id": "gateways", + "title": "Gateways", + "controls": [ { - "id": "control-1294", - "title": "Monitoring data import and export", + "id": "control-0628", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-1294-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "Data transfer logs are partially audited at least monthly." + "prose": "All systems are protected from systems in other security domains by one or more gateways." } ] }, { - "id": "control-0660", - "title": "Monitoring data import and export", + "id": "control-1192", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0660-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "Data transfer logs are fully audited at least monthly." + "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_media", - "title": "Guidelines for Media", - "groups": [ - { - "id": "media_destruction", - "title": "Media destruction", - "controls": [ + }, { - "id": "control-0363", - "title": "Media destruction process and procedures", + "id": "control-0631", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0363-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." 
+ "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." } ] }, { - "id": "control-0350", - "title": "Media that cannot be sanitised", + "id": "control-1427", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0350-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." } ] }, { - "id": "control-1361", - "title": "Media destruction equipment", + "id": "control-0634", + "title": "Gateway operation", "parts": [ { - "id": "control-1361-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." + "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." 
} ] }, { - "id": "control-1160", - "title": "Media destruction equipment", + "id": "control-0637", + "title": "Demilitarised zones", "parts": [ { - "id": "control-1160-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-1517", - "title": "Media destruction methods", + "id": "control-1037", + "title": "Gateway testing", "parts": [ { - "id": "control-1517-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-0366", - "title": "Media destruction methods", + "id": "control-0611", + "title": "Gateway administration", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." 
} ] }, { - "id": "control-0368", - "title": "Treatment of media waste particles", + "id": "control-0612", + "title": "Gateway administration", "parts": [ { - "id": "control-0368-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "System administrators are formally trained to manage gateways." } ] }, { - "id": "control-0361", - "title": "Degaussing magnetic media", + "id": "control-1520", + "title": "Gateway administration", "parts": [ { - "id": "control-0361-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." } ] }, { - "id": "control-0838", - "title": "Degaussing magnetic media", + "id": "control-0613", + "title": "Gateway administration", "parts": [ { - "id": "control-0838-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." } ] }, { - "id": "control-0362", - "title": "Degaussing magnetic media", + "id": "control-0616", + "title": "Gateway administration", "parts": [ { - "id": "control-0362-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "Roles for the administration of gateways are separated." 
} ] }, { - "id": "control-0370", - "title": "Supervision of destruction", + "id": "control-0629", + "title": "Gateway administration", "parts": [ { - "id": "control-0370-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-0371", - "title": "Supervision of destruction", + "id": "control-0607", + "title": "Shared ownership of gateways", "parts": [ { - "id": "control-0371-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." } ] }, { - "id": "control-0372", - "title": "Supervision of accountable material destruction", + "id": "control-0619", + "title": "Gateway authentication", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." + "prose": "Users and services accessing networks through gateways are authenticated." 
} ] }, { - "id": "control-0373", - "title": "Supervision of accountable material destruction", + "id": "control-0620", + "title": "Gateway authentication", "parts": [ { - "id": "control-0373-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-0840", - "title": "Outsourcing media destruction", + "id": "control-1039", + "title": "Gateway authentication", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "Multi-factor authentication is used for access to gateways." } ] }, { - "id": "control-0839", - "title": "Outsourcing media destruction", + "id": "control-0622", + "title": "ICT equipment authentication", "parts": [ { - "id": "control-0839-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "ICT equipment accessing networks through gateways is authenticated." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", + "groups": [ { - "id": "media_usage", - "title": "Media usage", + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", "controls": [ { - "id": "control-1549", - "title": "Media management policy", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", "parts": [ { - "id": "control-1549-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-1359", - "title": "Removable media usage policy", + "id": "control-0546", + "title": "Video and voice-aware firewalls", "parts": [ { - "id": "control-1359-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." } ] }, { - "id": "control-0323", - "title": "Classifying media storing information", + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", "parts": [ { - "id": "control-0323-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." + "prose": "Video conferencing and IP telephony signalling and data is encrypted." 
} ] }, { - "id": "control-0325", - "title": "Classifying media connected to systems", + "id": "control-0548", + "title": "Establishment of secure signalling and data protocols", "parts": [ { - "id": "control-0325-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-0331", - "title": "Reclassifying media", + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0331-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-0330", - "title": "Reclassifying media", + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0330-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." 
} ] }, { - "id": "control-0332", - "title": "Labelling media", + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0332-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-1600", - "title": "Connecting media to systems", + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1600-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "Media is sanitised before it is used with systems for the first time." + "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." } ] }, { - "id": "control-0337", - "title": "Connecting media to systems", + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0337-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "Individual logins are used for IP phones." 
} ] }, { - "id": "control-0341", - "title": "Connecting media to systems", + "id": "control-0549", + "title": "Traffic separation", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." } ] }, { - "id": "control-0342", - "title": "Connecting media to systems", + "id": "control-0556", + "title": "Traffic separation", "parts": [ { - "id": "control-0342-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-0343", - "title": "Connecting media to systems", + "id": "control-1015", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0343-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "Traditional analog phones are used in public areas." } ] }, { - "id": "control-0831", - "title": "Handling media", + "id": "control-0558", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
+ "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] }, { - "id": "control-1059", - "title": "Handling media", + "id": "control-0559", + "title": "Microphones and webcams", "parts": [ { - "id": "control-1059-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." } ] }, { - "id": "control-0347", - "title": "Using media for data transfers", + "id": "control-1450", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0347-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." } ] }, { - "id": "control-0947", - "title": "Using media for data transfers", + "id": "control-1019", + "title": "Developing a denial of service response plan", "parts": [ { - "id": "control-0947-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." + "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." 
} ] } ] }, { - "id": "media_disposal", - "title": "Media disposal", + "id": "telephone_systems", + "title": "Telephone systems", "controls": [ { - "id": "control-0374", - "title": "Media disposal process and procedures", + "id": "control-1078", + "title": "Telephone systems usage policy", "parts": [ { - "id": "control-0374-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-0375", - "title": "Media disposal process and procedures", + "id": "control-0229", + "title": "Personnel awareness", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-0378", - "title": "Media disposal process and procedures", + "id": "control-0230", + "title": "Personnel awareness", "parts": [ { - "id": "control-0378-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." 
} ] - } - ] - }, - { - "id": "media_sanitisation", - "title": "Media sanitisation", - "controls": [ + }, { - "id": "control-0348", - "title": "Media sanitisation process and procedures", + "id": "control-0231", + "title": "Visual indication", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-0351", - "title": "Volatile media sanitisation", + "id": "control-0232", + "title": "Protecting conversations", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0352", - "title": "Volatile media sanitisation", + "id": "control-0233", + "title": "Cordless telephone systems", "parts": [ { - "id": "control-0352-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." 
} ] }, { - "id": "control-0835", - "title": "Treatment of volatile media following sanitisation", + "id": "control-0235", + "title": "Speakerphones", "parts": [ { - "id": "control-0835-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-1065", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0236", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-1065-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." } ] }, { - "id": "control-0354", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0931", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0354-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." + "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." 
} ] }, { - "id": "control-1067", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0237", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-1067-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + } + ] + } + ] + }, + { + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", + "controls": [ + { + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", + "parts": [ + { + "id": "control-0588-stmt", + "name": "statement", + "prose": "A fax machine and MFD usage policy is developed and implemented." } ] }, { - "id": "control-0356", - "title": "Treatment of non-volatile magnetic media following sanitisation", + "id": "control-1092", + "title": "Sending fax messages", "parts": [ { - "id": "control-0356-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." 
} ] }, { - "id": "control-0357", - "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "id": "control-0241", + "title": "Sending fax messages", "parts": [ { - "id": "control-0357-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." } ] }, { - "id": "control-0836", - "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "id": "control-1075", + "title": "Receiving fax messages", "parts": [ { - "id": "control-0836-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." } ] }, { - "id": "control-0358", - "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "id": "control-0590", + "title": "Connecting multifunction devices to networks", "parts": [ { - "id": "control-0358-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." 
+ "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." } ] }, { - "id": "control-0359", - "title": "Non-volatile flash memory media sanitisation", + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", "parts": [ { - "id": "control-0359-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] }, { - "id": "control-0360", - "title": "Treatment of non-volatile flash memory media following sanitisation", + "id": "control-0589", + "title": "Copying documents on multifunction devices", "parts": [ { - "id": "control-0360-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." } ] }, { - "id": "control-1464", - "title": "Encrypted media sanitisation", + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", "parts": [ { - "id": "control-1464-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." } ] } 
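Review bot: this hunk pairs unrelated controls purely by position (for example `- "id": "control-0657"` against `+ "id": "control-1171"`, and the Media guidelines groups `media_destruction`, `media_usage`, `media_disposal` and `media_sanitisation` against the added `peripheral_switches`, `gateways` and `guidelines_for_communications_systems` groups), so the diff cannot show whether any control was dropped or its prose altered during the regeneration; the PR description should state that the catalog was regenerated from the source and give before/after control counts or a sorted-by-id comparison so the reorder can be verified. The only schema-level change visible is the group nesting (`- },` becoming `+ }` `+ ]` `+ },` to close one group and open the next); all keys (`id`, `title`, `parts`, `name`, `prose`) are unchanged, so this is a content refresh rather than a format migration and would be clearer as its own commit. Two added statements carry grammatical errors that read as upstream source text rather than edits here: control-0558 ("their ability to access data networks, voicemail and directory services are prevented") and control-0553/0555 ("Authentication and authorisation is used"); confirm they match the source document verbatim rather than correcting them in the catalog, since the catalog is meant to mirror it.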
@@ -8522,435 +8533,424 @@ ] }, { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", "groups": [ { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", "controls": [ { - "id": "control-0714", - "title": "Providing cyber security leadership and guidance", - "parts": [ - { - "id": "control-0714-stmt", - "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." - } - ] - }, - { - "id": "control-1478", - "title": "Overseeing the cyber security program", + "id": "control-1510", + "title": "Digital preservation policy", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-1617", - "title": "Overseeing the cyber security program", + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-1617-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." 
} ] }, { - "id": "control-0724", - "title": "Overseeing the cyber security program", + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0724-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." } ] }, { - "id": "control-0725", - "title": "Coordinating cyber security", + "id": "control-1511", + "title": "Performing backups", "parts": [ { - "id": "control-0725-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] }, { - "id": "control-0726", - "title": "Coordinating cyber security", + "id": "control-1512", + "title": "Backup storage", "parts": [ { - "id": "control-0726-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "The CISO coordinates security risk management activities between cyber security and business teams." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." } ] }, { - "id": "control-0718", - "title": "Reporting on cyber security", + "id": "control-1513", + "title": "Backup storage", "parts": [ { - "id": "control-0718-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." + "prose": "Backups are stored at a multiple geographically-dispersed locations." 
} ] }, { - "id": "control-0733", - "title": "Overseeing incident response activities", + "id": "control-1514", + "title": "Retention periods for backups", "parts": [ { - "id": "control-0733-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "The CISO is fully aware of all cyber security incidents within their organisation." + "prose": "Backups are stored for three months or greater." } ] }, { - "id": "control-1618", - "title": "Overseeing incident response activities", + "id": "control-1515", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-1618-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s response to cyber security incidents." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-0734", - "title": "Contributing to business continuity and disaster recovery planning", + "id": "control-1516", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-0734-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "The CISO contributes to the development and maintenance of a business continuity and disaster recovery plan for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." } ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-0720", - "title": "Developing a cyber security communications strategy", + "id": "control-1211", + "title": "Change management process and procedures", "parts": [ { - "id": "control-0720-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." 
+ "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." } ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-0731", - "title": "Working with suppliers and service providers", + "id": "control-0042", + "title": "System administration process and procedures", "parts": [ { - "id": "control-0731-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." } ] }, { - "id": "control-0732", - "title": "Receiving and managing a dedicated cyber security budget", + "id": "control-1380", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0732-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." + "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] }, { - "id": "control-0717", - "title": "Overseeing cyber security personnel", + "id": "control-1382", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0717-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "The CISO oversees the management of cyber security personnel within their organisation." 
+ "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." } ] }, { - "id": "control-0735", - "title": "Overseeing cyber security awareness raising", + "id": "control-1381", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0735-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." } ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ + }, { - "id": "control-1071", - "title": "System ownership", + "id": "control-1383", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." } ] }, { - "id": "control-1525", - "title": "Gaining authorisation to operate systems", + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "System owners register each system with the system’s authorising officer." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." 
} ] }, { - "id": "control-0027", - "title": "Gaining authorisation to operate systems", + "id": "control-1386", + "title": "Restriction of management traffic flows", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-1526", - "title": "Monitoring cyber threats, security risks and security controls", + "id": "control-1387", + "title": "Jump servers", "parts": [ { - "id": "control-1526-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "System owners monitor security risks and the effectiveness of security controls for each system." + "prose": "All administrative actions are conducted through a jump server." } ] }, { - "id": "control-1587", - "title": "Annual reporting of system security status", + "id": "control-1388", + "title": "Jump servers", "parts": [ { - "id": "control-1587-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "System owners report the security status of each system to its authorising officer at least annually." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." 
} ] } ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ + }, { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", + "id": "system_patching", + "title": "System patching", "controls": [ { - "id": "control-1452", - "title": "Cyber supply chain risk management", + "id": "control-1143", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "A review of suppliers and service providers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-1567", - "title": "Cyber supply chain risk management", + "id": "control-1493", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1567-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "High risk suppliers and service providers are not used." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." } ] }, { - "id": "control-1568", - "title": "Cyber supply chain risk management", + "id": "control-1144", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1568-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "Outsourced information technology and cloud services are chosen from service providers that have made a commitment to secure practices and have a strong track record of maintaining the security of their systems and services." 
+ "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1395", - "title": "Cyber supply chain risk management", + "id": "control-0940", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1395-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1569", - "title": "Cyber supply chain risk management", + "id": "control-1472", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1569-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "A shared responsibility model is created between service providers and organisations in order to articulate the security responsibilities of each party." + "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-0100", - "title": "Outsourced gateway services", + "id": "control-1494", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0100-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1570", - "title": "Outsourced cloud services", + "id": "control-1495", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1570-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1529", - "title": "Outsourced cloud services", + "id": "control-1496", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "Only community or private clouds are used for outsourced cloud services." + "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." 
} ] }, { - "id": "control-0072", - "title": "Contractual security requirements", + "id": "control-0300", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0072-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] }, { - "id": "control-1571", - "title": "Contractual security requirements", + "id": "control-0298", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1571-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-1451", - "title": "Contractual security requirements", + "id": "control-0303", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "Types of information and its ownership is documented in contractual arrangements." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1572", - "title": "Contractual security requirements", + "id": "control-1497", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1572-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1573", - "title": "Contractual security requirements", + "id": "control-1498", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1573-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." } ] }, { - "id": "control-1574", - "title": "Contractual security requirements", + "id": "control-1499", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1574-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1575", - "title": "Contractual security requirements", + "id": "control-1500", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1575-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1073", - "title": "Access to systems and information by service providers", + "id": "control-0304", + "title": "Cessation of support", "parts": [ { - "id": "control-1073-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] }, { - "id": "control-1576", - "title": "Access to systems and information by service providers", + "id": "control-1501", + "title": "Cessation of support", "parts": [ { - "id": "control-1576-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } 
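Review bot: the `-`/`+` pairs in this hunk (from `- "id": "guidelines_for_cyber_security_roles"` / `+ "id": "guidelines_for_system_management"` down to the patching controls) pair up unrelated controls, so the hunk reads as a wholesale reordering of groups rather than a content change, and a reviewer cannot tell from the diff whether any control (for example control-0714 through control-1587 on the `-` side, or control-1510 through control-1501 on the `+` side) was actually dropped or added. Suggest having the generator named in the catalog remarks emit groups and controls in a fixed, deterministic order so that regeneration only produces diffs where the ISM text changed, and for this PR attaching a comparison of the sorted control ids of the old and new files so the reorder can be confirmed as lossless.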
diff --git a/ISM_catalog_profile/catalogs/ISM_September_2020/catalog.json b/ISM_catalog_profile/catalogs/ISM_September_2020/catalog.json index c5a7395..6348888 100644 --- a/ISM_catalog_profile/catalogs/ISM_September_2020/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_September_2020/catalog.json 
@@ -1,7884 +1,7923 @@ { "catalog": { - "uuid": "d51b18d2-ded0-43e9-9123-33d0c5979f89", + "uuid": "b7c4ccd5-9d21-4f37-8502-92ad359fecb6", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:20:51.911+00:00", + "last-modified": "2022-04-28T11:44:38.268526+10:00", "version": "September_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration process and procedures", + "id": "control-0580", + "title": "Event logging policy", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "Separate administrator workstations", + "id": "control-1405", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1382", - "title": "Separate administrator workstations", + "id": "control-0988", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1382-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1381", - "title": "Separate administrator workstations", + "id": "control-0584", + "title": "Events to be logged", "parts": [ { - "id": "control-1381-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1383", - "title": "Separate administrator workstations", + "id": "control-0582", + "title": "Events to be logged", "parts": [ { - "id": "control-1383-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." 
} ] }, { - "id": "control-1385", - "title": "Dedicated administration zones and communication restrictions", + "id": "control-1536", + "title": "Events to be logged", "parts": [ { - "id": "control-1385-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." } ] }, { - "id": "control-1386", - "title": "Restriction of management traffic flows", + "id": "control-1537", + "title": "Events to be logged", "parts": [ { - "id": "control-1386-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." } ] }, { - "id": "control-1387", - "title": "Jump servers", + "id": "control-0585", + "title": "Events log details", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "All administrative actions are conducted through a jump server." + "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." 
} ] }, { - "id": "control-1388", - "title": "Jump servers", + "id": "control-0586", + "title": "Event log protection", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management process and procedures", + "id": "control-0859", + "title": "Event log retention", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] - } - ] - }, - { - "id": "system_patching", - "title": "System patching", - "controls": [ + }, { - "id": "control-1143", - "title": "Patch management process and procedures", + "id": "control-0991", + "title": "Event log retention", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] }, { - "id": "control-1493", - "title": "Patch management process and procedures", + "id": "control-0109", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1493-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." } ] }, { - "id": "control-1144", - "title": "When to patch security vulnerabilities", + "id": "control-1228", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1144-stmt", + "id": "control-1228-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_email", + "title": "Guidelines for Email", + "groups": [ + { + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", + "controls": [ { - "id": "control-0940", - "title": "When to patch security vulnerabilities", + "id": "control-0569", + "title": "Centralised email gateways", "parts": [ { - "id": "control-0940-stmt", + "id": "control-0569-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email is routed through a centralised email gateway." } ] }, { - "id": "control-1472", - "title": "When to patch security vulnerabilities", + "id": "control-0571", + "title": "Centralised email gateways", "parts": [ { - "id": "control-1472-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." } ] }, { - "id": "control-1494", - "title": "When to patch security vulnerabilities", + "id": "control-0570", + "title": "Email gateway maintenance activities", "parts": [ { - "id": "control-1494-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." 
+ "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." } ] }, { - "id": "control-1495", - "title": "When to patch security vulnerabilities", + "id": "control-0567", + "title": "Open relay email servers", "parts": [ { - "id": "control-1495-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Email servers only relay emails destined for or originating from their domains." } ] }, { - "id": "control-1496", - "title": "When to patch security vulnerabilities", + "id": "control-0572", + "title": "Email server transport encryption", "parts": [ { - "id": "control-1496-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." + "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." } ] }, { - "id": "control-0300", - "title": "When to patch security vulnerabilities", + "id": "control-1589", + "title": "Email server transport encryption", "parts": [ { - "id": "control-0300-stmt", + "id": "control-1589-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." 
} ] }, { - "id": "control-0298", - "title": "How to patch security vulnerabilities", + "id": "control-0574", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0298-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." } ] }, { - "id": "control-0303", - "title": "How to patch security vulnerabilities", + "id": "control-1183", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-0303-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "A hard fail SPF record is used when specifying email servers." } ] }, { - "id": "control-1497", - "title": "How to patch security vulnerabilities", + "id": "control-1151", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1497-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "SPF is used to verify the authenticity of incoming emails." } ] }, { - "id": "control-1498", - "title": "How to patch security vulnerabilities", + "id": "control-1152", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1498-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
} ] }, { - "id": "control-1499", - "title": "How to patch security vulnerabilities", + "id": "control-0861", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1499-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-1500", - "title": "How to patch security vulnerabilities", + "id": "control-1026", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1500-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "DKIM signatures on received emails are verified." } ] }, { - "id": "control-0304", - "title": "Cessation of support", + "id": "control-1027", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0304-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." 
} ] }, { - "id": "control-1501", - "title": "Cessation of support", + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", "parts": [ { - "id": "control-1501-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." + "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] - } - ] - }, - { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", - "controls": [ + }, { - "id": "control-1510", - "title": "Digital preservation policy", + "id": "control-1234", + "title": "Email content filtering", "parts": [ { - "id": "control-1510-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "Email content filtering controls are implemented for email bodies and attachments." } ] }, { - "id": "control-1547", - "title": "Data backup and restoration processes and procedures", + "id": "control-1502", + "title": "Blocking suspicious emails", "parts": [ { - "id": "control-1547-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." } ] }, { - "id": "control-1548", - "title": "Data backup and restoration processes and procedures", + "id": "control-1024", + "title": "Undeliverable messages", "parts": [ { - "id": "control-1548-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
+ "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." } ] - }, + } + ] + }, + { + "id": "email_usage", + "title": "Email usage", + "controls": [ { - "id": "control-1511", - "title": "Performing backups", + "id": "control-0264", + "title": "Email usage policy", "parts": [ { - "id": "control-1511-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "Backups of important information, software and configuration settings are performed at least daily." + "prose": "An email usage policy is developed and implemented." } ] }, { - "id": "control-1512", - "title": "Backup storage", + "id": "control-0267", + "title": "Webmail services", "parts": [ { - "id": "control-1512-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." + "prose": "Access to non-approved webmail services is blocked." } ] }, { - "id": "control-1513", - "title": "Backup storage", + "id": "control-0270", + "title": "Protective markings for emails", "parts": [ { - "id": "control-1513-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "Backups are stored at a multiple geographically-dispersed locations." + "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." } ] }, { - "id": "control-1514", - "title": "Retention periods for backups", + "id": "control-0271", + "title": "Protective marking tools", "parts": [ { - "id": "control-1514-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "Backups are stored for three months or greater." + "prose": "Protective marking tools do not automatically insert protective markings into emails." 
} ] }, { - "id": "control-1515", - "title": "Testing restoration of backups", + "id": "control-0272", + "title": "Protective marking tools", "parts": [ { - "id": "control-1515-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." } ] }, { - "id": "control-1516", - "title": "Testing restoration of backups", + "id": "control-1089", + "title": "Protective marking tools", "parts": [ { - "id": "control-1516-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_gateways", - "title": "Guidelines for Gateways", - "groups": [ - { - "id": "firewalls", - "title": "Firewalls", - "controls": [ + }, { - "id": "control-1528", - "title": "Using firewalls", + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-1528-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." 
} ] }, { - "id": "control-0639", - "title": "Using firewalls", + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-0639-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-1194", - "title": "Using firewalls", + "id": "control-0269", + "title": "Email distribution lists", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ + { + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", + "controls": [ + { + "id": "control-0336", + "title": "ICT equipment and media register", + "parts": [ + { + "id": "control-0336-stmt", + "name": "statement", + "prose": "An ICT equipment and media register is maintained and regularly audited." 
} ] }, { - "id": "control-0641", - "title": "Firewalls for particularly important networks", + "id": "control-0159", + "title": "ICT equipment and media register", "parts": [ { - "id": "control-0641-stmt", + "id": "control-0159-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "All ICT equipment and media are accounted for on a regular basis." } ] }, { - "id": "control-0642", - "title": "Firewalls for particularly important networks", + "id": "control-0161", + "title": "Securing ICT equipment and media", "parts": [ { - "id": "control-0642-stmt", + "id": "control-0161-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." + "prose": "ICT equipment and media are secured when not in use." } ] } ] }, { - "id": "gateways", - "title": "Gateways", + "id": "facilities_and_systems", + "title": "Facilities and systems", "controls": [ { - "id": "control-0628", - "title": "Gateway architecture and configuration", + "id": "control-0810", + "title": "Facilities containing systems", "parts": [ { - "id": "control-0628-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." 
} ] }, { - "id": "control-1192", - "title": "Gateway architecture and configuration", + "id": "control-1053", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1192-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." } ] }, { - "id": "control-0631", - "title": "Gateway architecture and configuration", + "id": "control-1530", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0631-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." 
} ] }, { - "id": "control-1427", - "title": "Gateway architecture and configuration", + "id": "control-0813", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1427-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-0634", - "title": "Gateway operation", + "id": "control-1074", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-0634-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." } ] }, { - "id": "control-0637", - "title": "Demilitarised zones", + "id": "control-0157", + "title": "Network infrastructure", "parts": [ { - "id": "control-0637-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." 
} ] }, { - "id": "control-1037", - "title": "Gateway testing", + "id": "control-1296", + "title": "Controlling physical access to network devices", "parts": [ { - "id": "control-1037-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." } ] }, { - "id": "control-0611", - "title": "Gateway administration", + "id": "control-0164", + "title": "Preventing observation by unauthorised people", "parts": [ { - "id": "control-0611-stmt", + "id": "control-0164-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." } ] - }, + } + ] + }, + { + "id": "wireless_devices_and_radio_frequency_transmitters", + "title": "Wireless devices and Radio Frequency transmitters", + "controls": [ { - "id": "control-0612", - "title": "Gateway administration", + "id": "control-1543", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0612-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." 
} ] }, { - "id": "control-1520", - "title": "Gateway administration", + "id": "control-0225", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-1520-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." + "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." } ] }, { - "id": "control-0613", - "title": "Gateway administration", - "parts": [ - { - "id": "control-0613-stmt", - "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." - } - ] - }, - { - "id": "control-0616", - "title": "Gateway administration", - "parts": [ - { - "id": "control-0616-stmt", - "name": "statement", - "prose": "Roles for the administration of gateways are separated." - } - ] - }, - { - "id": "control-0629", - "title": "Gateway administration", + "id": "control-0829", + "title": "Radio Frequency devices", "parts": [ { - "id": "control-0629-stmt", + "id": "control-0829-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." } ] }, { - "id": "control-0607", - "title": "Shared ownership of gateways", + "id": "control-1058", + "title": "Bluetooth and wireless keyboards", "parts": [ { - "id": "control-0607-stmt", + "id": "control-1058-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." 
+ "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." } ] }, { - "id": "control-0619", - "title": "Gateway authentication", + "id": "control-0222", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0619-stmt", + "id": "control-0222-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." } ] }, { - "id": "control-0620", - "title": "Gateway authentication", + "id": "control-0223", + "title": "Infrared keyboards", "parts": [ { - "id": "control-0620-stmt", + "id": "control-0223-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." } ] }, { - "id": "control-1039", - "title": "Gateway authentication", + "id": "control-0224", + "title": "Infrared keyboards", "parts": [ { - "id": "control-1039-stmt", + "id": "control-0224-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." 
} ] }, { - "id": "control-0622", - "title": "ICT equipment authentication", + "id": "control-0221", + "title": "Wireless RF pointing devices", "parts": [ { - "id": "control-0622-stmt", + "id": "control-0221-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", + "groups": [ { - "id": "diodes", - "title": "Diodes", + "id": "mobile_device_management", + "title": "Mobile device management", "controls": [ { - "id": "control-0643", - "title": "Using diodes", + "id": "control-1533", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0643-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." + "prose": "A mobile device management policy is developed and implemented." } ] }, { - "id": "control-0645", - "title": "Using diodes", + "id": "control-1195", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0645-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." 
} ] }, { - "id": "control-1157", - "title": "Using diodes", + "id": "control-0687", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1157-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." + "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." } ] }, { - "id": "control-1158", - "title": "Using diodes", + "id": "control-1400", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1158-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." } ] }, { - "id": "control-0646", - "title": "Diodes for particularly important networks", + "id": "control-0694", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-0646-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "Privately-owned mobile devices do not access highly classified systems or information." 
} ] }, { - "id": "control-0647", - "title": "Diodes for particularly important networks", + "id": "control-1297", + "title": "Seeking legal advice for privately-owned mobile devices", "parts": [ { - "id": "control-0647-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." } ] }, { - "id": "control-0648", - "title": "Volume checking", + "id": "control-1482", + "title": "Organisation-owned mobile devices", "parts": [ { - "id": "control-0648-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." } ] - } - ] - }, - { - "id": "content_filtering", - "title": "Content filtering", - "controls": [ + }, { - "id": "control-0659", - "title": "Content filtering", + "id": "control-0869", + "title": "Mobile device storage encryption", "parts": [ { - "id": "control-0659-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." 
} ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-1085", + "title": "Mobile device communications encryption", "parts": [ { - "id": "control-1524-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." } ] }, { - "id": "control-0651", - "title": "Active, malicious and suspicious content", + "id": "control-1202", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0651-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] }, { - "id": "control-0652", - "title": "Active, malicious and suspicious content", + "id": "control-0682", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0652-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
} ] }, { - "id": "control-1389", - "title": "Automated dynamic analysis", + "id": "control-1196", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1389-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-1284", - "title": "Content validation", + "id": "control-1200", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1284-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-1286", - "title": "Content conversion and transformation", + "id": "control-1198", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1286-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." } ] }, { - "id": "control-1287", - "title": "Content sanitisation", + "id": "control-1199", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1287-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." 
} ] }, { - "id": "control-1288", - "title": "Antivirus scanning", + "id": "control-0863", + "title": "Configuration control", "parts": [ { - "id": "control-1288-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-1289", - "title": "Archive and container files", + "id": "control-0864", + "title": "Configuration control", "parts": [ { - "id": "control-1289-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] }, { - "id": "control-1290", - "title": "Archive and container files", + "id": "control-1365", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1290-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." } ] }, { - "id": "control-1291", - "title": "Archive and container files", + "id": "control-1366", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-1291-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." 
} ] }, { - "id": "control-0649", - "title": "Allowing access to specific content types", + "id": "control-0874", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0649-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-1292", - "title": "Data integrity", + "id": "control-0705", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-1292-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." - } - ] - }, - { - "id": "control-0677", - "title": "Data integrity", - "parts": [ - { - "id": "control-0677-stmt", - "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." - } - ] - }, - { - "id": "control-1293", - "title": "Encrypted data", - "parts": [ - { - "id": "control-1293-stmt", - "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." } ] } ] }, { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", + "id": "mobile_device_usage", + "title": "Mobile device usage", "controls": [ { - "id": "control-0626", - "title": "When to implement a Cross Domain Solution", + "id": "control-1082", + "title": "Mobile device usage policy", "parts": [ { - "id": "control-0626-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "A mobile device usage policy is developed and implemented." 
} ] }, { - "id": "control-0597", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-1083", + "title": "Personnel awareness", "parts": [ { - "id": "control-0597-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-0627", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-0240", + "title": "Paging and message services", "parts": [ { - "id": "control-0627-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." } ] }, { - "id": "control-0635", - "title": "Separation of data flows", + "id": "control-0866", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0635-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." 
} ] }, { - "id": "control-1521", - "title": "Separation of data flows", + "id": "control-1145", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-1521-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-1522", - "title": "Separation of data flows", + "id": "control-0871", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-1522-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." } ] }, { - "id": "control-0670", - "title": "Event logging", + "id": "control-0870", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-1523", - "title": "Event logging", + "id": "control-1084", + "title": "Carrying mobile devices", "parts": [ { - "id": "control-1523-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." 
+ "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." } ] }, { - "id": "control-0610", - "title": "User training", + "id": "control-0701", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0610-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." } ] - } - ] - }, - { - "id": "web_content_filters", - "title": "Web content filters", - "controls": [ + }, { - "id": "control-0963", - "title": "Using web content filters", + "id": "control-0702", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." } ] }, { - "id": "control-0961", - "title": "Using web content filters", + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0961-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." 
} ] }, { - "id": "control-1237", - "title": "Using web content filters", + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1237-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." } ] }, { - "id": "control-0263", - "title": "Transport Layer Security filtering", + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-0263-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." 
} ] }, { - "id": "control-0996", - "title": "Inspection of Transport Layer Security traffic", + "id": "control-1299", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0996-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." + "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." 
} ] }, { - "id": "control-0958", - "title": "Allowing access to specific websites", + "id": "control-1088", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-0958-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." } ] }, { - "id": "control-1170", - "title": "Allowing access to specific websites", + "id": "control-1300", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-1170-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-0959", - "title": "Blocking access to specific websites", + "id": "control-1556", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-0959-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." 
+ "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ + { + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", + "controls": [ { - "id": "control-0960", - "title": "Blocking access to specific websites", + "id": "control-0280", + "title": "Evaluated product selection", "parts": [ { - "id": "control-0960-stmt", + "id": "control-0280-stmt", "name": "statement", - "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." } ] }, { - "id": "control-1171", - "title": "Blocking access to specific websites", + "id": "control-0285", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1171-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." 
} ] }, { - "id": "control-1236", - "title": "Blocking access to specific websites", + "id": "control-0286", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1236-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." } ] } ] }, { - "id": "web_proxies", - "title": "Web proxies", + "id": "evaluated_product_usage", + "title": "Evaluated product usage", "controls": [ { - "id": "control-0258", - "title": "Web usage policy", + "id": "control-0289", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0258-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." } ] }, { - "id": "control-0260", - "title": "Using web proxies", + "id": "control-0290", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0260-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." 
} ] }, { - "id": "control-0261", - "title": "Web proxy authentication and logging", + "id": "control-0292", + "title": "Use of high assurance ICT equipment in unevaluated configurations", "parts": [ { - "id": "control-0261-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." + "prose": "High assurance ICT equipment is only operated in an evaluated configuration." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ { - "id": "peripheral_switches", - "title": "Peripheral switches", + "id": "emanation_security", + "title": "Emanation security", "controls": [ { - "id": "control-0591", - "title": "Using peripheral switches", + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0591-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1480", - "title": "Using peripheral switches", + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1480-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1457", - "title": "Using peripheral switches", + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0593", - "title": "Using peripheral switches", + "id": "control-0932", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0593-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." 
+ "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." } ] }, { - "id": "control-0594", - "title": "Peripheral switches for particularly important systems", - "parts": [ - { - "id": "control-0594-stmt", - "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", - "groups": [ - { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", - "controls": [ - { - "id": "control-0280", - "title": "Evaluated product selection", + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0280-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0285", - "title": "Delivery of evaluated products", + "id": "control-0246", + "title": "Early identification of emanation security issues", "parts": [ { - "id": "control-0285-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." 
+ "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." } ] }, { - "id": "control-0286", - "title": "Delivery of evaluated products", + "id": "control-0250", + "title": "Industry and government standards", "parts": [ { - "id": "control-0286-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." } ] } ] }, { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", + "id": "cable_management", + "title": "Cable management", "controls": [ { - "id": "control-0289", - "title": "Installation and configuration of evaluated products", + "id": "control-0181", + "title": "Cable standards", "parts": [ { - "id": "control-0289-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." } ] }, { - "id": "control-0290", - "title": "Installation and configuration of evaluated products", + "id": "control-0926", + "title": "Cable colours", "parts": [ { - "id": "control-0290-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + "prose": "The cable colours in the following table are used (see source document for referenced table)." 
} ] }, { - "id": "control-0292", - "title": "Use of high assurance ICT equipment in unevaluated configurations", + "id": "control-0825", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-0292-stmt", + "id": "control-0825-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." + "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_networking", - "title": "Guidelines for Networking", - "groups": [ - { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", - "controls": [ + }, { - "id": "control-1437", - "title": "Cloud-based hosting of online services", + "id": "control-0826", + "title": "Cable colours for foreign systems in Australian facilities", "parts": [ { - "id": "control-1437-stmt", + "id": "control-0826-stmt", "name": "statement", - "prose": "A cloud service provider is used for hosting online services." + "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." } ] }, { - "id": "control-1578", - "title": "Location policies for online services", + "id": "control-1215", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1578-stmt", + "id": "control-1215-stmt", "name": "statement", - "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." + "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." 
} ] }, { - "id": "control-1579", - "title": "Availability planning and monitoring for online services", + "id": "control-1216", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-1579-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." + "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." } ] }, { - "id": "control-1580", - "title": "Availability planning and monitoring for online services", + "id": "control-1112", + "title": "Inspecting cables", "parts": [ { - "id": "control-1580-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1441", - "title": "Availability planning and monitoring for online services", + "id": "control-1118", + "title": "Inspecting cables", "parts": [ { - "id": "control-1441-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1581", - "title": "Availability planning and monitoring for online services", + "id": "control-1119", + "title": "Inspecting cables", "parts": [ { - "id": "control-1581-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "Organisations perform continuous real-time monitoring of the availability of online services." 
+ "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1438", - "title": "Using content delivery networks", + "id": "control-1126", + "title": "Inspecting cables", "parts": [ { - "id": "control-1438-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-1439", - "title": "Using content delivery networks", + "id": "control-0184", + "title": "Inspecting cables", "parts": [ { - "id": "control-1439-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." 
} ] }, { - "id": "control-1431", - "title": "Denial of service strategies", + "id": "control-0187", + "title": "Cable groupings", "parts": [ { - "id": "control-1431-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." + "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1458", - "title": "Denial of service strategies", + "id": "control-1111", + "title": "Use of fibre-optic cables", "parts": [ { - "id": "control-1458-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." } ] }, { - "id": "control-1432", - "title": "Domain name registrar locking", + "id": "control-0189", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1432-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." + "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." 
} ] }, { - "id": "control-1435", - "title": "Monitoring with real-time alerting for online services", + "id": "control-0190", + "title": "Fibre-optic cables sharing a common conduit", "parts": [ { - "id": "control-1435-stmt", + "id": "control-0190-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." } ] }, { - "id": "control-1436", - "title": "Segregation of critical online services", + "id": "control-1114", + "title": "Cables sharing a common reticulation system", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." } ] }, { - "id": "control-1518", - "title": "Preparing for service continuity", + "id": "control-1130", + "title": "Enclosed cable reticulation systems", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." 
} ] - } - ] - }, - { - "id": "wireless_networks", - "title": "Wireless networks", - "controls": [ + }, { - "id": "control-1314", - "title": "Choosing wireless access points", + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", "parts": [ { - "id": "control-1314-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "All wireless access points are Wi-Fi Alliance certified." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-0536", - "title": "Wireless networks for public access", + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-0536-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." } ] }, { - "id": "control-1315", - "title": "Administrative interfaces for wireless access points", + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-1315-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." - } - ] - }, - { - "id": "control-1316", - "title": "Default Service Set Identifiers", - "parts": [ - { - "id": "control-1316-stmt", - "name": "statement", - "prose": "The default SSID of wireless access points is changed." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." 
} ] }, { - "id": "control-1317", - "title": "Default Service Set Identifiers", + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1317-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1318", - "title": "Default Service Set Identifiers", + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1318-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1319", - "title": "Static addressing", + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1319-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." } ] }, { - "id": "control-1320", - "title": "Media Access Control address filtering", + "id": "control-1098", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1320-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." 
+ "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." } ] }, { - "id": "control-1321", - "title": "802.1X authentication", + "id": "control-1100", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1321-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-1322", - "title": "Evaluation of 802.1X authentication implementation", + "id": "control-1116", + "title": "Cabinet separation", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." + "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] }, { - "id": "control-1324", - "title": "Generating and issuing certificates for authentication", + "id": "control-1115", + "title": "Cables in walls", "parts": [ { - "id": "control-1324-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." } ] }, { - "id": "control-1323", - "title": "Generating and issuing certificates for authentication", + "id": "control-1133", + "title": "Cables in party walls", "parts": [ { - "id": "control-1323-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "Both device and user certificates are required for accessing wireless networks." + "prose": "In shared non-government facilities, cables are not run in a party wall." 
} ] }, { - "id": "control-1325", - "title": "Generating and issuing certificates for authentication", + "id": "control-1122", + "title": "Wall penetrations", "parts": [ { - "id": "control-1325-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1326", - "title": "Generating and issuing certificates for authentication", + "id": "control-1134", + "title": "Wall penetrations", "parts": [ { - "id": "control-1326-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." + "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1327", - "title": "Generating and issuing certificates for authentication", + "id": "control-1104", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1327-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." + "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." 
} ] }, { - "id": "control-1330", - "title": "Caching 802.1X authentication outcomes", + "id": "control-1105", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1330-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." } ] }, { - "id": "control-1454", - "title": "Remote Authentication Dial-In User Service authentication", + "id": "control-1106", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1106-stmt", "name": "statement", - "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." + "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." } ] }, { - "id": "control-1332", - "title": "Encryption of wireless network traffic", + "id": "control-1107", + "title": "Wall outlet box colours", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1334", - "title": "Interference between wireless networks", + "id": "control-1109", + "title": "Wall outlet box covers", "parts": [ { - "id": "control-1334-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "Wall outlet box covers are clear plastic." 
} ] }, { - "id": "control-1335", - "title": "Protecting management frames on wireless networks", + "id": "control-0198", + "title": "Audio secure spaces", "parts": [ { - "id": "control-1335-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." } ] }, { - "id": "control-1338", - "title": "Wireless network footprint", + "id": "control-1123", + "title": "Power reticulation", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-1013", - "title": "Wireless network footprint", + "id": "control-1135", + "title": "Power reticulation", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." 
} ] } ] }, { - "id": "network_design_and_configuration", - "title": "Network design and configuration", + "id": "cable_labelling_and_registration", + "title": "Cable labelling and registration", "controls": [ { - "id": "control-0516", - "title": "Network documentation", + "id": "control-0201", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0516-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." } ] }, { - "id": "control-0518", - "title": "Network documentation", + "id": "control-0202", + "title": "Conduit label specifications", "parts": [ { - "id": "control-0518-stmt", + "id": "control-0202-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." } ] }, { - "id": "control-1178", - "title": "Network documentation", + "id": "control-0203", + "title": "Conduit label specifications", "parts": [ { - "id": "control-1178-stmt", + "id": "control-0203-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." 
} ] }, { - "id": "control-1181", - "title": "Network segmentation and segregation", + "id": "control-0204", + "title": "Installing conduit labelling", "parts": [ { - "id": "control-1181-stmt", + "id": "control-0204-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." + "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." } ] }, { - "id": "control-1577", - "title": "Network segmentation and segregation", + "id": "control-1095", + "title": "Labelling wall outlet boxes", "parts": [ { - "id": "control-1577-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "Organisation networks are segregated from service provider networks." + "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." } ] }, { - "id": "control-1532", - "title": "Using Virtual Local Area Networks", + "id": "control-1096", + "title": "Labelling cables", "parts": [ { - "id": "control-1532-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." } ] }, { - "id": "control-0529", - "title": "Using Virtual Local Area Networks", + "id": "control-0206", + "title": "Cable labelling process and procedures", "parts": [ { - "id": "control-0529-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." 
+ "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-1364", - "title": "Using Virtual Local Area Networks", + "id": "control-0208", + "title": "Cable register", "parts": [ { - "id": "control-1364-stmt", + "id": "control-0208-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." } ] }, { - "id": "control-0535", - "title": "Using Virtual Local Area Networks", + "id": "control-0211", + "title": "Cable inspections", "parts": [ { - "id": "control-0535-stmt", + "id": "control-0211-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "Cables are inspected for inconsistencies with the cable register at least annually." } ] - }, + } + ] + }, + { + "id": "cable_patching", + "title": "Cable patching", + "controls": [ { - "id": "control-0530", - "title": "Using Virtual Local Area Networks", + "id": "control-0213", + "title": "Terminations to patch panels", "parts": [ { - "id": "control-0530-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "Only approved cable groups terminate on a patch panel." } ] }, { - "id": "control-0521", - "title": "Using Internet Protocol version 6", + "id": "control-1093", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1093-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." 
+ "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." } ] }, { - "id": "control-1186", - "title": "Using Internet Protocol version 6", + "id": "control-0214", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1186-stmt", + "id": "control-0214-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." } ] }, { - "id": "control-1428", - "title": "Using Internet Protocol version 6", + "id": "control-1094", + "title": "Patch cable and fly lead connectors", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1094-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." } ] }, { - "id": "control-1429", - "title": "Using Internet Protocol version 6", + "id": "control-0216", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1429-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." 
} ] }, { - "id": "control-1430", - "title": "Using Internet Protocol version 6", + "id": "control-0217", + "title": "Physical separation of patch panels", "parts": [ { - "id": "control-1430-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." } ] }, { - "id": "control-0520", - "title": "Network access controls", + "id": "control-0218", + "title": "Fly lead installation", "parts": [ { - "id": "control-0520-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ { - "id": "control-1182", - "title": "Network access controls", + "id": "control-1452", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1182-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "A review of suppliers and service providers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." } ] }, { - "id": "control-1301", - "title": "Network device register", + "id": "control-1567", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1301-stmt", + "id": "control-1567-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "High risk suppliers and service providers are not used." } ] }, { - "id": "control-1304", - "title": "Default accounts for network devices", + "id": "control-1568", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1304-stmt", + "id": "control-1568-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Outsourced information technology and cloud services are chosen from service providers that have made a commitment to secure practices and have a strong track record of maintaining the security of their systems and services." 
} ] }, { - "id": "control-0534", - "title": "Disabling unused physical ports on network devices", + "id": "control-1395", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." } ] }, { - "id": "control-0385", - "title": "Functional separation between servers", + "id": "control-1569", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1569-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "A shared responsibility model is created between service providers and organisations in order to articulate the security responsibilities of each party." } ] }, { - "id": "control-1479", - "title": "Functional separation between servers", + "id": "control-0100", + "title": "Outsourced gateway services", "parts": [ { - "id": "control-1479-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." + "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." } ] }, { - "id": "control-1006", - "title": "Management traffic", + "id": "control-1570", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1006-stmt", + "id": "control-1570-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." 
+ "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." } ] }, { - "id": "control-1311", - "title": "Use of Simple Network Management Protocol", + "id": "control-1529", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "Only community or private clouds are used for outsourced cloud services." } ] }, { - "id": "control-1312", - "title": "Use of Simple Network Management Protocol", + "id": "control-0072", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1312-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." } ] }, { - "id": "control-1028", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1571", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1571-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." + "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." 
} ] }, { - "id": "control-1030", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1451", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1030-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + "prose": "Types of information and its ownership is documented in contractual arrangements." } ] }, { - "id": "control-1185", - "title": "Using Network-based Intrusion Detection and Prevention Systems", - "parts": [ - { - "id": "control-1185-stmt", - "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." - } - ] - } - ] - } - ] - }, - { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", - "groups": [ - { - "id": "web_application_development", - "title": "Web application development", - "controls": [ - { - "id": "control-1239", - "title": "Web application frameworks", + "id": "control-1572", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1239-stmt", + "id": "control-1572-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." 
} ] }, { - "id": "control-1552", - "title": "Web application interactions", + "id": "control-1573", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1573-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." } ] }, { - "id": "control-1240", - "title": "Web application input handling", + "id": "control-1574", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1240-stmt", + "id": "control-1574-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." } ] }, { - "id": "control-1241", - "title": "Web application output encoding", + "id": "control-1575", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1575-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." } ] }, { - "id": "control-1424", - "title": "Web browser-based security controls", + "id": "control-1073", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-1424-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." 
+ "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." } ] }, { - "id": "control-0971", - "title": "Open Web Application Security Project", + "id": "control-1576", + "title": "Access to systems and information by service providers", "parts": [ { - "id": "control-0971-stmt", + "id": "control-1576-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ { - "id": "application_development", - "title": "Application development", + "id": "application_hardening", + "title": "Application hardening", "controls": [ { - "id": "control-0400", - "title": "Development environments", + "id": "control-0938", + "title": "Application selection", "parts": [ { - "id": "control-0400-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "Development, testing and production environments are segregated." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." } ] }, { - "id": "control-1419", - "title": "Development environments", + "id": "control-1467", + "title": "Application versions", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." 
+ "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." } ] }, { - "id": "control-1420", - "title": "Development environments", + "id": "control-1483", + "title": "Application versions", "parts": [ { - "id": "control-1420-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." } ] }, { - "id": "control-1422", - "title": "Development environments", + "id": "control-1412", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1422-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." } ] }, { - "id": "control-1238", - "title": "Secure software design", + "id": "control-1484", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1238-stmt", + "id": "control-1484-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "Web browsers are configured to block or disable support for Flash content." 
} ] }, { - "id": "control-0401", - "title": "Secure programming practices", + "id": "control-1485", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0401-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "Web browsers are configured to block web advertisements." } ] }, { - "id": "control-0402", - "title": "Software testing", + "id": "control-1486", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0402-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." + "prose": "Web browsers are configured to block Java from the internet." } ] }, { - "id": "control-1616", - "title": "Vulnerability disclosure program", + "id": "control-1541", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1616-stmt", + "id": "control-1541-stmt", "name": "statement", - "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." + "prose": "Microsoft Office is configured to disable support for Flash content." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ + }, { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "id": "control-1542", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." } ] }, { - "id": "control-0546", - "title": "Video and voice-aware firewalls", + "id": "control-1470", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0546-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." } ] }, { - "id": "control-0547", - "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "id": "control-1235", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0547-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." + "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." 
} ] }, { - "id": "control-0548", - "title": "Establishment of secure signalling and data protocols", + "id": "control-1601", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1601-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." } ] }, { - "id": "control-0554", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1585", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0554-stmt", + "id": "control-1585-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." } ] }, { - "id": "control-0553", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1487", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0553-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." + "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." 
} ] }, { - "id": "control-0555", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1488", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0555-stmt", + "id": "control-1488-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." + "prose": "Microsoft Office macros in documents originating from the internet are blocked." } ] }, { - "id": "control-0551", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1489", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] - }, + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ { - "id": "control-1014", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1406", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-1014-stmt", + "id": "control-1406-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "SOEs are used for workstations and servers." 
} ] }, { - "id": "control-0549", - "title": "Traffic separation", + "id": "control-1608", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0549-stmt", + "id": "control-1608-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." } ] }, { - "id": "control-0556", - "title": "Traffic separation", + "id": "control-1588", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0556-stmt", + "id": "control-1588-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "SOEs are reviewed and updated at least annually." } ] }, { - "id": "control-1015", - "title": "Internet Protocol phones in public areas", + "id": "control-1407", + "title": "Operating system versions", "parts": [ { - "id": "control-1015-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." } ] }, { - "id": "control-0558", - "title": "Internet Protocol phones in public areas", + "id": "control-1408", + "title": "Operating system versions", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." 
} ] }, { - "id": "control-0559", - "title": "Microphones and webcams", + "id": "control-1409", + "title": "Operating system configuration", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-1450", - "title": "Microphones and webcams", + "id": "control-0383", + "title": "Operating system configuration", "parts": [ { - "id": "control-1450-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1019", - "title": "Developing a denial of service response plan", + "id": "control-0380", + "title": "Operating system configuration", "parts": [ { - "id": "control-1019-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." + "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." 
} ] - } - ] - }, - { - "id": "telephone_systems", - "title": "Telephone systems", - "controls": [ + }, { - "id": "control-1078", - "title": "Telephone systems usage policy", + "id": "control-1584", + "title": "Operating system configuration", "parts": [ { - "id": "control-1078-stmt", + "id": "control-1584-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." + "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." } ] }, { - "id": "control-0229", - "title": "Personnel awareness", + "id": "control-1491", + "title": "Operating system configuration", "parts": [ { - "id": "control-0229-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." } ] }, { - "id": "control-0230", - "title": "Personnel awareness", + "id": "control-1410", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0230-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." 
} ] }, { - "id": "control-0231", - "title": "Visual indication", + "id": "control-1469", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-0232", - "title": "Protecting conversations", + "id": "control-1592", + "title": "Application management", "parts": [ { - "id": "control-0232-stmt", + "id": "control-1592-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "Users do not have the ability to install unapproved software." } ] }, { - "id": "control-0233", - "title": "Cordless telephone systems", + "id": "control-0382", + "title": "Application management", "parts": [ { - "id": "control-0233-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + "prose": "Users do not have the ability to uninstall or disable approved software." } ] }, { - "id": "control-0235", - "title": "Speakerphones", + "id": "control-0843", + "title": "Application control", "parts": [ { - "id": "control-0235-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." 
+ "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0236", - "title": "Off-hook audio protection", + "id": "control-1490", + "title": "Application control", "parts": [ { - "id": "control-0236-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." + "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." } ] }, { - "id": "control-0931", - "title": "Off-hook audio protection", + "id": "control-0955", + "title": "Application control", "parts": [ { - "id": "control-0931-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." } ] }, { - "id": "control-0237", - "title": "Off-hook audio protection", - "parts": [ - { - "id": "control-0237-stmt", - "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." - } - ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ - { - "id": "control-0588", - "title": "Fax machine and multifunction device usage policy", + "id": "control-1582", + "title": "Application control", "parts": [ { - "id": "control-0588-stmt", + "id": "control-1582-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." 
+ "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." } ] }, { - "id": "control-1092", - "title": "Sending fax messages", + "id": "control-1471", + "title": "Application control", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." } ] }, { - "id": "control-0241", - "title": "Sending fax messages", + "id": "control-1392", + "title": "Application control", "parts": [ { - "id": "control-0241-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." } ] }, { - "id": "control-1075", - "title": "Receiving fax messages", + "id": "control-1544", + "title": "Application control", "parts": [ { - "id": "control-1075-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." 
} ] }, { - "id": "control-0590", - "title": "Connecting multifunction devices to networks", + "id": "control-0846", + "title": "Application control", "parts": [ { - "id": "control-0590-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." } ] }, { - "id": "control-0245", - "title": "Connecting multifunction devices to both networks and digital telephone systems", + "id": "control-0957", + "title": "Application control", "parts": [ { - "id": "control-0245-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." + "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." } ] }, { - "id": "control-0589", - "title": "Copying documents on multifunction devices", + "id": "control-1414", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-0589-stmt", + "id": "control-1414-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." 
} ] }, { - "id": "control-1036", - "title": "Observing fax machine and multifunction device use", + "id": "control-1492", + "title": "Enhanced Mitigation Experience Toolkit and exploit protection", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "If supported, Microsoft's exploit protection functionality is implemented on workstations and servers." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems", - "title": "Guidelines for Database Systems", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Protecting database server contents", + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "A HIPS is implemented on workstations." } ] }, { - "id": "control-1269", - "title": "Functional separation between database servers and web servers", + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1269-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." } ] }, { - "id": "control-1277", - "title": "Communications between database servers and web servers", + "id": "control-1416", + "title": "Software firewall", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "Information communicated between database servers and web applications is encrypted." 
+ "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." } ] }, { - "id": "control-1270", - "title": "Network environment", + "id": "control-1417", + "title": "Antivirus software", "parts": [ { - "id": "control-1270-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." } ] }, { - "id": "control-1271", - "title": "Network environment", + "id": "control-1390", + "title": "Antivirus software", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "Antivirus software has reputation rating functionality enabled." } ] }, { - "id": "control-1272", - "title": "Network environment", + "id": "control-1418", + "title": "Device access control software", "parts": [ { - "id": "control-1272-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." + "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." 
} ] }, { - "id": "control-1273", - "title": "Separation of production, test and development database servers", + "id": "control-0345", + "title": "Device access control software", "parts": [ { - "id": "control-1273-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." + "prose": "External interfaces of workstations and servers that allow DMA are disabled." } ] } ] }, { - "id": "database_management_system_software", - "title": "Database management system software", + "id": "authentication_hardening", + "title": "Authentication hardening", "controls": [ { - "id": "control-1245", - "title": "Temporary installation files and logs", + "id": "control-1546", + "title": "Authenticating to systems", "parts": [ { - "id": "control-1245-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Users are authenticated before they are granted access to a system and its resources." } ] }, { - "id": "control-1246", - "title": "Hardening and configuration", + "id": "control-0974", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1246-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "Multi-factor authentication is used to authenticate standard users." } ] }, { - "id": "control-1247", - "title": "Hardening and configuration", + "id": "control-1173", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1247-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." 
} ] }, { - "id": "control-1249", - "title": "Restricting privileges", + "id": "control-1384", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1384-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." } ] }, { - "id": "control-1250", - "title": "Restricting privileges", + "id": "control-1504", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1250-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." } ] }, { - "id": "control-1251", - "title": "Restricting privileges", + "id": "control-1505", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." } ] }, { - "id": "control-1260", - "title": "Database administrator accounts", + "id": "control-1401", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1260-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." 
} ] }, { - "id": "control-1262", - "title": "Database administrator accounts", + "id": "control-1559", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1262-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] }, { - "id": "control-1261", - "title": "Database administrator accounts", + "id": "control-1560", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1261-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." } ] }, { - "id": "control-1263", - "title": "Database administrator accounts", + "id": "control-1561", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1263-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." } ] }, { - "id": "control-1264", - "title": "Database administrator accounts", + "id": "control-1357", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." 
} ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Database register", + "id": "control-0417", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1243-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-1256", - "title": "Protecting database contents", + "id": "control-0421", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1256-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." } ] }, { - "id": "control-1252", - "title": "Protecting authentication credentials in databases", + "id": "control-1557", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1252-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." } ] }, { - "id": "control-0393", - "title": "Protecting database contents", + "id": "control-0422", + "title": "Single-factor authentication", "parts": [ { - "id": "control-0393-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." 
+ "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." } ] }, { - "id": "control-1255", - "title": "Protecting database contents", + "id": "control-1558", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1255-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." } ] }, { - "id": "control-1268", - "title": "Protecting database contents", + "id": "control-1596", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1268-stmt", + "id": "control-1596-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." + "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." } ] }, { - "id": "control-1258", - "title": "Aggregation of database contents", + "id": "control-1227", + "title": "Setting and resetting credentials", "parts": [ { - "id": "control-1258-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." + "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." 
} ] }, { - "id": "control-1274", - "title": "Separation of production, test and development databases", + "id": "control-1593", + "title": "Setting and resetting credentials", "parts": [ { - "id": "control-1274-stmt", + "id": "control-1593-stmt", "name": "statement", - "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." } ] }, { - "id": "control-1275", - "title": "Web application interaction with databases", + "id": "control-1594", + "title": "Setting and resetting credentials", "parts": [ { - "id": "control-1275-stmt", + "id": "control-1594-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." + "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." } ] }, { - "id": "control-1276", - "title": "Web application interaction with databases", + "id": "control-1595", + "title": "Setting and resetting credentials", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1595-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." + "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." 
} ] }, { - "id": "control-1278", - "title": "Web application interaction with databases", + "id": "control-1403", + "title": "Account lockouts", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email", - "title": "Guidelines for Email", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage policy", + "id": "control-0431", + "title": "Account lockouts", "parts": [ { - "id": "control-0264-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "Repeated account lockouts are investigated before reauthorising access." } ] }, { - "id": "control-0267", - "title": "Webmail services", + "id": "control-0976", + "title": "Account unlocks", "parts": [ { - "id": "control-0267-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." } ] }, { - "id": "control-0270", - "title": "Protective markings for emails", + "id": "control-1603", + "title": "Unsecure authentication methods", "parts": [ { - "id": "control-0270-stmt", + "id": "control-1603-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the information in their subject, body and attachments." + "prose": "Authentication methods susceptible to replay attacks are disabled." 
} ] }, { - "id": "control-0271", - "title": "Protective marking tools", + "id": "control-1055", + "title": "Unsecure authentication methods", "parts": [ { - "id": "control-0271-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "LAN Manager is disabled for password/passphrase authentication." } ] }, { - "id": "control-0272", - "title": "Protective marking tools", + "id": "control-0418", + "title": "Protecting credentials", "parts": [ { - "id": "control-0272-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "Credentials are stored separately from systems to which they grant access." } ] }, { - "id": "control-1089", - "title": "Protective marking tools", + "id": "control-1597", + "title": "Protecting credentials", "parts": [ { - "id": "control-1089-stmt", + "id": "control-1597-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Credentials are obscured as they are entered into systems." } ] }, { - "id": "control-0565", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1402", + "title": "Protecting credentials", "parts": [ { - "id": "control-0565-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." + "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." 
} ] }, { - "id": "control-1023", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1590", + "title": "Protecting credentials", "parts": [ { - "id": "control-1023-stmt", + "id": "control-1590-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." } ] }, { - "id": "control-0269", - "title": "Email distribution lists", + "id": "control-0853", + "title": "Session termination", "parts": [ { - "id": "control-0269-stmt", + "id": "control-0853-stmt", "name": "statement", - "prose": "Emails containing AUSTEO, AGAO or REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." } ] - } - ] - }, - { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", - "controls": [ + }, { - "id": "control-0569", - "title": "Centralised email gateways", + "id": "control-0428", + "title": "Session and screen locking", "parts": [ { - "id": "control-0569-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." 
+ "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." } ] }, { - "id": "control-0571", - "title": "Centralised email gateways", + "id": "control-0408", + "title": "Logon banner", "parts": [ { - "id": "control-0571-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-0570", - "title": "Email gateway maintenance activities", + "id": "control-0979", + "title": "Logon banner", "parts": [ { - "id": "control-0570-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + "prose": "Legal advice is sought on the exact wording of logon banners." } ] - }, + } + ] + }, + { + "id": "virtualisation_hardening", + "title": "Virtualisation hardening", + "controls": [ { - "id": "control-0567", - "title": "Open relay email servers", + "id": "control-1460", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0567-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." } ] }, { - "id": "control-0572", - "title": "Email server transport encryption", + "id": "control-1604", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0572-stmt", + "id": "control-1604-stmt", "name": "statement", - "prose": "Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." } ] }, { - "id": "control-1589", - "title": "Email server transport encryption", + "id": "control-1605", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1589-stmt", + "id": "control-1605-stmt", "name": "statement", - "prose": "MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." } ] }, { - "id": "control-0574", - "title": "Sender Policy Framework", + "id": "control-1606", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0574-stmt", + "id": "control-1606-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." 
+ "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1183", - "title": "Sender Policy Framework", + "id": "control-1607", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1183-stmt", + "id": "control-1607-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1151", - "title": "Sender Policy Framework", + "id": "control-1462", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1151-stmt", + "id": "control-1462-stmt", "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." } ] }, { - "id": "control-1152", - "title": "Sender Policy Framework", + "id": "control-1461", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1152-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", + "groups": [ + { + "id": "application_development", + "title": "Application development", + "controls": [ + { + "id": "control-0400", + "title": "Development environments", + "parts": [ + { + "id": "control-0400-stmt", + "name": "statement", + "prose": "Development, testing and production environments are segregated." } ] }, { - "id": "control-0861", - "title": "DomainKeys Identified Mail", + "id": "control-1419", + "title": "Development environments", "parts": [ { - "id": "control-0861-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-1026", - "title": "DomainKeys Identified Mail", + "id": "control-1420", + "title": "Development environments", "parts": [ { - "id": "control-1026-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." + "prose": "Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." } ] }, { - "id": "control-1027", - "title": "DomainKeys Identified Mail", + "id": "control-1422", + "title": "Development environments", "parts": [ { - "id": "control-1027-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "Unauthorised access to the authoritative source for software is prevented." 
} ] }, { - "id": "control-1540", - "title": "Domain-based Message Authentication, Reporting and Conformance", + "id": "control-1238", + "title": "Secure software design", "parts": [ { - "id": "control-1540-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, { - "id": "control-1234", - "title": "Email content filtering", + "id": "control-0401", + "title": "Secure programming practices", "parts": [ { - "id": "control-1234-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." } ] }, { - "id": "control-1502", - "title": "Blocking suspicious emails", + "id": "control-0402", + "title": "Software testing", "parts": [ { - "id": "control-1502-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." 
} ] }, { - "id": "control-1024", - "title": "Undeliverable messages", + "id": "control-1616", + "title": "Vulnerability disclosure program", "parts": [ { - "id": "control-1024-stmt", + "id": "control-1616-stmt", "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." + "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." } ] } ] - } - ] - }, - { - "id": "guidelines_for_cryptography", - "title": "Guidelines for Cryptography", - "groups": [ + }, { - "id": "transport_layer_security", - "title": "Transport Layer Security", + "id": "web_application_development", + "title": "Web application development", "controls": [ { - "id": "control-1139", - "title": "Using Transport Layer Security", + "id": "control-1239", + "title": "Web application frameworks", "parts": [ { - "id": "control-1139-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "Only the latest version of TLS is used." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-1369", - "title": "Using Transport Layer Security", + "id": "control-1552", + "title": "Web application interactions", "parts": [ { - "id": "control-1369-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." + "prose": "All web application content is offered exclusively using HTTPS." } ] }, { - "id": "control-1370", - "title": "Using Transport Layer Security", + "id": "control-1240", + "title": "Web application input handling", "parts": [ { - "id": "control-1370-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." 
+ "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-1372", - "title": "Using Transport Layer Security", + "id": "control-1241", + "title": "Web application output encoding", "parts": [ { - "id": "control-1372-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "Output encoding is performed on all output produced by a web application." } ] }, { - "id": "control-1448", - "title": "Using Transport Layer Security", + "id": "control-1424", + "title": "Web browser-based security controls", "parts": [ { - "id": "control-1448-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-1373", - "title": "Using Transport Layer Security", + "id": "control-0971", + "title": "Open Web Application Security Project", "parts": [ { - "id": "control-1373-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "Anonymous DH is not used." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ + { + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", + "controls": [ + { + "id": "control-0123", + "title": "Reporting cyber security incidents", + "parts": [ + { + "id": "control-0123-stmt", + "name": "statement", + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." 
} ] }, { - "id": "control-1374", - "title": "Using Transport Layer Security", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1374-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-1375", - "title": "Using Transport Layer Security", + "id": "control-1433", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1375-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." } ] }, { - "id": "control-1553", - "title": "Using Transport Layer Security", + "id": "control-1434", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1553-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "TLS compression is disabled." + "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." } ] }, { - "id": "control-1453", - "title": "Perfect Forward Secrecy", + "id": "control-0140", + "title": "Reporting cyber security incidents to the ACSC", "parts": [ { - "id": "control-1453-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "Cyber security incidents are reported to the ACSC." 
} ] } ] }, { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", "controls": [ { - "id": "control-0471", - "title": "Using ASD Approved Cryptographic Algorithms", + "id": "control-0125", + "title": "Cyber security incident register", "parts": [ { - "id": "control-0471-stmt", + "id": "control-0125-stmt", "name": "statement", - "prose": "Only AACAs are used by cryptographic equipment and software." + "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." } ] }, { - "id": "control-0994", - "title": "Approved asymmetric/public key algorithms", + "id": "control-0133", + "title": "Handling and containing data spills", "parts": [ { - "id": "control-0994-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." } ] }, { - "id": "control-0472", - "title": "Using Diffie-Hellman", + "id": "control-0917", + "title": "Handling and containing malicious code infections", "parts": [ { - "id": "control-0472-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." 
+ "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." } ] }, { - "id": "control-0473", - "title": "Using the Digital Signature Algorithm", + "id": "control-0137", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-0473-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-1446", - "title": "Using Elliptic Curve Cryptography", + "id": "control-1609", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-1446-stmt", + "id": "control-1609-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." } ] }, { - "id": "control-0474", - "title": "Using Elliptic Curve Diffie-Hellman", + "id": "control-1213", + "title": "Post-incident analysis", "parts": [ { - "id": "control-0474-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." 
+ "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." } ] }, { - "id": "control-0475", - "title": "Using the Elliptic Curve Digital Signature Algorithm", + "id": "control-0138", + "title": "Integrity of evidence", "parts": [ { - "id": "control-0475-stmt", + "id": "control-0138-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." + } + ] + } + ] + }, + { + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", + "controls": [ + { + "id": "control-0576", + "title": "Intrusion detection and prevention policy", + "parts": [ + { + "id": "control-0576-stmt", + "name": "statement", + "prose": "An intrusion detection and prevention policy is developed and implemented." } ] }, { - "id": "control-0476", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-0120", + "title": "Access to sufficient data sources and tools", "parts": [ { - "id": "control-0476-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." 
+ } + ] + } + ] + } + ] + }, + { + "id": "guidelines_for_networking", + "title": "Guidelines for Networking", + "groups": [ + { + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", + "controls": [ + { + "id": "control-1437", + "title": "Cloud-based hosting of online services", + "parts": [ + { + "id": "control-1437-stmt", + "name": "statement", + "prose": "A cloud service provider is used for hosting online services." } ] }, { - "id": "control-0477", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-1578", + "title": "Location policies for online services", "parts": [ { - "id": "control-0477-stmt", + "id": "control-1578-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." } ] }, { - "id": "control-1054", - "title": "Approved hashing algorithms", + "id": "control-1579", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1054-stmt", + "id": "control-1579-stmt", "name": "statement", - "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." + "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." } ] }, { - "id": "control-0479", - "title": "Approved symmetric encryption algorithms", + "id": "control-1580", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0479-stmt", + "id": "control-1580-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." 
+ "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." } ] }, { - "id": "control-0480", - "title": "Using the Triple Data Encryption Standard", + "id": "control-1441", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0480-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." } ] }, { - "id": "control-1232", - "title": "Protecting highly classified information", + "id": "control-1581", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1581-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "Organisations perform continuous real-time monitoring of the availability of online services." } ] }, { - "id": "control-1468", - "title": "Protecting highly classified information", + "id": "control-1438", + "title": "Using content delivery networks", "parts": [ { - "id": "control-1468-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." } ] - } - ] - }, - { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", - "controls": [ + }, { - "id": "control-0501", - "title": "Commercial grade cryptographic equipment", + "id": "control-1439", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0501-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." 
+ "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." } ] }, { - "id": "control-0142", - "title": "Commercial grade cryptographic equipment", + "id": "control-1431", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." } ] }, { - "id": "control-1091", - "title": "Commercial grade cryptographic equipment", + "id": "control-1458", + "title": "Denial of service strategies", "parts": [ { - "id": "control-1091-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." 
} ] }, { - "id": "control-0499", - "title": "High Assurance Cryptographic Equipment", + "id": "control-1432", + "title": "Domain name registrar locking", "parts": [ { - "id": "control-0499-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." } ] }, { - "id": "control-0505", - "title": "Storing cryptographic equipment", + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", "parts": [ { - "id": "control-0505-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] }, { - "id": "control-0506", - "title": "Storing cryptographic equipment", + "id": "control-1436", + "title": "Segregation of critical online services", "parts": [ { - "id": "control-0506-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + } + ] + }, + { + "id": "control-1518", + "title": "Preparing for service continuity", + "parts": [ + { + "id": "control-1518-stmt", + "name": "statement", + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." 
} ] } ] }, { - "id": "secure_shell", - "title": "Secure Shell", + "id": "wireless_networks", + "title": "Wireless networks", "controls": [ { - "id": "control-1506", - "title": "Configuring Secure Shell", + "id": "control-1314", + "title": "Choosing wireless access points", "parts": [ { - "id": "control-1506-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "All wireless access points are Wi-Fi Alliance certified." } ] }, { - "id": "control-0484", - "title": "Configuring Secure Shell", + "id": "control-0536", + "title": "Wireless networks for public access", "parts": [ { - "id": "control-0484-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." } ] }, { - "id": "control-0485", - "title": "Authentication mechanisms", + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", "parts": [ { - "id": "control-0485-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." } ] }, { - "id": "control-1449", - "title": "Authentication mechanisms", + "id": "control-1316", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-1449-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." + "prose": "The default SSID of wireless access points is changed." 
} ] }, { - "id": "control-0487", - "title": "Automated remote access", + "id": "control-1317", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0487-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." } ] }, { - "id": "control-0488", - "title": "Automated remote access", + "id": "control-1318", + "title": "Default Service Set Identifiers", "parts": [ { - "id": "control-0488-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "SSID broadcasting is enabled on wireless networks." } ] }, { - "id": "control-0489", - "title": "SSH-agent", + "id": "control-1319", + "title": "Static addressing", "parts": [ { - "id": "control-0489-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." 
} ] - } - ] - }, - { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", - "controls": [ + }, { - "id": "control-0481", - "title": "Using ASD Approved Cryptographic Protocols", + "id": "control-1320", + "title": "Media Access Control address filtering", "parts": [ { - "id": "control-0481-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "Only AACPs are used by cryptographic equipment and software." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." } ] - } - ] - }, - { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", - "controls": [ + }, { - "id": "control-0490", - "title": "Using Secure/Multipurpose Internet Mail Extension", + "id": "control-1321", + "title": "802.1X authentication", "parts": [ { - "id": "control-0490-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks." } ] - } - ] - }, - { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", - "controls": [ + }, { - "id": "control-1161", - "title": "Reducing physical storage and handling requirements", + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", "parts": [ { - "id": "control-1161-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." + "prose": "Evaluated supplicants, authenticators and authentication servers are used in wireless networks." 
} ] }, { - "id": "control-0457", - "title": "Reducing physical storage and handling requirements", + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0457-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." } ] }, { - "id": "control-0460", - "title": "Reducing physical storage and handling requirements", + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0460-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." + "prose": "Both device and user certificates are required for accessing wireless networks." } ] }, { - "id": "control-0459", - "title": "Encrypting information at rest", + "id": "control-1325", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0459-stmt", + "id": "control-1325-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "Both device and user certificates for accessing wireless networks are not stored on the same device." 
} ] }, { - "id": "control-0461", - "title": "Encrypting information at rest", + "id": "control-1326", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1326-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "User certificates for accessing wireless networks are issued on smart cards with access PINs." } ] }, { - "id": "control-1080", - "title": "Encrypting particularly important information at rest", + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1080-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." + "prose": "User or device certificates stored on devices accessing wireless networks are protected by encryption." } ] }, { - "id": "control-0455", - "title": "Data recovery", + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", "parts": [ { - "id": "control-0455-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." 
} ] }, { - "id": "control-0462", - "title": "Handling encrypted ICT equipment and media", + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", "parts": [ { - "id": "control-0462-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "Communications between wireless access points and a RADIUS server are encapsulated with an additional layer of encryption." } ] }, { - "id": "control-1162", - "title": "Encrypting information in transit", + "id": "control-1332", + "title": "Encryption of wireless network traffic", "parts": [ { - "id": "control-1162-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." + "prose": "ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic." } ] }, { - "id": "control-0465", - "title": "Encrypting information in transit", + "id": "control-1334", + "title": "Interference between wireless networks", "parts": [ { - "id": "control-0465-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." 
} ] }, { - "id": "control-0467", - "title": "Encrypting information in transit", + "id": "control-1335", + "title": "Protecting management frames on wireless networks", "parts": [ { - "id": "control-0467-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." } ] }, { - "id": "control-0469", - "title": "Encrypting particularly important information in transit", + "id": "control-1338", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0469-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + } + ] + }, + { + "id": "control-1013", + "title": "Wireless network footprint", + "parts": [ + { + "id": "control-1013-stmt", + "name": "statement", + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." 
} ] } ] }, { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", + "id": "network_design_and_configuration", + "title": "Network design and configuration", "controls": [ { - "id": "control-0494", - "title": "Mode of operation", + "id": "control-0516", + "title": "Network documentation", "parts": [ { - "id": "control-0494-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." } ] }, { - "id": "control-0496", - "title": "Protocol selection", + "id": "control-0518", + "title": "Network documentation", "parts": [ { - "id": "control-0496-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1233", - "title": "Key exchange", + "id": "control-1178", + "title": "Network documentation", "parts": [ { - "id": "control-1233-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." 
} ] }, { - "id": "control-0497", - "title": "Internet Security Association Key Management Protocol modes", + "id": "control-1181", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0497-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services." } ] }, { - "id": "control-0498", - "title": "Security association lifetimes", + "id": "control-1577", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0498-stmt", + "id": "control-1577-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "Organisation networks are segregated from service provider networks." } ] }, { - "id": "control-0998", - "title": "Hashed Message Authentication Code algorithms", + "id": "control-1532", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0998-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0999", - "title": "Diffie-Hellman groups", + "id": "control-0529", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0999-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." 
} ] }, { - "id": "control-1000", - "title": "Perfect Forward Secrecy", + "id": "control-1364", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1000-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." } ] }, { - "id": "control-1001", - "title": "Internet Key Exchange Extended Authentication", + "id": "control-0535", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1001-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ - { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ + }, + { + "id": "control-0530", + "title": "Using Virtual Local Area Networks", + "parts": [ + { + "id": "control-0530-stmt", + "name": "statement", + "prose": "Network devices implementing VLANs are managed from the most trusted network." + } + ] + }, + { + "id": "control-0521", + "title": "Using Internet Protocol version 6", + "parts": [ + { + "id": "control-0521-stmt", + "name": "statement", + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." 
+ } + ] + }, { - "id": "control-0041", - "title": "System security plan", + "id": "control-1186", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0041-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." } ] }, { - "id": "control-0043", - "title": "Incident response plan", + "id": "control-1428", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0043-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." 
} ] }, { - "id": "control-1163", - "title": "Continuous monitoring plan", + "id": "control-1429", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1163-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." } ] }, { - "id": "control-1563", - "title": "Security assessment report", + "id": "control-1430", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1563-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility." 
} ] }, { - "id": "control-1564", - "title": "Plan of action and milestones", + "id": "control-0520", + "title": "Network access controls", "parts": [ { - "id": "control-1564-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ + }, { - "id": "control-0039", - "title": "Cyber security strategy", + "id": "control-1182", + "title": "Network access controls", "parts": [ { - "id": "control-0039-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] }, { - "id": "control-0047", - "title": "Approval of security documentation", + "id": "control-1301", + "title": "Network device register", "parts": [ { - "id": "control-0047-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "A network device register is maintained and regularly audited." 
} ] }, { - "id": "control-0888", - "title": "Maintenance of security documentation", + "id": "control-1304", + "title": "Default accounts for network devices", "parts": [ { - "id": "control-0888-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1602", - "title": "Communication of security documentation", + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", "parts": [ { - "id": "control-1602-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." + "prose": "Unused physical ports on network devices are disabled." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", - "controls": [ + }, { - "id": "control-0252", - "title": "Providing cyber security awareness training", + "id": "control-0385", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0252-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." 
} ] }, { - "id": "control-1565", - "title": "Providing cyber security awareness training", + "id": "control-1479", + "title": "Functional separation between servers", "parts": [ { - "id": "control-1565-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Tailored privileged user training is undertaken annually by all privileged users." + "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-0817", - "title": "Reporting suspicious contact via online services", + "id": "control-1006", + "title": "Management traffic", "parts": [ { - "id": "control-0817-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." } ] }, { - "id": "control-0820", - "title": "Posting work information to online services", + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-0820-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "SNMP version 1 and 2 are not used on networks." } ] }, { - "id": "control-1146", - "title": "Posting work information to online services", + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." 
} ] }, { - "id": "control-0821", - "title": "Posting personal information to online services", + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0821-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." } ] }, { - "id": "control-0824", - "title": "Sending and receiving files via online services", + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0824-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets." + } + ] + }, + { + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", + "parts": [ + { + "id": "control-1185-stmt", + "name": "statement", + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", + "id": "system_owners", + "title": "System owners", "controls": [ { - "id": "control-0432", - "title": "System access requirements", + "id": "control-1071", + "title": "System ownership", "parts": [ { - "id": "control-0432-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." + "prose": "Each system has a designated system owner." } ] }, { - "id": "control-0434", - "title": "System access requirements", + "id": "control-1525", + "title": "Responsibilities", "parts": [ { - "id": "control-0434-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "System owners register each system with the system’s authorising officer." } ] }, { - "id": "control-0435", - "title": "System access requirements", + "id": "control-0027", + "title": "Responsibilities", "parts": [ { - "id": "control-0435-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." } ] }, { - "id": "control-0414", - "title": "User identification", + "id": "control-1526", + "title": "Responsibilities", "parts": [ { - "id": "control-0414-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." 
+ "prose": "System owners monitor security risks and the effectiveness of security controls for each system." } ] }, { - "id": "control-0415", - "title": "User identification", + "id": "control-1587", + "title": "Responsibilities", "parts": [ { - "id": "control-0415-stmt", + "id": "control-1587-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "System owners report the security status of each system to its authorising officer at least annually." } ] - }, + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ { - "id": "control-1583", - "title": "User identification", + "id": "control-0714", + "title": "Cyber security leadership", "parts": [ { - "id": "control-1583-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "Personnel who are contractors are identified as such." + "prose": "A CISO is appointed to provide cyber security leadership for their organisation." } ] }, { - "id": "control-0975", - "title": "User identification", + "id": "control-1478", + "title": "Responsibilities", "parts": [ { - "id": "control-0975-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_data_transfers", + "title": "Guidelines for Data Transfers", + "groups": [ + { + "id": "data_transfers", + "title": "Data transfers", + "controls": [ { - "id": "control-0420", - "title": "User identification", + "id": "control-0663", + "title": "Data transfer process and procedures", "parts": [ { - "id": "control-0420-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-0405", - "title": "Standard access to systems", + "id": "control-0661", + "title": "User responsibilities", "parts": [ { - "id": "control-0405-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." } ] }, { - "id": "control-1503", - "title": "Standard access to systems", + "id": "control-0665", + "title": "Trusted sources", "parts": [ { - "id": "control-1503-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." 
} ] }, { - "id": "control-1566", - "title": "Standard access to systems", + "id": "control-0664", + "title": "Data transfer approval", "parts": [ { - "id": "control-1566-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." } ] }, { - "id": "control-0409", - "title": "Standard access to systems by foreign nationals", + "id": "control-0675", + "title": "Data transfer approval", "parts": [ { - "id": "control-0409-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "A trusted source signs all data authorised for export from a system." } ] }, { - "id": "control-0411", - "title": "Standard access to systems by foreign nationals", + "id": "control-0657", + "title": "Import of data", "parts": [ { - "id": "control-0411-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." + "prose": "Data imported to a system is scanned for malicious and active content." 
} ] }, { - "id": "control-1507", - "title": "Privileged access to systems", + "id": "control-0658", + "title": "Import of data", "parts": [ { - "id": "control-1507-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." } ] }, { - "id": "control-1508", - "title": "Privileged access to systems", + "id": "control-1187", + "title": "Export of data", "parts": [ { - "id": "control-1508-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "When exporting data, protective marking checks are undertaken." } ] }, { - "id": "control-0445", - "title": "Privileged access to systems", + "id": "control-0669", + "title": "Export of data", "parts": [ { - "id": "control-0445-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." 
} ] }, { - "id": "control-1509", - "title": "Privileged access to systems", + "id": "control-1535", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1509-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-1175", - "title": "Privileged access to systems", + "id": "control-0678", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1175-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." + "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." } ] }, { - "id": "control-0448", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1586", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0448-stmt", + "id": "control-1586-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." + "prose": "Data transfer logs are used to record all data imports and exports from systems." 
} ] }, { - "id": "control-0446", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1294", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0446-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." + "prose": "Data transfer logs are partially audited at least monthly." } ] }, { - "id": "control-0447", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0660", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-0447-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." + "prose": "Data transfer logs are fully audited at least monthly." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_ict_equipment", + "title": "Guidelines for ICT Equipment", + "groups": [ + { + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", + "controls": [ { - "id": "control-0430", - "title": "Suspension of access to systems", + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0430-stmt", + "id": "control-0313-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." 
} ] }, { - "id": "control-1591", - "title": "Suspension of access to systems", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1591-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." } ] }, { - "id": "control-1404", - "title": "Suspension of access to systems", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1404-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." } ] }, { - "id": "control-0407", - "title": "Recording authorisation for personnel to access systems", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0407-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." 
+ "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." } ] }, { - "id": "control-0441", - "title": "Temporary access to systems", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0441-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-0443", - "title": "Temporary access to systems", + "id": "control-0315", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-0443-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-1610", - "title": "Emergency access to systems", + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1610-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." 
+ "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." } ] }, { - "id": "control-1611", - "title": "Emergency access to systems", + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1611-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "Break glass accounts are only used when normal authentication processes cannot be used." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." } ] }, { - "id": "control-1612", - "title": "Emergency access to systems", + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1612-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "Break glass accounts are only used for specific authorised activities." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." } ] }, { - "id": "control-1613", - "title": "Emergency access to systems", + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1613-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." 
} ] }, { - "id": "control-1614", - "title": "Emergency access to systems", + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1614-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." } ] }, { - "id": "control-1615", - "title": "Emergency access to systems", + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1615-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Break glass accounts are tested after credentials are changed." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-0078", - "title": "Control of Australian systems", + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0078-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." } ] }, { - "id": "control-0854", - "title": "Control of Australian systems", + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0854-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." 
+ "prose": "Printer ribbons in printers and MFDs are removed and destroyed." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", - "groups": [ - { - "id": "authentication_hardening", - "title": "Authentication hardening", - "controls": [ + }, { - "id": "control-1546", - "title": "Authenticating to systems", + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-1546-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-0974", - "title": "Multi-factor authentication", + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-0974-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate standard users." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." } ] }, { - "id": "control-1173", - "title": "Multi-factor authentication", + "id": "control-1223", + "title": "Sanitising network devices", "parts": [ { - "id": "control-1173-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all privileged users and any other positions of trust." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." 
} ] }, { - "id": "control-1384", - "title": "Multi-factor authentication", + "id": "control-1225", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1384-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions." + "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-1504", - "title": "Multi-factor authentication", + "id": "control-1226", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1504-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users of remote access solutions." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-1505", - "title": "Multi-factor authentication", + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", "parts": [ { - "id": "control-1505-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate all users when accessing important data repositories." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." 
} ] }, { - "id": "control-1401", - "title": "Multi-factor authentication", + "id": "control-0305", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." } ] }, { - "id": "control-1559", - "title": "Multi-factor authentication", + "id": "control-0307", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-1559-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-1560", - "title": "Multi-factor authentication", + "id": "control-0306", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-1560-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." 
} ] }, { - "id": "control-1561", - "title": "Multi-factor authentication", + "id": "control-0310", + "title": "Off-site maintenance and repairs", "parts": [ { - "id": "control-1561-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." } ] }, { - "id": "control-1357", - "title": "Multi-factor authentication", + "id": "control-0944", + "title": "Maintenance and repair of ICT equipment from secured spaces", "parts": [ { - "id": "control-1357-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." + "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." } ] }, { - "id": "control-0417", - "title": "Single-factor authentication", + "id": "control-1598", + "title": "Inspection of ICT equipment following maintenance and repairs", "parts": [ { - "id": "control-0417-stmt", + "id": "control-1598-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." 
} ] - }, + } + ] + }, + { + "id": "ict_equipment_usage", + "title": "ICT equipment usage", + "controls": [ { - "id": "control-0421", - "title": "Single-factor authentication", + "id": "control-1551", + "title": "ICT equipment management policy", "parts": [ { - "id": "control-0421-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-1557", - "title": "Single-factor authentication", + "id": "control-0293", + "title": "Classifying ICT equipment", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." } ] }, { - "id": "control-0422", - "title": "Single-factor authentication", + "id": "control-0294", + "title": "Labelling ICT equipment", "parts": [ { - "id": "control-0422-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
} ] }, { - "id": "control-1558", - "title": "Single-factor authentication", + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] }, { - "id": "control-1596", - "title": "Single-factor authentication", + "id": "control-1599", + "title": "Handling ICT equipment", "parts": [ { - "id": "control-1596-stmt", + "id": "control-1599-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." + "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-1227", - "title": "Setting and resetting credentials", + "id": "control-0039", + "title": "Cyber security strategy", "parts": [ { - "id": "control-1227-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." + "prose": "A cyber security strategy is developed and implemented for the organisation." 
} ] }, { - "id": "control-1593", - "title": "Setting and resetting credentials", + "id": "control-0047", + "title": "Approval of security documentation", "parts": [ { - "id": "control-1593-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." } ] }, { - "id": "control-1594", - "title": "Setting and resetting credentials", + "id": "control-0888", + "title": "Maintenance of security documentation", "parts": [ { - "id": "control-1594-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." } ] }, { - "id": "control-1595", - "title": "Setting and resetting credentials", + "id": "control-1602", + "title": "Communication of security documentation", "parts": [ { - "id": "control-1595-stmt", + "id": "control-1602-stmt", "name": "statement", - "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." + "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." 
} ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-1403", - "title": "Account lockouts", + "id": "control-0041", + "title": "System security plan", "parts": [ { - "id": "control-1403-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-0431", - "title": "Account lockouts", + "id": "control-0043", + "title": "Incident response plan", "parts": [ { - "id": "control-0431-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." 
} ] }, { - "id": "control-0976", - "title": "Account unlocks", + "id": "control-1163", + "title": "Continuous monitoring plan", "parts": [ { - "id": "control-0976-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." + "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." } ] }, { - "id": "control-1603", - "title": "Unsecure authentication methods", + "id": "control-1563", + "title": "Security assessment report", "parts": [ { - "id": "control-1603-stmt", + "id": "control-1563-stmt", "name": "statement", - "prose": "Authentication methods susceptible to replay attacks are disabled." + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." } ] }, { - "id": "control-1055", - "title": "Unsecure authentication methods", + "id": "control-1564", + "title": "Plan of action and milestones", "parts": [ { - "id": "control-1055-stmt", + "id": "control-1564-stmt", "name": "statement", - "prose": "LAN Manager is disabled for password/passphrase authentication." + "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media", + "title": "Guidelines for Media", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-0418", - "title": "Protecting credentials", + "id": "control-0363", + "title": "Media destruction process and procedures", "parts": [ { - "id": "control-0418-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." } ] }, { - "id": "control-1597", - "title": "Protecting credentials", + "id": "control-0350", + "title": "Media that cannot be sanitised", "parts": [ { - "id": "control-1597-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "Credentials are obscured as they are entered into systems." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." } ] }, { - "id": "control-1402", - "title": "Protecting credentials", + "id": "control-1361", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1402-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." + "prose": "SCEC or ASIO approved equipment is used when destroying media." 
} ] }, { - "id": "control-1590", - "title": "Protecting credentials", + "id": "control-1160", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1590-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." } ] }, { - "id": "control-0853", - "title": "Session termination", + "id": "control-1517", + "title": "Media destruction methods", "parts": [ { - "id": "control-0853-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." + "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." 
} ] }, { - "id": "control-0428", - "title": "Session and screen locking", + "id": "control-0366", + "title": "Media destruction methods", "parts": [ { - "id": "control-0428-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user\n• completely conceals all information on the screen\n• ensures that the screen does not enter a power saving state before the screen or session lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." } ] }, { - "id": "control-0408", - "title": "Logon banner", + "id": "control-0368", + "title": "Treatment of media waste particles", "parts": [ { - "id": "control-0408-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." } ] }, { - "id": "control-0979", - "title": "Logon banner", + "id": "control-0361", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-0979-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." 
} ] - } - ] - }, - { - "id": "operating_system_hardening", - "title": "Operating system hardening", - "controls": [ + }, { - "id": "control-1406", - "title": "Standard Operating Environments", + "id": "control-0838", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1406-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "SOEs are used for workstations and servers." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." } ] }, { - "id": "control-1608", - "title": "Standard Operating Environments", + "id": "control-0362", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1608-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." } ] }, { - "id": "control-1588", - "title": "Standard Operating Environments", + "id": "control-0370", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1588-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "SOEs are reviewed and updated at least annually." + "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1407", - "title": "Operating system versions", + "id": "control-0371", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1407-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "The latest version (N), or N-1 version, of an operating system is used for SOEs." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." 
} ] }, { - "id": "control-1408", - "title": "Operating system versions", + "id": "control-0372", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1408-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1409", - "title": "Operating system configuration", + "id": "control-0373", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1409-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." } ] }, { - "id": "control-0383", - "title": "Operating system configuration", + "id": "control-0840", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-0383-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." 
} ] }, { - "id": "control-0380", - "title": "Operating system configuration", + "id": "control-0839", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-0380-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are removed or disabled." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." } ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-1584", - "title": "Operating system configuration", + "id": "control-0374", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1584-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." } ] }, { - "id": "control-1491", - "title": "Operating system configuration", + "id": "control-0375", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1491-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe)." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." 
} ] }, { - "id": "control-1410", - "title": "Local administrator accounts", + "id": "control-0378", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1410-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." } ] - }, + } + ] + }, + { + "id": "media_usage", + "title": "Media usage", + "controls": [ { - "id": "control-1469", - "title": "Local administrator accounts", + "id": "control-1549", + "title": "Media management policy", "parts": [ { - "id": "control-1469-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-1592", - "title": "Application management", + "id": "control-1359", + "title": "Removable media usage policy", "parts": [ { - "id": "control-1592-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "Users do not have the ability to install unapproved software." + "prose": "A removable media usage policy is developed and implemented." } ] }, { - "id": "control-0382", - "title": "Application management", + "id": "control-0323", + "title": "Classifying media storing information", "parts": [ { - "id": "control-0382-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "Users do not have the ability to uninstall or disable approved software." + "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." 
} ] }, { - "id": "control-0843", - "title": "Application control", + "id": "control-0325", + "title": "Classifying media connected to systems", "parts": [ { - "id": "control-0843-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-1490", - "title": "Application control", + "id": "control-0331", + "title": "Reclassifying media", "parts": [ { - "id": "control-1490-stmt", + "id": "control-0331-stmt", "name": "statement", - "prose": "Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set." + "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." } ] }, { - "id": "control-0955", - "title": "Application control", + "id": "control-0330", + "title": "Reclassifying media", "parts": [ { - "id": "control-0955-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." 
} ] }, { - "id": "control-1582", - "title": "Application control", + "id": "control-0332", + "title": "Labelling media", "parts": [ { - "id": "control-1582-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-1471", - "title": "Application control", + "id": "control-1600", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1471-stmt", + "id": "control-1600-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." + "prose": "Media is sanitised before it is used with systems for the first time." } ] }, { - "id": "control-1392", - "title": "Application control", + "id": "control-0337", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1392-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." } ] }, { - "id": "control-1544", - "title": "Application control", + "id": "control-0341", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1544-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "Microsoft’s latest recommended block rules are implemented to prevent application control bypasses." 
+ "prose": "Any automatic execution features for media are disabled in the operating system of systems." } ] }, { - "id": "control-0846", - "title": "Application control", + "id": "control-0342", + "title": "Connecting media to systems", "parts": [ { - "id": "control-0846-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." } ] }, { - "id": "control-0957", - "title": "Application control", + "id": "control-0343", + "title": "Connecting media to systems", "parts": [ { - "id": "control-0957-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-1414", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-0831", + "title": "Handling media", "parts": [ { - "id": "control-1414-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." 
} ] }, { - "id": "control-1492", - "title": "Enhanced Mitigation Experience Toolkit and exploit protection", + "id": "control-1059", + "title": "Handling media", "parts": [ { - "id": "control-1492-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "If supported, Microsoft's exploit protection functionality is implemented on workstations and servers." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1341", - "title": "Host-based Intrusion Prevention System", + "id": "control-0347", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1341-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." } ] }, { - "id": "control-1034", - "title": "Host-based Intrusion Prevention System", + "id": "control-0947", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1034-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." } ] - }, + } + ] + }, + { + "id": "media_sanitisation", + "title": "Media sanitisation", + "controls": [ { - "id": "control-1416", - "title": "Software firewall", + "id": "control-0348", + "title": "Media sanitisation process and procedures", "parts": [ { - "id": "control-1416-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." 
+ "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-1417", - "title": "Antivirus software", + "id": "control-0351", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1417-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1390", - "title": "Antivirus software", + "id": "control-0352", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1390-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." } ] }, { - "id": "control-1418", - "title": "Device access control software", + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", "parts": [ { - "id": "control-1418-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." 
+ "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-0345", - "title": "Device access control software", + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-0345-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "External interfaces of workstations and servers that allow DMA are disabled." + "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] - } - ] - }, - { - "id": "application_hardening", - "title": "Application hardening", - "controls": [ + }, { - "id": "control-0938", - "title": "Application selection", + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-0938-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1467", - "title": "Application versions", + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1467-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs." 
+ "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." } ] }, { - "id": "control-1483", - "title": "Application versions", + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", "parts": [ { - "id": "control-1483-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-1412", - "title": "Hardening application configurations", + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1412-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1484", - "title": "Hardening application configurations", + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1484-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "Web browsers are configured to block or disable support for Flash content." 
+ "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1485", - "title": "Hardening application configurations", + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "Web browsers are configured to block web advertisements." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-1486", - "title": "Hardening application configurations", + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", "parts": [ { - "id": "control-1486-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "Web browsers are configured to block Java from the internet." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1541", - "title": "Hardening application configurations", + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", "parts": [ { - "id": "control-1541-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "Microsoft Office is configured to disable support for Flash content." + "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." 
} ] }, { - "id": "control-1542", - "title": "Hardening application configurations", + "id": "control-1464", + "title": "Encrypted media sanitisation", "parts": [ { - "id": "control-1542-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cryptography", + "title": "Guidelines for Cryptography", + "groups": [ + { + "id": "secure_shell", + "title": "Secure Shell", + "controls": [ { - "id": "control-1470", - "title": "Hardening application configurations", + "id": "control-1506", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-1470-stmt", + "id": "control-1506-stmt", "name": "statement", - "prose": "Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled." + "prose": "The use of SSH version 1 is disabled." } ] }, { - "id": "control-1235", - "title": "Hardening application configurations", + "id": "control-0484", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-1235-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "The use of Microsoft Office, web browser and PDF viewer add-ons is restricted to organisation approved add-ons." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." } ] }, { - "id": "control-1601", - "title": "Hardening application configurations", + "id": "control-0485", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1601-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." 
+ "prose": "Public key-based authentication is used for SSH connections." } ] }, { - "id": "control-1585", - "title": "Hardening application configurations", + "id": "control-1449", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1585-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "Standard users are prevented from bypassing, disabling or modifying security functionality of applications." + "prose": "SSH private keys are protected with a passphrase or a key encryption key." } ] }, { - "id": "control-1487", - "title": "Microsoft Office macros", + "id": "control-0487", + "title": "Automated remote access", "parts": [ { - "id": "control-1487-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." } ] }, { - "id": "control-1488", - "title": "Microsoft Office macros", + "id": "control-0488", + "title": "Automated remote access", "parts": [ { - "id": "control-1488-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "Microsoft Office macros in documents originating from the internet are blocked." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." } ] }, { - "id": "control-1489", - "title": "Microsoft Office macros", + "id": "control-0489", + "title": "SSH-agent", "parts": [ { - "id": "control-1489-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." 
+ "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." } ] } ] }, { - "id": "virtualisation_hardening", - "title": "Virtualisation hardening", + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", "controls": [ { - "id": "control-1460", - "title": "Functional separation between computing environments", + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1460-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." + "prose": "Only AACAs are used by cryptographic equipment and software." } ] }, { - "id": "control-1604", - "title": "Functional separation between computing environments", + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", "parts": [ { - "id": "control-1604-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." 
} ] }, { - "id": "control-1605", - "title": "Functional separation between computing environments", + "id": "control-0472", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-1605-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1606", - "title": "Functional separation between computing environments", + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-1606-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." + "prose": "When using DSA for digital signatures, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1607", - "title": "Functional separation between computing environments", + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", "parts": [ { - "id": "control-1607-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." 
} ] }, { - "id": "control-1462", - "title": "Functional separation between computing environments", + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", "parts": [ { - "id": "control-1462-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification." + "prose": "When using ECDH for agreeing on encryption session keys, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] }, { - "id": "control-1461", - "title": "Functional separation between computing environments", + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", "parts": [ { - "id": "control-1461-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are controlled by the same organisation, are of the same classification and are within the same security domain." + "prose": "When using ECDSA for digital signatures, a field/key size of at least 160 bits, preferably 256 bits, is used." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ - { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", - "controls": [ + }, { - "id": "control-0580", - "title": "Event logging policy", + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0580-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." 
+ "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 1024 bits, preferably 2048 bits, is used." } ] }, { - "id": "control-1405", - "title": "Centralised logging facility", + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-1405-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." } ] }, { - "id": "control-0988", - "title": "Centralised logging facility", + "id": "control-1054", + "title": "Approved hashing algorithms", "parts": [ { - "id": "control-0988-stmt", + "id": "control-1054-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." + "prose": "A hashing algorithm from the SHA-2 family is used instead of SHA-1." } ] }, { - "id": "control-0584", - "title": "Events to be logged", + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", "parts": [ { - "id": "control-0584-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." 
} ] }, { - "id": "control-0582", - "title": "Events to be logged", + "id": "control-0480", + "title": "Using the Triple Data Encryption Standard", "parts": [ { - "id": "control-0582-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." + "prose": "3DES is used with three distinct keys." } ] }, { - "id": "control-1536", - "title": "Events to be logged", + "id": "control-1232", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-1536-stmt", + "id": "control-1232-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." + "prose": "AACAs are used in an evaluated implementation." 
} ] }, { - "id": "control-1537", - "title": "Events to be logged", + "id": "control-1468", + "title": "Protecting highly classified information", "parts": [ { - "id": "control-1537-stmt", + "id": "control-1468-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n• access to particularly important information\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." } ] - }, + } + ] + }, + { + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", + "controls": [ { - "id": "control-0585", - "title": "Events log details", + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-0585-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "Versions of S/MIME earlier than 3.0 are not used." } ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-0586", - "title": "Event log protection", + "id": "control-1139", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0586-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." 
+ "prose": "Only the latest version of TLS is used." } ] }, { - "id": "control-0859", - "title": "Event log retention", + "id": "control-1369", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0859-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-0991", - "title": "Event log retention", + "id": "control-1370", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0991-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "Only server-initiated secure renegotiation is used." } ] }, { - "id": "control-0109", - "title": "Event log auditing process and procedures", + "id": "control-1372", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0109-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "DH or ECDH is used for key establishment." } ] }, { - "id": "control-1228", - "title": "Event log auditing process and procedures", + "id": "control-1448", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1228-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", - "groups": [ - { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", - "controls": [ + }, { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-1373", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0123-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-1374", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0141-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "SHA-2-based certificates are used." } ] }, { - "id": "control-1433", - "title": "Reporting cyber security incidents", + "id": "control-1375", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1433-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." + "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." 
} ] }, { - "id": "control-1434", - "title": "Reporting cyber security incidents", + "id": "control-1553", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1434-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "TLS compression is disabled." } ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents to the ACSC", + "id": "control-1453", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-0140-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." + "prose": "PFS is used for TLS connections." } ] } ] }, { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", + "id": "cryptographic_system_management", + "title": "Cryptographic system management", "controls": [ { - "id": "control-0125", - "title": "Cyber security incident register", - "parts": [ - { - "id": "control-0125-stmt", - "name": "statement", - "prose": "A cyber security incident register is maintained with the following information:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." - } - ] - }, - { - "id": "control-0133", - "title": "Handling and containing data spills", + "id": "control-0501", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0133-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "When a data spill occurs, information owners are advised and access to the information is restricted." 
+ "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." } ] }, { - "id": "control-0917", - "title": "Handling and containing malicious code infections", + "id": "control-0142", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0917-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." } ] }, { - "id": "control-0137", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-1091", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0137-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "Keying material is changed when compromised or suspected of being compromised." 
} ] }, { - "id": "control-1609", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", "parts": [ { - "id": "control-1609-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence." + "prose": "ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and the latest equipment-specific doctrine is complied with when using HACE." } ] }, { - "id": "control-1213", - "title": "Post-incident analysis", + "id": "control-0505", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1213-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the information the cryptographic equipment processes." } ] }, { - "id": "control-0138", - "title": "Integrity of evidence", + "id": "control-0506", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-0138-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." 
} ] } ] }, { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", "controls": [ { - "id": "control-0576", - "title": "Intrusion detection and prevention policy", + "id": "control-1161", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-0576-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains sensitive information." } ] }, { - "id": "control-0120", - "title": "Access to sufficient data sources and tools", + "id": "control-0457", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-0120-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains classified information." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ - { - "id": "mobile_device_usage", - "title": "Mobile device usage", - "controls": [ + }, { - "id": "control-1082", - "title": "Mobile device usage policy", + "id": "control-0460", + "title": "Reducing physical storage and handling requirements", "parts": [ { - "id": "control-1082-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." 
+ "prose": "HACE is used if an organisation wishes to reduce the physical storage or handling requirements for ICT equipment or media that contains highly classified information." } ] }, { - "id": "control-1083", - "title": "Personnel awareness", + "id": "control-0459", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-1083-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-0240", - "title": "Paging and message services", + "id": "control-0461", + "title": "Encrypting information at rest", "parts": [ { - "id": "control-0240-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information." + "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-0866", - "title": "Using mobile devices in public spaces", + "id": "control-1080", + "title": "Encrypting particularly important information at rest", "parts": [ { - "id": "control-0866-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO information when at rest on a system." 
} ] }, { - "id": "control-1145", - "title": "Using mobile devices in public spaces", + "id": "control-0455", + "title": "Data recovery", "parts": [ { - "id": "control-1145-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." } ] }, { - "id": "control-0871", - "title": "Maintaining control of mobile devices", + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", "parts": [ { - "id": "control-0871-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] }, { - "id": "control-0870", - "title": "Maintaining control of mobile devices", + "id": "control-1162", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-0870-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces." 
} ] }, { - "id": "control-1084", - "title": "Carrying mobile devices", + "id": "control-0465", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-1084-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0701", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-0467", + "title": "Encrypting information in transit", "parts": [ { - "id": "control-0701-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0702", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-0469", + "title": "Encrypting particularly important information in transit", "parts": [ { - "id": "control-0702-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." 
+ "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO information when communicated across network infrastructure." } ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ { - "id": "control-1298", - "title": "Before travelling overseas with mobile devices", + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-1298-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "Only AACPs are used by cryptographic equipment and software." + } + ] + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ + { + "id": "control-0494", + "title": "Mode of operation", + "parts": [ + { + "id": "control-0494-stmt", + "name": "statement", + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." } ] }, { - "id": "control-1554", - "title": "Before travelling overseas with mobile devices", + "id": "control-0496", + "title": "Protocol selection", "parts": [ { - "id": "control-1554-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "The ESP protocol is used for IPsec connections." 
} ] }, { - "id": "control-1555", - "title": "Before travelling overseas with mobile devices", + "id": "control-1233", + "title": "Key exchange", "parts": [ { - "id": "control-1555-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-1299", - "title": "While travelling overseas with mobile devices", + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", "parts": [ { - "id": "control-1299-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for 
communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." } ] }, { - "id": "control-1088", - "title": "While travelling overseas with mobile devices", + "id": "control-0498", + "title": "Security association lifetimes", "parts": [ { - "id": "control-1088-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." } ] }, { - "id": "control-1300", - "title": "After travelling overseas with mobile devices", + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", "parts": [ { - "id": "control-1300-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." 
+ "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-1556", - "title": "After travelling overseas with mobile devices", + "id": "control-0999", + "title": "Diffie-Hellman groups", "parts": [ { - "id": "control-1556-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." } ] - } - ] - }, - { - "id": "mobile_device_management", - "title": "Mobile device management", - "controls": [ + }, { - "id": "control-1533", - "title": "Mobile device management policy", + "id": "control-1000", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1533-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "PFS is used for IPsec connections." } ] }, { - "id": "control-1195", - "title": "Mobile device management policy", + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", "parts": [ { - "id": "control-1195-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", + "groups": [ + { + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", + "controls": [ { - "id": "control-0687", - "title": "Mobile device management policy", + "id": "control-0252", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-0687-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so." + "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." } ] }, { - "id": "control-1400", - "title": "Privately-owned mobile devices", + "id": "control-1565", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1400-stmt", + "id": "control-1565-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information." + "prose": "Tailored privileged user training is undertaken annually by all privileged users." 
} ] }, { - "id": "control-0694", - "title": "Privately-owned mobile devices", + "id": "control-0817", + "title": "Reporting suspicious contact via online services", "parts": [ { - "id": "control-0694-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems or information." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, { - "id": "control-1297", - "title": "Seeking legal advice for privately-owned mobile devices", + "id": "control-0820", + "title": "Posting work information to online services", "parts": [ { - "id": "control-1297-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information." + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." } ] }, { - "id": "control-1482", - "title": "Organisation-owned mobile devices", + "id": "control-1146", + "title": "Posting work information to online services", "parts": [ { - "id": "control-1482-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "Personnel are advised to maintain separate work and personal accounts for online services." 
} ] }, { - "id": "control-0869", - "title": "Mobile device storage encryption", + "id": "control-0821", + "title": "Posting personal information to online services", "parts": [ { - "id": "control-0869-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." } ] }, { - "id": "control-1085", - "title": "Mobile device communications encryption", + "id": "control-0824", + "title": "Sending and receiving files via online services", "parts": [ { - "id": "control-1085-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." } ] - }, + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ { - "id": "control-1202", - "title": "Mobile device Bluetooth functionality", + "id": "control-0432", + "title": "System access requirements", "parts": [ { - "id": "control-1202-stmt", + "id": "control-0432-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." 
} ] }, { - "id": "control-0682", - "title": "Mobile device Bluetooth functionality", + "id": "control-0434", + "title": "System access requirements", "parts": [ { - "id": "control-0682-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." } ] }, { - "id": "control-1196", - "title": "Mobile device Bluetooth pairing", + "id": "control-0435", + "title": "System access requirements", "parts": [ { - "id": "control-1196-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] }, { - "id": "control-1200", - "title": "Mobile device Bluetooth pairing", + "id": "control-0414", + "title": "User identification", "parts": [ { - "id": "control-1200-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." } ] }, { - "id": "control-1198", - "title": "Mobile device Bluetooth pairing", + "id": "control-0415", + "title": "User identification", "parts": [ { - "id": "control-1198-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." 
} ] }, { - "id": "control-1199", - "title": "Mobile device Bluetooth pairing", + "id": "control-1583", + "title": "User identification", "parts": [ { - "id": "control-1199-stmt", + "id": "control-1583-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." + "prose": "Personnel who are contractors are identified as such." } ] }, { - "id": "control-0863", - "title": "Configuration control", + "id": "control-0975", + "title": "User identification", "parts": [ { - "id": "control-0863-stmt", + "id": "control-0975-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "Personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-0864", - "title": "Configuration control", + "id": "control-0420", + "title": "User identification", "parts": [ { - "id": "control-0864-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL information, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1365", - "title": "Maintaining mobile device security", + "id": "control-0405", + "title": "Standard access to systems", "parts": [ { - "id": "control-1365-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." 
} ] }, { - "id": "control-1366", - "title": "Maintaining mobile device security", + "id": "control-1503", + "title": "Standard access to systems", "parts": [ { - "id": "control-1366-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-0874", - "title": "Connecting mobile devices to the internet", + "id": "control-1566", + "title": "Standard access to systems", "parts": [ { - "id": "control-0874-stmt", + "id": "control-1566-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "The use of standard accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-0705", - "title": "Connecting mobile devices to the internet", + "id": "control-0409", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0705-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL information unless effective security controls are in place to ensure such information is not accessible to them." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", - "groups": [ - { - "id": "cable_labelling_and_registration", - "title": "Cable labelling and registration", - "controls": [ + }, { - "id": "control-0201", - "title": "Conduit label specifications", + "id": "control-0411", + "title": "Standard access to systems by foreign nationals", "parts": [ { - "id": "control-0201-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at 5 m intervals and marked as ‘TS RUN’." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them." } ] }, { - "id": "control-0202", - "title": "Conduit label specifications", + "id": "control-1507", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0202-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "Conduit labels in areas where uncleared personnel could frequently visit have red text on a clear background." + "prose": "Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-0203", - "title": "Conduit label specifications", + "id": "control-1508", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0203-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "Conduit labels in areas that are not clearly observable have red text on a white background." + "prose": "Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." 
} ] }, { - "id": "control-0204", - "title": "Installing conduit labelling", + "id": "control-0445", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0204-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "Conduit labels installed in public or visitor areas do not draw undue attention from people who do not have a need-to-know of the existence of such cables." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." } ] }, { - "id": "control-1095", - "title": "Labelling wall outlet boxes", + "id": "control-1509", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1095-stmt", + "id": "control-1509-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classification, cable identifiers and wall outlet box identifier." + "prose": "The use of privileged accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-1096", - "title": "Labelling cables", + "id": "control-1175", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1096-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." + "prose": "Technical security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services." } ] }, { - "id": "control-0206", - "title": "Cable labelling process and procedures", + "id": "control-0448", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0206-stmt", + "id": "control-0448-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." 
+ "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems, applications and data repositories." } ] }, { - "id": "control-0208", - "title": "Cable register", + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0208-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "A cable register is maintained with the following information:\n• cable identifier\n• classification\n• source\n• destination\n• site/floor plan diagram\n• seal numbers (if applicable)." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL information." } ] }, { - "id": "control-0211", - "title": "Cable inspections", + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0211-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "Cables are inspected for inconsistencies with the cable register at least annually." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information." } ] - } - ] - }, - { - "id": "cable_patching", - "title": "Cable patching", - "controls": [ + }, { - "id": "control-0213", - "title": "Terminations to patch panels", + "id": "control-0430", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-0213-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "Only approved cable groups terminate on a patch panel." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." 
} ] }, { - "id": "control-1093", - "title": "Patch cable and fly lead connectors", + "id": "control-1591", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1093-stmt", + "id": "control-1591-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, connectors for each system are different from those of other systems; unless the higher classified patch cables cannot bridge the distance between the higher classified patch panel and any patch panel of a lower classification." + "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." } ] }, { - "id": "control-0214", - "title": "Patch cable and fly lead connectors", + "id": "control-1404", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-0214-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "In areas containing cables for TOP SECRET systems and systems of lower classifications, the connectors for TOP SECRET systems are different from those of other systems." + "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." } ] }, { - "id": "control-1094", - "title": "Patch cable and fly lead connectors", + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", "parts": [ { - "id": "control-1094-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "In areas containing cables for systems of different classifications, the selection of connector types is documented." 
+ "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." } ] }, { - "id": "control-0216", - "title": "Physical separation of patch panels", + "id": "control-0441", + "title": "Temporary access to systems", "parts": [ { - "id": "control-0216-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties." } ] }, { - "id": "control-0217", - "title": "Physical separation of patch panels", + "id": "control-0443", + "title": "Temporary access to systems", "parts": [ { - "id": "control-0217-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." 
} ] }, { - "id": "control-0218", - "title": "Fly lead installation", + "id": "control-1610", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0218-stmt", + "id": "control-1610-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five meters in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway and clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ + }, { - "id": "control-0247", - "title": "Emanation security threat assessments in Australia", + "id": "control-1611", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0247-stmt", + "id": "control-1611-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Break glass accounts are only used when normal authentication processes cannot be used." } ] }, { - "id": "control-0248", - "title": "Emanation security threat assessments in Australia", + "id": "control-1612", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0248-stmt", + "id": "control-1612-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
+ "prose": "Break glass accounts are only used for specific authorised activities." } ] }, { - "id": "control-1137", - "title": "Emanation security threat assessments in Australia", + "id": "control-1613", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1137-stmt", + "id": "control-1613-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." } ] }, { - "id": "control-0932", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1614", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0932-stmt", + "id": "control-1614-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." } ] }, { - "id": "control-0249", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1615", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0249-stmt", + "id": "control-1615-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Break glass accounts are tested after credentials are changed." 
} ] }, { - "id": "control-0246", - "title": "Early identification of emanation security issues", + "id": "control-0078", + "title": "Control of Australian systems", "parts": [ { - "id": "control-0246-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO information remain at all times under the control of an Australian national working for or on behalf of the Australian Government." } ] }, { - "id": "control-0250", - "title": "Industry and government standards", + "id": "control-0854", + "title": "Control of Australian systems", "parts": [ { - "id": "control-0250-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "Access to AUSTEO or AGAO information from systems not under the sole control of the Australian Government is prevented." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_database_systems", + "title": "Guidelines for Database Systems", + "groups": [ { - "id": "cable_management", - "title": "Cable management", + "id": "database_servers", + "title": "Database servers", "controls": [ { - "id": "control-0181", - "title": "Cable standards", + "id": "control-1425", + "title": "Protecting database server contents", "parts": [ { - "id": "control-0181-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "Cables are installed in accordance with the relevant Australian Standards, as directed by the Australian Communications and Media Authority." + "prose": "Hard disks of database servers are encrypted using full disk encryption." 
} ] }, { - "id": "control-0926", - "title": "Cable colours", + "id": "control-1269", + "title": "Functional separation between database servers and web servers", "parts": [ { - "id": "control-0926-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "Database servers and web servers are functionally separated, physically or virtually." } ] }, { - "id": "control-0825", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-1277", + "title": "Communications between database servers and web servers", "parts": [ { - "id": "control-0825-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "Cable colours for foreign systems installed in Australian facilities are not the same colour as those used for Australian systems." + "prose": "Information communicated between database servers and web applications is encrypted." } ] }, { - "id": "control-0826", - "title": "Cable colours for foreign systems in Australian facilities", + "id": "control-1270", + "title": "Network environment", "parts": [ { - "id": "control-0826-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "Cable colours used for foreign systems are agreed between the host organisation and the foreign system’s owner." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-1215", - "title": "Cable colour non-conformance", + "id": "control-1271", + "title": "Network environment", "parts": [ { - "id": "control-1215-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cables with non-conformant cable colouring are banded with the appropriate colour at inspection points." 
+ "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." } ] }, { - "id": "control-1216", - "title": "Cable colour non-conformance", + "id": "control-1272", + "title": "Network environment", "parts": [ { - "id": "control-1216-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." } ] }, { - "id": "control-1112", - "title": "Inspecting cables", + "id": "control-1273", + "title": "Separation of production, test and development database servers", "parts": [ { - "id": "control-1112-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Test and development environments do not use the same database servers as production environments." } ] - }, + } + ] + }, + { + "id": "databases", + "title": "Databases", + "controls": [ { - "id": "control-1118", - "title": "Inspecting cables", + "id": "control-1243", + "title": "Database register", "parts": [ { - "id": "control-1118-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "A database register is maintained and regularly audited." 
} ] }, { - "id": "control-1119", - "title": "Inspecting cables", + "id": "control-1256", + "title": "Protecting database contents", "parts": [ { - "id": "control-1119-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." + "prose": "File-based access controls are applied to database files." } ] }, { - "id": "control-1126", - "title": "Inspecting cables", + "id": "control-1252", + "title": "Protecting authentication credentials in databases", "parts": [ { - "id": "control-1126-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-0184", - "title": "Inspecting cables", + "id": "control-0393", + "title": "Protecting database contents", "parts": [ { - "id": "control-0184-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Databases and their contents are classified based on the sensitivity or classification of information that they contain." } ] }, { - "id": "control-0187", - "title": "Cable groupings", + "id": "control-1255", + "title": "Protecting database contents", "parts": [ { - "id": "control-0187-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "The approved group combinations for cables in the following table are used (see source document for referenced table)." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." 
} ] }, { - "id": "control-1111", - "title": "Use of fibre-optic cables", + "id": "control-1268", + "title": "Protecting database contents", "parts": [ { - "id": "control-1111-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for network infrastructure instead of copper cables." + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." } ] }, { - "id": "control-0189", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-1258", + "title": "Aggregation of database contents", "parts": [ { - "id": "control-0189-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "With fibre-optic cables, the fibres in the sheath only carry a single group." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to a database user determining more sensitive or classified information, database views in combination with database user access roles are implemented." } ] }, { - "id": "control-0190", - "title": "Fibre-optic cables sharing a common conduit", + "id": "control-1274", + "title": "Separation of production, test and development databases", "parts": [ { - "id": "control-0190-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group." + "prose": "Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." 
} ] }, { - "id": "control-1114", - "title": "Cables sharing a common reticulation system", + "id": "control-1275", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1114-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "Approved cable groups sharing a common reticulation system have a dividing partition or a visible gap between the differing cable groups." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." } ] }, { - "id": "control-1130", - "title": "Enclosed cable reticulation systems", + "id": "control-1276", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1130-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." } ] }, { - "id": "control-1164", - "title": "Covers for enclosed cable reticulation systems", + "id": "control-1278", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1164-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." 
} ] - }, + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ { - "id": "control-0195", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1245", + "title": "Temporary installation files and logs", "parts": [ { - "id": "control-0195-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on reticulation systems." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-0194", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1246", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0194-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "DBMS software is configured according to vendor guidance." } ] }, { - "id": "control-1102", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1247", + "title": "Hardening and configuration", "parts": [ { - "id": "control-1102-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." 
} ] }, { - "id": "control-1101", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1249", + "title": "Restricting privileges", "parts": [ { - "id": "control-1101-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] }, { - "id": "control-1103", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1250", + "title": "Restricting privileges", "parts": [ { - "id": "control-1103-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "In TOP SECRET areas, reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." } ] }, { - "id": "control-1098", - "title": "Terminating cables in cabinets", + "id": "control-1251", + "title": "Restricting privileges", "parts": [ { - "id": "control-1098-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets, or for small systems, one cabinet with a division plate to delineate classifications." + "prose": "The ability of DBMS software to read local files from a server is disabled." } ] }, { - "id": "control-1100", - "title": "Terminating cables in cabinets", + "id": "control-1260", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1100-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." 
+ "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-1116", - "title": "Cabinet separation", + "id": "control-1262", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-1115", - "title": "Cables in walls", + "id": "control-1261", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1115-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Database administrator accounts are not shared across different databases." } ] }, { - "id": "control-1133", - "title": "Cables in party walls", + "id": "control-1263", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1133-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in a party wall." + "prose": "Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-1122", - "title": "Wall penetrations", + "id": "control-1264", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1122-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." 
+ "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_gateways", + "title": "Guidelines for Gateways", + "groups": [ + { + "id": "firewalls", + "title": "Firewalls", + "controls": [ { - "id": "control-1134", - "title": "Wall penetrations", + "id": "control-1528", + "title": "Using firewalls", "parts": [ { - "id": "control-1134-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1104", - "title": "Wall outlet boxes", + "id": "control-0639", + "title": "Using firewalls", "parts": [ { - "id": "control-1104-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "Cable groups sharing a wall outlet box use fibre-optic cables and different connectors on opposite sides of the wall outlet for each group." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] }, { - "id": "control-1105", - "title": "Wall outlet boxes", + "id": "control-1194", + "title": "Using firewalls", "parts": [ { - "id": "control-1105-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "TOP SECRET cables do not share a wall outlet box with cables of a lower classification." + "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." 
} ] }, { - "id": "control-1106", - "title": "Wall outlet boxes", + "id": "control-0641", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1106-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "The connectors for TOP SECRET systems are different from those of systems of lower classifications." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." } ] }, { - "id": "control-1107", - "title": "Wall outlet box colours", + "id": "control-0642", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1107-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." } ] - }, + } + ] + }, + { + "id": "diodes", + "title": "Diodes", + "controls": [ { - "id": "control-1109", - "title": "Wall outlet box covers", + "id": "control-0643", + "title": "Using diodes", "parts": [ { - "id": "control-1109-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0198", - "title": "Audio secure spaces", + "id": "control-0645", + "title": "Using diodes", "parts": [ { - "id": "control-0198-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." 
+ "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." } ] }, { - "id": "control-1123", - "title": "Power reticulation", + "id": "control-1157", + "title": "Using diodes", "parts": [ { - "id": "control-1123-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." } ] }, { - "id": "control-1135", - "title": "Power reticulation", + "id": "control-1158", + "title": "Using diodes", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_ict_equipment", - "title": "Guidelines for ICT Equipment", - "groups": [ - { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", - "controls": [ + }, { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0646", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0313-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." 
+ "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0647", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-1550-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." } ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0648", + "title": "Volume checking", "parts": [ { - "id": "control-0311-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." } ] - }, + } + ] + }, + { + "id": "content_filtering", + "title": "Content filtering", + "controls": [ { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0659", + "title": "Content filtering", "parts": [ { - "id": "control-1217-stmt", + "id": "control-0659-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." 
+ "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." } ] }, { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-0316-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." } ] }, { - "id": "control-0315", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-0651", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0315-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "If disposing of high assurance ICT equipment or TEMPEST-rated ICT equipment, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." } ] }, { - "id": "control-1218", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-0652", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-1218-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information is sanitised in situ." + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." 
} ] }, { - "id": "control-0312", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1389", + "title": "Automated dynamic analysis", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO information that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] }, { - "id": "control-0317", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1284", + "title": "Content validation", "parts": [ { - "id": "control-0317-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." } ] }, { - "id": "control-1219", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1286", + "title": "Content conversion and transformation", "parts": [ { - "id": "control-1219-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." 
} ] }, { - "id": "control-1220", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1287", + "title": "Content sanitisation", "parts": [ { - "id": "control-1220-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." } ] }, { - "id": "control-1221", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1288", + "title": "Antivirus scanning", "parts": [ { - "id": "control-1221-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." } ] }, { - "id": "control-0318", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1289", + "title": "Archive and container files", "parts": [ { - "id": "control-0318-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-1534", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1290", + "title": "Archive and container files", "parts": [ { - "id": "control-1534-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." 
+ "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-1076", - "title": "Sanitising televisions and computer monitors", + "id": "control-1291", + "title": "Archive and container files", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." } ] }, { - "id": "control-1222", - "title": "Sanitising televisions and computer monitors", + "id": "control-0649", + "title": "Allowing access to specific content types", "parts": [ { - "id": "control-1222-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-1223", - "title": "Sanitising network devices", + "id": "control-1292", + "title": "Data integrity", "parts": [ { - "id": "control-1223-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by the ACSC\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." 
} ] }, { - "id": "control-1225", - "title": "Sanitising fax machines", + "id": "control-0677", + "title": "Data integrity", "parts": [ { - "id": "control-1225-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "If data is signed, the signature is validated before the data is exported." } ] }, { - "id": "control-1226", - "title": "Sanitising fax machines", + "id": "control-1293", + "title": "Encrypted data", "parts": [ { - "id": "control-1226-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] } ] }, { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", "controls": [ { - "id": "control-1079", - "title": "Maintenance and repairs of high assurance ICT equipment", + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", "parts": [ { - "id": "control-1079-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." 
} ] }, { - "id": "control-0305", - "title": "On-site maintenance and repairs", + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0305-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0307", - "title": "On-site maintenance and repairs", + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0307-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0306", - "title": "On-site maintenance and repairs", + "id": "control-0635", + "title": "Separation of data flows", "parts": [ { - "id": "control-0306-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that information is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." 
+ "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-0310", - "title": "Off-site maintenance and repairs", + "id": "control-1521", + "title": "Separation of data flows", "parts": [ { - "id": "control-0310-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the physical transfer and storage requirements for the sensitivity or classification of the ICT equipment." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." } ] }, { - "id": "control-0944", - "title": "Maintenance and repair of ICT equipment from secured spaces", + "id": "control-1522", + "title": "Separation of data flows", "parts": [ { - "id": "control-0944-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." } ] }, { - "id": "control-1598", - "title": "Inspection of ICT equipment following maintenance and repairs", + "id": "control-0670", + "title": "Event logging", "parts": [ { - "id": "control-1598-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." 
} ] - } - ] - }, - { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", - "controls": [ + }, { - "id": "control-1551", - "title": "ICT equipment management policy", + "id": "control-1523", + "title": "Event logging", "parts": [ { - "id": "control-1551-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." } ] }, { - "id": "control-0293", - "title": "Classifying ICT equipment", + "id": "control-0610", + "title": "User training", "parts": [ { - "id": "control-0293-stmt", + "id": "control-0610-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of information that it is approved for processing, storing or communicating." + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." } ] - }, + } + ] + }, + { + "id": "web_proxies", + "title": "Web proxies", + "controls": [ { - "id": "control-0294", - "title": "Labelling ICT equipment", + "id": "control-0258", + "title": "Web usage policy", "parts": [ { - "id": "control-0294-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "A web usage policy is developed and implemented." 
} ] }, { - "id": "control-0296", - "title": "Labelling high assurance ICT equipment", + "id": "control-0260", + "title": "Using web proxies", "parts": [ { - "id": "control-0296-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." } ] }, { - "id": "control-1599", - "title": "Handling ICT equipment", + "id": "control-0261", + "title": "Web proxy authentication and logging", "parts": [ { - "id": "control-1599-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." } ] } ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ + }, { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", + "id": "web_content_filters", + "title": "Web content filters", "controls": [ { - "id": "control-0336", - "title": "ICT equipment and media register", + "id": "control-0963", + "title": "Using web content filters", "parts": [ { - "id": "control-0336-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "An ICT equipment and media register is maintained and regularly audited." + "prose": "A web content filter is used to filter potentially harmful web-based content." 
} ] }, { - "id": "control-0159", - "title": "ICT equipment and media register", + "id": "control-0961", + "title": "Using web content filters", "parts": [ { - "id": "control-0159-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "All ICT equipment and media are accounted for on a regular basis." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." } ] }, { - "id": "control-0161", - "title": "Securing ICT equipment and media", + "id": "control-1237", + "title": "Using web content filters", "parts": [ { - "id": "control-0161-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] - } - ] - }, - { - "id": "wireless_devices_and_radio_frequency_transmitters", - "title": "Wireless devices and Radio Frequency transmitters", - "controls": [ + }, { - "id": "control-1543", - "title": "Radio Frequency devices", + "id": "control-0263", + "title": "Transport Layer Security filtering", "parts": [ { - "id": "control-1543-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited." + "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." 
} ] }, { - "id": "control-0225", - "title": "Radio Frequency devices", + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", "parts": [ { - "id": "control-0225-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "Unauthorised RF devices are not brought into SECRET and TOP SECRET areas." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." } ] }, { - "id": "control-0829", - "title": "Radio Frequency devices", + "id": "control-0958", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0829-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] }, { - "id": "control-1058", - "title": "Bluetooth and wireless keyboards", + "id": "control-1170", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-1058-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "Bluetooth and wireless keyboards are not used unless in an RF screened building." + "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." } ] }, { - "id": "control-0222", - "title": "Infrared keyboards", + "id": "control-0959", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0222-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "When using infrared keyboards, infrared ports are positioned to prevent line of sight and reflected communications travelling into an unsecured space." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." 
} ] }, { - "id": "control-0223", - "title": "Infrared keyboards", + "id": "control-0960", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0223-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with unprotected windows." + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." } ] }, { - "id": "control-0224", - "title": "Infrared keyboards", + "id": "control-1171", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0224-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "When using infrared keyboards, the following activities are prevented:\n• line of sight and reflected communications travelling into unsecured spaces\n• multiple infrared keyboards for different systems being used in the same area\n• other infrared devices being used in the same area\n• infrared keyboards operating in areas with windows that have not had a permanent method of blocking infrared transmissions applied to them." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0221", - "title": "Wireless RF pointing devices", + "id": "control-1236", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0221-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "Wireless RF pointing devices are not used in TOP SECRET areas unless used in an RF screened building." + "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." 
} ] } ] }, { - "id": "facilities_and_systems", - "title": "Facilities and systems", + "id": "peripheral_switches", + "title": "Peripheral switches", "controls": [ { - "id": "control-0810", - "title": "Facilities containing systems", + "id": "control-0591", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0810-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." } ] }, { - "id": "control-1053", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1480", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1053-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-1530", - "title": "Server rooms, communications rooms and security containers", + "id": "control-1457", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1530-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." 
} ] }, { - "id": "control-0813", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0593", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." } ] }, { - "id": "control-1074", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0594", + "title": "Peripheral switches for particularly important systems", "parts": [ { - "id": "control-1074-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO information and a system of the same classification that is not authorised to process the same caveat." + } + ] + } + ] + }, + { + "id": "gateways", + "title": "Gateways", + "controls": [ + { + "id": "control-0628", + "title": "Gateway architecture and configuration", + "parts": [ + { + "id": "control-0628-stmt", + "name": "statement", + "prose": "All systems are protected from systems in other security domains by one or more gateways." } ] }, { - "id": "control-0157", - "title": "Network infrastructure", + "id": "control-1192", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0157-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces." 
+ "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." } ] }, { - "id": "control-1296", - "title": "Controlling physical access to network devices", + "id": "control-0631", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." } ] }, { - "id": "control-0164", - "title": "Preventing observation by unauthorised people", + "id": "control-1427", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0164-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_data_transfers", - "title": "Guidelines for Data Transfers", - "groups": [ - { - "id": "data_transfers", - "title": "Data transfers", - "controls": [ + }, { - "id": "control-0663", - "title": "Data transfer process and procedures", + "id": "control-0634", + "title": "Gateway operation", "parts": [ { - "id": "control-0663-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." } ] }, { - "id": "control-0661", - "title": "User responsibilities", + "id": "control-0637", + "title": "Demilitarised zones", "parts": [ { - "id": "control-0661-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-0665", - "title": "Trusted sources", + "id": "control-1037", + "title": "Gateway testing", "parts": [ { - "id": "control-0665-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." 
} ] }, { - "id": "control-0664", - "title": "Data transfer approval", + "id": "control-0611", + "title": "Gateway administration", "parts": [ { - "id": "control-0664-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." } ] }, { - "id": "control-0675", - "title": "Data transfer approval", + "id": "control-0612", + "title": "Gateway administration", "parts": [ { - "id": "control-0675-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "A trusted source signs all data authorised for export from a system." + "prose": "System administrators are formally trained to manage gateways." } ] }, { - "id": "control-0657", - "title": "Import of data", + "id": "control-1520", + "title": "Gateway administration", "parts": [ { - "id": "control-0657-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway." } ] }, { - "id": "control-0658", - "title": "Import of data", + "id": "control-0613", + "title": "Gateway administration", "parts": [ { - "id": "control-0658-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals." 
} ] }, { - "id": "control-1187", - "title": "Export of data", + "id": "control-0616", + "title": "Gateway administration", "parts": [ { - "id": "control-1187-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "Roles for the administration of gateways are separated." } ] }, { - "id": "control-0669", - "title": "Export of data", + "id": "control-0629", + "title": "Gateway administration", "parts": [ { - "id": "control-0669-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-1535", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0607", + "title": "Shared ownership of gateways", "parts": [ { - "id": "control-1535-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." + "prose": "Once connectivity is established, system owners become information stakeholders for all connected security domains." 
} ] }, { - "id": "control-0678", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0619", + "title": "Gateway authentication", "parts": [ { - "id": "control-0678-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "Users and services accessing networks through gateways are authenticated." } ] }, { - "id": "control-1586", - "title": "Monitoring data import and export", + "id": "control-0620", + "title": "Gateway authentication", "parts": [ { - "id": "control-1586-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "Data transfer logs are used to record all data imports and exports from systems." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-1294", - "title": "Monitoring data import and export", + "id": "control-1039", + "title": "Gateway authentication", "parts": [ { - "id": "control-1294-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "Data transfer logs are partially audited at least monthly." + "prose": "Multi-factor authentication is used for access to gateways." } ] }, { - "id": "control-0660", - "title": "Monitoring data import and export", + "id": "control-0622", + "title": "ICT equipment authentication", "parts": [ { - "id": "control-0660-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "Data transfer logs are fully audited at least monthly." + "prose": "ICT equipment accessing networks through gateways is authenticated." } ] } 
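Review bot: this hunk is a positional reordering of the generated catalog rather than a reviewable content change: the `-` lines drop whole groups (`ict_equipment_usage`, `guidelines_for_physical_security`, `guidelines_for_data_transfers`, with controls such as control-1551, control-0336 and control-0663) while the `+` lines introduce `web_proxies`, `web_content_filters`, `peripheral_switches` and `gateways` (control-0258, control-0963, control-0591, control-0628 and so on) in the same position, so a line diff cannot show whether any control id was lost or any `prose` string altered during regeneration. Please confirm in the PR description that the set of control ids and their statement prose is identical before and after, verified with a structural comparison of the two JSON trees that ignores array order rather than with `git diff`, and consider committing regenerated catalogs in their own commit so any hand-made changes can be reviewed on their own.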
@@ -7887,861 +7926,822 @@ ] }, { - "id": "guidelines_for_media", - "title": "Guidelines for Media", + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", "groups": [ { - "id": "media_destruction", - "title": "Media destruction", + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", "controls": [ { - "id": "control-0363", - "title": "Media destruction process and procedures", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", "parts": [ { - "id": "control-0363-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-0350", - "title": "Media that cannot be sanitised", + "id": "control-0546", + "title": "Video and voice-aware firewalls", "parts": [ { - "id": "control-0350-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." } ] }, { - "id": "control-1361", - "title": "Media destruction equipment", + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", "parts": [ { - "id": "control-1361-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." 
+ "prose": "Video conferencing and IP telephony signalling and data is encrypted." } ] }, { - "id": "control-1160", - "title": "Media destruction equipment", + "id": "control-0548", + "title": "Establishment of secure signalling and data protocols", "parts": [ { - "id": "control-1160-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-1517", - "title": "Media destruction methods", + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1517-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-0366", - "title": "Media destruction methods", + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0366-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." 
} ] }, { - "id": "control-0368", - "title": "Treatment of media waste particles", + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0368-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-0361", - "title": "Degaussing magnetic media", + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0361-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." } ] }, { - "id": "control-0838", - "title": "Degaussing magnetic media", + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0838-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." + "prose": "Individual logins are used for IP phones." 
} ] }, { - "id": "control-0362", - "title": "Degaussing magnetic media", + "id": "control-0549", + "title": "Traffic separation", "parts": [ { - "id": "control-0362-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." } ] }, { - "id": "control-0370", - "title": "Supervision of destruction", + "id": "control-0556", + "title": "Traffic separation", "parts": [ { - "id": "control-0370-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-0371", - "title": "Supervision of destruction", + "id": "control-1015", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0371-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "Traditional analog phones are used in public areas." 
} ] }, { - "id": "control-0372", - "title": "Supervision of accountable material destruction", + "id": "control-0558", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] }, { - "id": "control-0373", - "title": "Supervision of accountable material destruction", + "id": "control-0559", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0373-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." } ] }, { - "id": "control-0840", - "title": "Outsourcing media destruction", + "id": "control-1450", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0840-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." 
} ] }, { - "id": "control-0839", - "title": "Outsourcing media destruction", + "id": "control-1019", + "title": "Developing a denial of service response plan", "parts": [ { - "id": "control-0839-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." + "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." } ] } ] }, { - "id": "media_usage", - "title": "Media usage", + "id": "telephone_systems", + "title": "Telephone systems", "controls": [ { - "id": "control-1549", - "title": "Media management policy", - "parts": [ - { - "id": "control-1549-stmt", - "name": "statement", - "prose": "A media management policy is developed and implemented." - } - ] - }, - { - "id": "control-1359", - "title": "Removable media usage policy", - "parts": [ - { - "id": "control-1359-stmt", - "name": "statement", - "prose": "A removable media usage policy is developed and implemented." - } - ] - }, - { - "id": "control-0323", - "title": "Classifying media storing information", - "parts": [ - { - "id": "control-0323-stmt", - "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of information stored on the media." 
- } - ] - }, - { - "id": "control-0325", - "title": "Classifying media connected to systems", + "id": "control-1078", + "title": "Telephone systems usage policy", "parts": [ { - "id": "control-0325-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-0331", - "title": "Reclassifying media", + "id": "control-0229", + "title": "Personnel awareness", "parts": [ { - "id": "control-0331-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade." + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-0330", - "title": "Reclassifying media", + "id": "control-0230", + "title": "Personnel awareness", "parts": [ { - "id": "control-0330-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it." + "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." 
} ] }, { - "id": "control-0332", - "title": "Labelling media", + "id": "control-0231", + "title": "Visual indication", "parts": [ { - "id": "control-0332-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] }, { - "id": "control-1600", - "title": "Connecting media to systems", + "id": "control-0232", + "title": "Protecting conversations", "parts": [ { - "id": "control-1600-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "Media is sanitised before it is used with systems for the first time." + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0337", - "title": "Connecting media to systems", + "id": "control-0233", + "title": "Cordless telephone systems", "parts": [ { - "id": "control-0337-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." } ] }, { - "id": "control-0341", - "title": "Connecting media to systems", + "id": "control-0235", + "title": "Speakerphones", "parts": [ { - "id": "control-0341-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." 
+ "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] }, { - "id": "control-0342", - "title": "Connecting media to systems", + "id": "control-0236", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0342-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." } ] }, { - "id": "control-0343", - "title": "Connecting media to systems", + "id": "control-0931", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0343-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "In SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of SECRET information." } ] }, { - "id": "control-0831", - "title": "Handling media", + "id": "control-0237", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." + "prose": "In TOP SECRET areas, push-to-talk handsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." 
} ] - }, + } + ] + }, + { + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", + "controls": [ { - "id": "control-1059", - "title": "Handling media", + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", "parts": [ { - "id": "control-1059-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "A fax machine and MFD usage policy is developed and implemented." } ] }, { - "id": "control-0347", - "title": "Using media for data transfers", + "id": "control-1092", + "title": "Sending fax messages", "parts": [ { - "id": "control-0347-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." } ] }, { - "id": "control-0947", - "title": "Using media for data transfers", + "id": "control-0241", + "title": "Sending fax messages", "parts": [ { - "id": "control-0947-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "If not using write-once media for transferring data manually between two systems belonging to different security domains, the media is sanitised between each data transfer." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." 
} ] - } - ] - }, - { - "id": "media_disposal", - "title": "Media disposal", - "controls": [ + }, { - "id": "control-0374", - "title": "Media disposal process and procedures", + "id": "control-1075", + "title": "Receiving fax messages", "parts": [ { - "id": "control-0374-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." } ] }, { - "id": "control-0375", - "title": "Media disposal process and procedures", + "id": "control-0590", + "title": "Connecting multifunction devices to networks", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." } ] }, { - "id": "control-0378", - "title": "Media disposal process and procedures", + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", "parts": [ { - "id": "control-0378-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." 
+ "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] - } - ] - }, - { - "id": "media_sanitisation", - "title": "Media sanitisation", - "controls": [ + }, { - "id": "control-0348", - "title": "Media sanitisation process and procedures", + "id": "control-0589", + "title": "Copying documents on multifunction devices", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." } ] }, { - "id": "control-0351", - "title": "Volatile media sanitisation", + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", "parts": [ { - "id": "control-0351-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "Fax machines and MFDs are located in areas where their use can be observed." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ { - "id": "control-0352", - "title": "Volatile media sanitisation", + "id": "control-1510", + "title": "Digital preservation policy", "parts": [ { - "id": "control-0352-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-0835", - "title": "Treatment of volatile media following sanitisation", + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0835-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." } ] }, { - "id": "control-1065", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-1065-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
} ] }, { - "id": "control-0354", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-1511", + "title": "Performing backups", "parts": [ { - "id": "control-0354-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." + "prose": "Backups of important information, software and configuration settings are performed at least daily." } ] }, { - "id": "control-1067", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-1512", + "title": "Backup storage", "parts": [ { - "id": "control-1067-stmt", + "id": "control-1512-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "Backups are stored offline, or online but in a non-rewritable and non-erasable manner." } ] }, { - "id": "control-0356", - "title": "Treatment of non-volatile magnetic media following sanitisation", + "id": "control-1513", + "title": "Backup storage", "parts": [ { - "id": "control-0356-stmt", + "id": "control-1513-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "Backups are stored at a multiple geographically-dispersed locations." 
} ] }, { - "id": "control-0357", - "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "id": "control-1514", + "title": "Retention periods for backups", "parts": [ { - "id": "control-0357-stmt", + "id": "control-1514-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "Backups are stored for three months or greater." } ] }, { - "id": "control-0836", - "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "id": "control-1515", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-0836-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-0358", - "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "id": "control-1516", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-0358-stmt", + "id": "control-1516-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." + "prose": "Partial restoration of backups is tested on a quarterly or more frequent basis." 
} ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-0359", - "title": "Non-volatile flash memory media sanitisation", + "id": "control-1211", + "title": "Change management process and procedures", "parts": [ { - "id": "control-0359-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." } ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-0360", - "title": "Treatment of non-volatile flash memory media following sanitisation", + "id": "control-0042", + "title": "System administration process and procedures", "parts": [ { - "id": "control-0360-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." 
} ] }, { - "id": "control-1464", - "title": "Encrypted media sanitisation", + "id": "control-1380", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1464-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + "prose": "Privileged users use a dedicated administrator workstation when performing privileged tasks." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ - { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", - "controls": [ + }, { - "id": "control-0714", - "title": "Cyber security leadership", + "id": "control-1382", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-0714-stmt", + "id": "control-1382-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership for their organisation." + "prose": "Privileged users are assigned an unprivileged administration account for authenticating to their dedicated administrator workstations." } ] }, { - "id": "control-1478", - "title": "Responsibilities", + "id": "control-1381", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "The CISO provides strategic-level guidance for their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." 
} ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ + }, { - "id": "control-1071", - "title": "System ownership", + "id": "control-1383", + "title": "Separate administrator workstations", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." } ] }, { - "id": "control-1525", - "title": "Responsibilities", + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "System owners register each system with the system’s authorising officer." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." } ] }, { - "id": "control-0027", - "title": "Responsibilities", + "id": "control-1386", + "title": "Restriction of management traffic flows", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from the system’s authorising officer." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-1526", - "title": "Responsibilities", + "id": "control-1387", + "title": "Jump servers", "parts": [ { - "id": "control-1526-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "System owners monitor security risks and the effectiveness of security controls for each system." + "prose": "All administrative actions are conducted through a jump server." 
} ] }, { - "id": "control-1587", - "title": "Responsibilities", + "id": "control-1388", + "title": "Jump servers", "parts": [ { - "id": "control-1587-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "System owners report the security status of each system to its authorising officer at least annually." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." } ] } ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ + }, { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", + "id": "system_patching", + "title": "System patching", "controls": [ { - "id": "control-1452", - "title": "Cyber supply chain risk management", + "id": "control-1143", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "A review of suppliers and service providers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-1567", - "title": "Cyber supply chain risk management", + "id": "control-1493", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1567-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "High risk suppliers and service providers are not used." + "prose": "A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited." 
} ] }, { - "id": "control-1568", - "title": "Cyber supply chain risk management", + "id": "control-1144", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1568-stmt", + "id": "control-1144-stmt", "name": "statement", - "prose": "Outsourced information technology and cloud services are chosen from service providers that have made a commitment to secure practices and have a strong track record of maintaining the security of their systems and services." + "prose": "Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1395", - "title": "Cyber supply chain risk management", + "id": "control-0940", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1395-stmt", + "id": "control-0940-stmt", "name": "statement", - "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified information entrusted to them or their services." + "prose": "Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1569", - "title": "Cyber supply chain risk management", + "id": "control-1472", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1569-stmt", + "id": "control-1472-stmt", "name": "statement", - "prose": "A shared responsibility model is created between service providers and organisations in order to articulate the security responsibilities of each party." 
+ "prose": "Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0100", - "title": "Outsourced gateway services", + "id": "control-1494", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0100-stmt", + "id": "control-1494-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1570", - "title": "Outsourced cloud services", + "id": "control-1495", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1570-stmt", + "id": "control-1495-stmt", "name": "statement", - "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." + "prose": "Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-1529", - "title": "Outsourced cloud services", + "id": "control-1496", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1496-stmt", "name": "statement", - "prose": "Only community or private clouds are used for outsourced cloud services." 
+ "prose": "Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users." } ] }, { - "id": "control-0072", - "title": "Contractual security requirements", + "id": "control-0300", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0072-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements." + "prose": "High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] }, { - "id": "control-1571", - "title": "Contractual security requirements", + "id": "control-0298", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1571-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "The right to audit security controls associated with the protection of information and services is specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-1451", - "title": "Contractual security requirements", + "id": "control-0303", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1451-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "Types of information and its ownership is documented in contractual arrangements." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1572", - "title": "Contractual security requirements", + "id": "control-1497", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1572-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1573", - "title": "Contractual security requirements", + "id": "control-1498", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1573-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "Access to all logs relating to an organisation’s information and services are specified in contractual arrangements." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." } ] }, { - "id": "control-1574", - "title": "Contractual security requirements", + "id": "control-1499", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1574-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Information entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of information." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1575", - "title": "Contractual security requirements", + "id": "control-1500", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1575-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1073", - "title": "Access to systems and information by service providers", + "id": "control-0304", + "title": "Cessation of support", "parts": [ { - "id": "control-1073-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "An organisation’s systems and information are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] }, { - "id": "control-1576", - "title": "Access to systems and information by service providers", + "id": "control-1501", + "title": "Cessation of support", "parts": [ { - "id": "control-1576-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "If an organisation’s systems or information are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." + "prose": "Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions." } ] } 
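Review bot: this hunk is reorder churn rather than a statement-text change and is effectively unreviewable as a content diff: the `-` side drops whole groups (`media_disposal`, `media_sanitisation`, `guidelines_for_cyber_security_roles`, `guidelines_for_outsourcing`) and the `+` side inserts others in their place (`fax_machines_and_multifunction_devices`, `guidelines_for_system_management` with `data_backup_and_restoration`, `change_management`, `system_administration`, `system_patching`), which is what a regenerated catalog looks like when the generator emits groups in a different order from the checked-in file. Please make the ISM.py generator named in the catalog metadata emit groups and controls in a stable order (for example the order of the source document) so that future regenerations show only real control changes, and state in the commit message whether any control prose actually changed in this file. One wording point in an added line: control-1513 reads `"prose": "Backups are stored at a multiple geographically-dispersed locations."`; if that is verbatim from the ISM source it should stay as-is, otherwise the stray "a" should be fixed in the generator rather than by hand-editing the JSON.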
diff --git a/ISM_catalog_profile/catalogs/ISM_September_2021/catalog.json b/ISM_catalog_profile/catalogs/ISM_September_2021/catalog.json index 6242b65..46e1848 100644 --- a/ISM_catalog_profile/catalogs/ISM_September_2021/catalog.json +++ b/ISM_catalog_profile/catalogs/ISM_September_2021/catalog.json 
@@ -1,565 +1,616 @@ { "catalog": { - "uuid": "508d18d3-5080-4627-9c1a-dc06018b4af1", + "uuid": "ee1c9474-cf01-474a-b83c-cee4b3aa620d", "metadata": { "title": "Australian Government Information Security manual", - "last-modified": "2021-11-04T01:20:09.815+00:00", + "last-modified": "2022-04-28T11:43:22.243007+10:00", "version": "September_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" }, "groups": [ { - "id": "guidelines_for_system_management", - "title": "Guidelines for System Management", + "id": "guidelines_for_system_monitoring", + "title": "Guidelines for System Monitoring", "groups": [ { - "id": "system_administration", - "title": "System administration", + "id": "event_logging_and_auditing", + "title": "Event logging and auditing", "controls": [ { - "id": "control-0042", - "title": "System administration process and procedures", + "id": "control-0580", + "title": "Event logging policy", "parts": [ { - "id": "control-0042-stmt", + "id": "control-0580-stmt", "name": "statement", - "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." + "prose": "An event logging policy is developed and implemented." } ] }, { - "id": "control-1380", - "title": "Separate privileged operating environments", + "id": "control-1405", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1380-stmt", + "id": "control-1405-stmt", "name": "statement", - "prose": "Privileged users use separate privileged and unprivileged operating environments." + "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." 
} ] }, { - "id": "control-1687", - "title": "Separate privileged operating environments", + "id": "control-0988", + "title": "Centralised logging facility", "parts": [ { - "id": "control-1687-stmt", + "id": "control-0988-stmt", "name": "statement", - "prose": "Privileged operating environments are not virtualised within unprivileged operating environments." + "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." } ] }, { - "id": "control-1688", - "title": "Separate privileged operating environments", + "id": "control-0584", + "title": "Events to be logged", "parts": [ { - "id": "control-1688-stmt", + "id": "control-0584-stmt", "name": "statement", - "prose": "Unprivileged accounts cannot logon to privileged operating environments." + "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." } ] }, { - "id": "control-1689", - "title": "Separate privileged operating environments", + "id": "control-0582", + "title": "Events to be logged", "parts": [ { - "id": "control-1689-stmt", + "id": "control-0582-stmt", "name": "statement", - "prose": "Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments." + "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." 
} ] }, { - "id": "control-1381", - "title": "Separate privileged operating environments", + "id": "control-1536", + "title": "Events to be logged", "parts": [ { - "id": "control-1381-stmt", + "id": "control-1536-stmt", "name": "statement", - "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." + "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." } ] }, { - "id": "control-1383", - "title": "Separate privileged operating environments", + "id": "control-1537", + "title": "Events to be logged", "parts": [ { - "id": "control-1383-stmt", + "id": "control-1537-stmt", "name": "statement", - "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." + "prose": "The following events are logged for databases:\n• access to particularly important data\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." } ] }, { - "id": "control-1385", - "title": "Dedicated administration zones and communication restrictions", + "id": "control-0585", + "title": "Event log details", "parts": [ { - "id": "control-1385-stmt", + "id": "control-0585-stmt", "name": "statement", - "prose": "Administrator workstations are placed into a separate network zone to user workstations." 
+ "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." } ] }, { - "id": "control-1386", - "title": "Restriction of management traffic flows", + "id": "control-0586", + "title": "Event log protection", "parts": [ { - "id": "control-1386-stmt", + "id": "control-0586-stmt", "name": "statement", - "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." + "prose": "Event logs are protected from unauthorised access, modification and deletion." } ] }, { - "id": "control-1387", - "title": "Jump servers", + "id": "control-0859", + "title": "Event log retention", "parts": [ { - "id": "control-1387-stmt", + "id": "control-0859-stmt", "name": "statement", - "prose": "Administrative activities are conducted through jump servers." + "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." } ] }, { - "id": "control-1388", - "title": "Jump servers", + "id": "control-0991", + "title": "Event log retention", "parts": [ { - "id": "control-1388-stmt", + "id": "control-0991-stmt", "name": "statement", - "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." + "prose": "DNS and proxy logs are retained for at least 18 months." 
} ] - } - ] - }, - { - "id": "change_management", - "title": "Change management", - "controls": [ + }, { - "id": "control-1211", - "title": "Change management process and procedures", + "id": "control-0109", + "title": "Event log auditing process and procedures", "parts": [ { - "id": "control-1211-stmt", + "id": "control-0109-stmt", "name": "statement", - "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." + "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + } + ] + }, + { + "id": "control-1228", + "title": "Event log auditing process and procedures", + "parts": [ + { + "id": "control-1228-stmt", + "name": "statement", + "prose": "Events are correlated across event logs to prioritise audits and focus investigations." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_email", + "title": "Guidelines for Email", + "groups": [ { - "id": "system_patching", - "title": "System patching", + "id": "email_gateways_and_servers", + "title": "Email gateways and servers", "controls": [ { - "id": "control-1143", - "title": "Patch management process and procedures", + "id": "control-0569", + "title": "Centralised email gateways", "parts": [ { - "id": "control-1143-stmt", + "id": "control-0569-stmt", "name": "statement", - "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." 
+ "prose": "Email is routed through a centralised email gateway." } ] }, { - "id": "control-1493", - "title": "Patch management process and procedures", + "id": "control-0571", + "title": "Centralised email gateways", "parts": [ { - "id": "control-1493-stmt", + "id": "control-0571-stmt", "name": "statement", - "prose": "Software registers are maintained and regularly audited for workstations, servers, mobile devices, network devices and all other ICT equipment." + "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." } ] }, { - "id": "control-1643", - "title": "Patch management process and procedures", + "id": "control-0570", + "title": "Email gateway maintenance activities", "parts": [ { - "id": "control-1643-stmt", + "id": "control-0570-stmt", "name": "statement", - "prose": "Software registers contain versions and patch histories of applications, drivers, operating systems and firmware." + "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." } ] }, { - "id": "control-1690", - "title": "When to patch security vulnerabilities", + "id": "control-0567", + "title": "Open relay email servers", "parts": [ { - "id": "control-1690-stmt", + "id": "control-0567-stmt", "name": "statement", - "prose": "Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists." + "prose": "Email servers only relay emails destined for or originating from their domains." 
} ] }, { - "id": "control-1691", - "title": "When to patch security vulnerabilities", + "id": "control-0572", + "title": "Email server transport encryption", "parts": [ { - "id": "control-1691-stmt", + "id": "control-0572-stmt", "name": "statement", - "prose": "Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release." + "prose": "Opportunistic TLS encryption is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." } ] }, { - "id": "control-1692", - "title": "When to patch security vulnerabilities", + "id": "control-1589", + "title": "Email server transport encryption", "parts": [ { - "id": "control-1692-stmt", + "id": "control-1589-stmt", "name": "statement", - "prose": "Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours if an exploit exists." + "prose": "MTA-STS is enabled to prevent the transfer of unencrypted emails between complying servers." } ] }, { - "id": "control-1693", - "title": "When to patch security vulnerabilities", + "id": "control-0574", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1693-stmt", + "id": "control-0574-stmt", "name": "statement", - "prose": "Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month." + "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." 
} ] }, { - "id": "control-1694", - "title": "When to patch security vulnerabilities", + "id": "control-1183", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1694-stmt", + "id": "control-1183-stmt", "name": "statement", - "prose": "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists." + "prose": "A hard fail SPF record is used when specifying email servers." } ] }, { - "id": "control-1695", - "title": "When to patch security vulnerabilities", + "id": "control-1151", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1695-stmt", + "id": "control-1151-stmt", "name": "statement", - "prose": "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release." + "prose": "SPF is used to verify the authenticity of incoming emails." } ] }, { - "id": "control-1696", - "title": "When to patch security vulnerabilities", + "id": "control-1152", + "title": "Sender Policy Framework", "parts": [ { - "id": "control-1696-stmt", + "id": "control-1152-stmt", "name": "statement", - "prose": "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within 48 hours if an exploit exists." + "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." 
} ] }, { - "id": "control-1697", - "title": "When to patch security vulnerabilities", + "id": "control-0861", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-1697-stmt", + "id": "control-0861-stmt", "name": "statement", - "prose": "Patches, updates or vendor mitigations for security vulnerabilities in drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists." + "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." } ] }, { - "id": "control-0300", - "title": "When to patch security vulnerabilities", + "id": "control-1026", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0300-stmt", + "id": "control-1026-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only patched or updated when approved by the ACSC using methods and timeframes prescribed by the ACSC." + "prose": "DKIM signatures on received emails are verified." } ] }, { - "id": "control-0298", - "title": "How to patch security vulnerabilities", + "id": "control-1027", + "title": "DomainKeys Identified Mail", "parts": [ { - "id": "control-0298-stmt", + "id": "control-1027-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update applications and drivers." + "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." } ] }, { - "id": "control-0303", - "title": "How to patch security vulnerabilities", + "id": "control-1540", + "title": "Domain-based Message Authentication, Reporting and Conformance", "parts": [ { - "id": "control-0303-stmt", + "id": "control-1540-stmt", "name": "statement", - "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
+ "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." } ] }, { - "id": "control-1497", - "title": "How to patch security vulnerabilities", + "id": "control-1234", + "title": "Email content filtering", "parts": [ { - "id": "control-1497-stmt", + "id": "control-1234-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." + "prose": "Email content filtering controls are implemented for email bodies and attachments." } ] }, { - "id": "control-1498", - "title": "How to patch security vulnerabilities", + "id": "control-1502", + "title": "Blocking suspicious emails", "parts": [ { - "id": "control-1498-stmt", + "id": "control-1502-stmt", "name": "statement", - "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." + "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." } ] }, { - "id": "control-1499", - "title": "How to patch security vulnerabilities", + "id": "control-1024", + "title": "Undeliverable messages", "parts": [ { - "id": "control-1499-stmt", + "id": "control-1024-stmt", "name": "statement", - "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." + "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." 
} ] - }, + } + ] + }, + { + "id": "email_usage", + "title": "Email usage", + "controls": [ { - "id": "control-1500", - "title": "How to patch security vulnerabilities", + "id": "control-0264", + "title": "Email usage policy", "parts": [ { - "id": "control-1500-stmt", + "id": "control-0264-stmt", "name": "statement", - "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." + "prose": "An email usage policy is developed and implemented." } ] }, { - "id": "control-1698", - "title": "Scanning for missing patches", + "id": "control-0267", + "title": "Webmail services", "parts": [ { - "id": "control-1698-stmt", + "id": "control-0267-stmt", "name": "statement", - "prose": "A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services." + "prose": "Access to non-approved webmail services is blocked." } ] }, { - "id": "control-1699", - "title": "Scanning for missing patches", + "id": "control-0270", + "title": "Protective markings for emails", "parts": [ { - "id": "control-1699-stmt", + "id": "control-0270-stmt", "name": "statement", - "prose": "A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products." + "prose": "Protective markings are applied to emails and reflect the highest sensitivity or classification of the subject, body and attachments." 
} ] }, { - "id": "control-1700", - "title": "Scanning for missing patches", + "id": "control-0271", + "title": "Protective marking tools", "parts": [ { - "id": "control-1700-stmt", + "id": "control-0271-stmt", "name": "statement", - "prose": "A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications." + "prose": "Protective marking tools do not automatically insert protective markings into emails." } ] }, { - "id": "control-1701", - "title": "Scanning for missing patches", + "id": "control-0272", + "title": "Protective marking tools", "parts": [ { - "id": "control-1701-stmt", + "id": "control-0272-stmt", "name": "statement", - "prose": "A vulnerability scanner is used at least daily to identify missing patches for security vulnerabilities in operating systems of internet-facing services." + "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." } ] }, { - "id": "control-1702", - "title": "Scanning for missing patches", + "id": "control-1089", + "title": "Protective marking tools", "parts": [ { - "id": "control-1702-stmt", + "id": "control-1089-stmt", "name": "statement", - "prose": "A vulnerability scanner is used at least weekly to identify missing patches for security vulnerabilities in operating systems of workstations, servers and network devices." + "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." 
} ] }, { - "id": "control-1703", - "title": "Scanning for missing patches", + "id": "control-0565", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-1703-stmt", + "id": "control-0565-stmt", "name": "statement", - "prose": "A vulnerability scanner is used at least weekly to identify missing patches for security vulnerabilities in drivers and firmware." + "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." } ] }, { - "id": "control-1704", - "title": "Cessation of support", + "id": "control-1023", + "title": "Handling emails with inappropriate, invalid or missing protective markings", "parts": [ { - "id": "control-1704-stmt", + "id": "control-1023-stmt", "name": "statement", - "prose": "Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed." + "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." } ] }, { - "id": "control-0304", - "title": "Cessation of support", + "id": "control-0269", + "title": "Email distribution lists", "parts": [ { - "id": "control-0304-stmt", + "id": "control-0269-stmt", "name": "statement", - "prose": "Applications that are no longer supported by vendors are removed." + "prose": "Emails containing AUSTEO, AGAO or REL data are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_physical_security", + "title": "Guidelines for Physical Security", + "groups": [ + { + "id": "ict_equipment_and_media", + "title": "ICT equipment and media", + "controls": [ { - "id": "control-1501", - "title": "Cessation of support", + "id": "control-0161", + "title": "Securing ICT equipment and media", "parts": [ { - "id": "control-1501-stmt", + "id": "control-0161-stmt", "name": "statement", - "prose": "Operating systems that are no longer supported by vendors are replaced." + "prose": "ICT equipment and media are secured when not in use." } ] } ] }, { - "id": "data_backup_and_restoration", - "title": "Data backup and restoration", + "id": "facilities_and_systems", + "title": "Facilities and systems", "controls": [ { - "id": "control-1510", - "title": "Digital preservation policy", + "id": "control-0810", + "title": "Facilities containing systems", "parts": [ { - "id": "control-1510-stmt", + "id": "control-0810-stmt", "name": "statement", - "prose": "A digital preservation policy is developed and implemented." + "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." } ] }, { - "id": "control-1547", - "title": "Data backup and restoration processes and procedures", + "id": "control-1053", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1547-stmt", + "id": "control-1053-stmt", "name": "statement", - "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." + "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." 
} ] }, { - "id": "control-1548", - "title": "Data backup and restoration processes and procedures", + "id": "control-1530", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1548-stmt", + "id": "control-1530-stmt", "name": "statement", - "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." + "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." } ] }, { - "id": "control-1511", - "title": "Performing and retaining backups", + "id": "control-0813", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1511-stmt", + "id": "control-0813-stmt", "name": "statement", - "prose": "Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements." + "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." } ] }, { - "id": "control-1705", - "title": "Backup access and modification", + "id": "control-1074", + "title": "Server rooms, communications rooms and security containers", "parts": [ { - "id": "control-1705-stmt", + "id": "control-1074-stmt", "name": "statement", - "prose": "Unprivileged accounts, and privileged accounts (excluding backup administrators) cannot access other account’s backups." + "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." 
} ] }, { - "id": "control-1706", - "title": "Backup access and modification", + "id": "control-0157", + "title": "Network infrastructure", "parts": [ { - "id": "control-1706-stmt", + "id": "control-0157-stmt", "name": "statement", - "prose": "Unprivileged accounts, and privileged accounts (excluding backup administrators) can’t access their own account’s backups." + "prose": "Data communicated over network infrastructure in areas not authorised for the processing of such data is encrypted as if it was communicated through unsecured spaces." } ] }, { - "id": "control-1707", - "title": "Backup access and modification", + "id": "control-1296", + "title": "Controlling physical access to network devices", "parts": [ { - "id": "control-1707-stmt", + "id": "control-1296-stmt", "name": "statement", - "prose": "Unprivileged accounts, and privileged accounts (excluding backup administrators), are prevented from modifying or deleting backups." + "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." } ] }, { - "id": "control-1708", - "title": "Backup access and modification", + "id": "control-1543", + "title": "Bringing Radio Frequency and infrared devices into facilities", "parts": [ { - "id": "control-1708-stmt", + "id": "control-1543-stmt", "name": "statement", - "prose": "Backup administrators (excluding backup break glass accounts), are prevented from modifying or deleting backups." + "prose": "An authorised RF and IR device register is maintained and regularly audited for SECRET and TOP SECRET areas." 
} ] }, { - "id": "control-1515", - "title": "Testing restoration of backups", + "id": "control-0225", + "title": "Bringing Radio Frequency and infrared devices into facilities", "parts": [ { - "id": "control-1515-stmt", + "id": "control-0225-stmt", "name": "statement", - "prose": "Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises." + "prose": "Unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas." + } + ] + }, + { + "id": "control-0829", + "title": "Bringing Radio Frequency and infrared devices into facilities", + "parts": [ + { + "id": "control-0829-stmt", + "name": "statement", + "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + } + ] + }, + { + "id": "control-0164", + "title": "Preventing observation by unauthorised people", + "parts": [ + { + "id": "control-0164-stmt", + "name": "statement", + "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." } ] } 
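Review bot: The `remarks` string in the metadata block (an unchanged context line at the top of this hunk) still reads `This content was generated using scrips/ISM/ISM.py`; if the intended path is `scripts/ISM/ISM.py`, the typo lives in the generator's template and will be copied into every regenerated catalog, so it is worth fixing at the source before this regeneration lands. Separately, nearly every other line in this hunk is a wholesale swap of one group for another (`guidelines_for_system_management` removed, `guidelines_for_system_monitoring` added, and likewise for each subgroup and control down to the end of the hunk), which means the generator no longer emits groups in the same order as the committed file; a stable ordering (the order of the source ISM document, or sorted by group id) would turn a multi-thousand-line regeneration diff into one that shows only real control changes. The new `last-modified` value `2022-04-28T11:43:22.243007+10:00` also switched from UTC with millisecond precision to a local offset with microseconds; emitting UTC at a fixed precision keeps that field comparable across regenerations.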
@@ -568,4316 +619,4193 @@ ] }, { - "id": "guidelines_for_gateways", - "title": "Guidelines for Gateways", + "id": "guidelines_for_enterprise_mobility", + "title": "Guidelines for Enterprise Mobility", "groups": [ { - "id": "firewalls", - "title": "Firewalls", + "id": "mobile_device_management", + "title": "Mobile device management", "controls": [ { - "id": "control-1528", - "title": "Using firewalls", + "id": "control-1533", + "title": "Mobile device management policy", "parts": [ { - "id": "control-1528-stmt", + "id": "control-1533-stmt", "name": "statement", - "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." + "prose": "A mobile device management policy is developed and implemented." } ] }, { - "id": "control-0639", - "title": "Using firewalls", + "id": "control-1195", + "title": "Mobile device management policy", "parts": [ { - "id": "control-0639-stmt", + "id": "control-1195-stmt", "name": "statement", - "prose": "An evaluated firewall is used between networks belonging to different security domains." + "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." } ] }, { - "id": "control-1194", - "title": "Using firewalls", + "id": "control-0687", + "title": "Approval for use", "parts": [ { - "id": "control-1194-stmt", + "id": "control-0687-stmt", "name": "statement", - "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." + "prose": "Mobile devices do not process, store or communicate highly classified data until approved for use by the ACSC." 
} ] }, { - "id": "control-0641", - "title": "Firewalls for particularly important networks", + "id": "control-1400", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-0641-stmt", + "id": "control-1400-stmt", "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." + "prose": "Personnel accessing official or classified systems or data using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified data from any personal data." } ] }, { - "id": "control-0642", - "title": "Firewalls for particularly important networks", - "parts": [ - { - "id": "control-0642-stmt", - "name": "statement", - "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." - } - ] - } - ] - }, - { - "id": "gateways", - "title": "Gateways", - "controls": [ - { - "id": "control-0628", - "title": "Gateway architecture and configuration", - "parts": [ - { - "id": "control-0628-stmt", - "name": "statement", - "prose": "All systems are protected from systems in other security domains by one or more gateways." - } - ] - }, - { - "id": "control-1192", - "title": "Gateway architecture and configuration", + "id": "control-0694", + "title": "Privately-owned mobile devices", "parts": [ { - "id": "control-1192-stmt", + "id": "control-0694-stmt", "name": "statement", - "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." + "prose": "Privately-owned mobile devices do not access highly classified systems or data." 
} ] }, { - "id": "control-0631", - "title": "Gateway architecture and configuration", + "id": "control-1297", + "title": "Seeking legal advice for privately-owned mobile devices", "parts": [ { - "id": "control-0631-stmt", + "id": "control-1297-stmt", "name": "statement", - "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." + "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or data." } ] }, { - "id": "control-1427", - "title": "Gateway architecture and configuration", + "id": "control-1482", + "title": "Organisation-owned mobile devices", "parts": [ { - "id": "control-1427-stmt", + "id": "control-1482-stmt", "name": "statement", - "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." + "prose": "Personnel accessing official or classified systems or data using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." 
} ] }, { - "id": "control-0634", - "title": "Gateway operation", + "id": "control-0869", + "title": "Mobile device storage encryption", "parts": [ { - "id": "control-0634-stmt", + "id": "control-0869-stmt", "name": "statement", - "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." + "prose": "All data on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-0637", - "title": "Demilitarised zones", + "id": "control-1085", + "title": "Mobile device communications encryption", "parts": [ { - "id": "control-0637-stmt", + "id": "control-1085-stmt", "name": "statement", - "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." + "prose": "Mobile devices used to communicate sensitive or classified data over public network infrastructure use encryption approved for communicating such data over public network infrastructure." } ] }, { - "id": "control-1037", - "title": "Gateway testing", + "id": "control-1202", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-1037-stmt", + "id": "control-1202-stmt", "name": "statement", - "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." 
+ "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." } ] }, { - "id": "control-0611", - "title": "Gateway administration", + "id": "control-0682", + "title": "Mobile device Bluetooth functionality", "parts": [ { - "id": "control-0611-stmt", + "id": "control-0682-stmt", "name": "statement", - "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." + "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." } ] }, { - "id": "control-0612", - "title": "Gateway administration", + "id": "control-1196", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-0612-stmt", + "id": "control-1196-stmt", "name": "statement", - "prose": "System administrators are formally trained to manage gateways." + "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." } ] }, { - "id": "control-1520", - "title": "Gateway administration", + "id": "control-1200", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-1520-stmt", + "id": "control-1200-stmt", "name": "statement", - "prose": "All system administrators of gateways are cleared to access the highest level of data communicated or processed by the gateway." + "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." } ] }, { - "id": "control-0613", - "title": "Gateway administration", + "id": "control-1198", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-0613-stmt", + "id": "control-1198-stmt", "name": "statement", - "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) data are Australian nationals." 
+ "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." } ] }, { - "id": "control-0616", - "title": "Gateway administration", + "id": "control-1199", + "title": "Mobile device Bluetooth pairing", "parts": [ { - "id": "control-0616-stmt", + "id": "control-1199-stmt", "name": "statement", - "prose": "Roles for the administration of gateways are separated." + "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." } ] }, { - "id": "control-0629", - "title": "Gateway administration", + "id": "control-0863", + "title": "Configuration control", "parts": [ { - "id": "control-0629-stmt", + "id": "control-0863-stmt", "name": "statement", - "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." + "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." } ] }, { - "id": "control-0607", - "title": "Shared ownership of gateways", + "id": "control-0864", + "title": "Configuration control", "parts": [ { - "id": "control-0607-stmt", + "id": "control-0864-stmt", "name": "statement", - "prose": "Once connectivity is established, system owners become stakeholders for all connected security domains." + "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." } ] }, { - "id": "control-0619", - "title": "Gateway authentication", + "id": "control-1365", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-0619-stmt", + "id": "control-1365-stmt", "name": "statement", - "prose": "Users and services accessing networks through gateways are authenticated." + "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." 
} ] }, { - "id": "control-0620", - "title": "Gateway authentication", + "id": "control-1366", + "title": "Maintaining mobile device security", "parts": [ { - "id": "control-0620-stmt", + "id": "control-1366-stmt", "name": "statement", - "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." + "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." } ] }, { - "id": "control-1039", - "title": "Gateway authentication", + "id": "control-0874", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-1039-stmt", + "id": "control-0874-stmt", "name": "statement", - "prose": "Multi-factor authentication is used for access to gateways." + "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." } ] }, { - "id": "control-0622", - "title": "ICT equipment authentication", + "id": "control-0705", + "title": "Connecting mobile devices to the internet", "parts": [ { - "id": "control-0622-stmt", + "id": "control-0705-stmt", "name": "statement", - "prose": "ICT equipment accessing networks through gateways is authenticated." + "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." } ] } ] }, { - "id": "diodes", - "title": "Diodes", + "id": "mobile_device_usage", + "title": "Mobile device usage", "controls": [ { - "id": "control-0643", - "title": "Using diodes", + "id": "control-1082", + "title": "Mobile device usage policy", "parts": [ { - "id": "control-0643-stmt", + "id": "control-1082-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." + "prose": "A mobile device usage policy is developed and implemented." 
} ] }, { - "id": "control-0645", - "title": "Using diodes", + "id": "control-1083", + "title": "Personnel awareness", "parts": [ { - "id": "control-0645-stmt", + "id": "control-1083-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." + "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." } ] }, { - "id": "control-1157", - "title": "Using diodes", + "id": "control-0240", + "title": "Paging and message services", "parts": [ { - "id": "control-1157-stmt", + "id": "control-0240-stmt", "name": "statement", - "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." + "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified data." } ] }, { - "id": "control-1158", - "title": "Using diodes", + "id": "control-0866", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-1158-stmt", + "id": "control-0866-stmt", "name": "statement", - "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." + "prose": "Sensitive or classified data is not viewed or communicated in public locations unless care is taken to reduce the chance of the screen of a mobile device being observed." 
} ] }, { - "id": "control-0646", - "title": "Diodes for particularly important networks", + "id": "control-1145", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0646-stmt", + "id": "control-1145-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." + "prose": "Privacy filters are applied to the screens of highly classified mobile devices." } ] }, { - "id": "control-0647", - "title": "Diodes for particularly important networks", + "id": "control-1644", + "title": "Using mobile devices in public spaces", "parts": [ { - "id": "control-0647-stmt", + "id": "control-1644-stmt", "name": "statement", - "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." + "prose": "Sensitive or classified phone calls are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard." } ] }, { - "id": "control-0648", - "title": "Volume checking", + "id": "control-0871", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0648-stmt", + "id": "control-0871-stmt", "name": "statement", - "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + "prose": "Mobile devices are kept under continual direct supervision when being actively used." 
} ] - } - ] - }, - { - "id": "content_filtering", - "title": "Content filtering", - "controls": [ + }, { - "id": "control-0659", - "title": "Content filtering", + "id": "control-0870", + "title": "Maintaining control of mobile devices", "parts": [ { - "id": "control-0659-stmt", + "id": "control-0870-stmt", "name": "statement", - "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." + "prose": "Mobile devices are carried or stored in a secured state when not being actively used." } ] }, { - "id": "control-1524", - "title": "Content filtering", + "id": "control-1084", + "title": "Carrying mobile devices", "parts": [ { - "id": "control-1524-stmt", + "id": "control-1084-stmt", "name": "statement", - "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." + "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the data stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." } ] }, { - "id": "control-0651", - "title": "Active, malicious and suspicious content", + "id": "control-0701", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0651-stmt", + "id": "control-0701-stmt", "name": "statement", - "prose": "All suspicious, malicious and active content is blocked from entering a security domain." + "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." 
} ] }, { - "id": "control-0652", - "title": "Active, malicious and suspicious content", + "id": "control-0702", + "title": "Mobile device emergency sanitisation process and procedures", "parts": [ { - "id": "control-0652-stmt", + "id": "control-0702-stmt", "name": "statement", - "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." + "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." } ] }, { - "id": "control-1389", - "title": "Automated dynamic analysis", + "id": "control-1298", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1389-stmt", + "id": "control-1298-stmt", "name": "statement", - "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." + "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." } ] }, { - "id": "control-1284", - "title": "Content validation", + "id": "control-1554", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1284-stmt", + "id": "control-1554-stmt", "name": "statement", - "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." + "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." 
} ] }, { - "id": "control-1286", - "title": "Content conversion and transformation", + "id": "control-1555", + "title": "Before travelling overseas with mobile devices", "parts": [ { - "id": "control-1286-stmt", + "id": "control-1555-stmt", "name": "statement", - "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." + "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." } ] }, { - "id": "control-1287", - "title": "Content sanitisation", + "id": "control-1299", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-1287-stmt", + "id": "control-1299-stmt", "name": "statement", - "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." 
+ "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." } ] }, { - "id": "control-1288", - "title": "Antivirus scanning", + "id": "control-1088", + "title": "While travelling overseas with mobile devices", "parts": [ { - "id": "control-1288-stmt", + "id": "control-1088-stmt", "name": "statement", - "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." 
+ "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." } ] }, { - "id": "control-1289", - "title": "Archive and container files", + "id": "control-1300", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-1289-stmt", + "id": "control-1300-stmt", "name": "statement", - "prose": "The contents from archive/container files are extracted and subjected to content filter checks." + "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." } ] }, { - "id": "control-1290", - "title": "Archive and container files", + "id": "control-1556", + "title": "After travelling overseas with mobile devices", "parts": [ { - "id": "control-1290-stmt", + "id": "control-1556-stmt", "name": "statement", - "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." + "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_evaluated_products", + "title": "Guidelines for Evaluated Products", + "groups": [ + { + "id": "evaluated_product_acquisition", + "title": "Evaluated product acquisition", + "controls": [ { - "id": "control-1291", - "title": "Archive and container files", + "id": "control-0280", + "title": "Evaluated product selection", "parts": [ { - "id": "control-1291-stmt", + "id": "control-0280-stmt", "name": "statement", - "prose": "Files that cannot be inspected are blocked and generate an alert or notification." + "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." } ] }, { - "id": "control-0649", - "title": "Allowing access to specific content types", + "id": "control-0285", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-0649-stmt", + "id": "control-0285-stmt", "name": "statement", - "prose": "A list of allowed content types is implemented." + "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." } ] }, { - "id": "control-1292", - "title": "Data integrity", + "id": "control-0286", + "title": "Delivery of evaluated products", "parts": [ { - "id": "control-1292-stmt", + "id": "control-0286-stmt", "name": "statement", - "prose": "The integrity of content is verified where applicable and blocked if verification fails." + "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." 
} ] - }, + } + ] + }, + { + "id": "evaluated_product_usage", + "title": "Evaluated product usage", + "controls": [ { - "id": "control-0677", - "title": "Data integrity", + "id": "control-0289", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0677-stmt", + "id": "control-0289-stmt", "name": "statement", - "prose": "If data is signed, the signature is validated before the data is exported." + "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." } ] }, { - "id": "control-1293", - "title": "Encrypted data", - "parts": [ - { - "id": "control-1293-stmt", - "name": "statement", - "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." - } - ] - } - ] - }, - { - "id": "cross_domain_solutions", - "title": "Cross Domain Solutions", - "controls": [ - { - "id": "control-0626", - "title": "When to implement a Cross Domain Solution", + "id": "control-0290", + "title": "Installation and configuration of evaluated products", "parts": [ { - "id": "control-0626-stmt", + "id": "control-0290-stmt", "name": "statement", - "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." + "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." } ] }, { - "id": "control-0597", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-0292", + "title": "Use of high assurance ICT equipment in unevaluated configurations", "parts": [ { - "id": "control-0597-stmt", + "id": "control-0292-stmt", "name": "statement", - "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." 
+ "prose": "High assurance ICT equipment is only operated in an evaluated configuration." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_infrastructure", + "title": "Guidelines for Communications Infrastructure", + "groups": [ + { + "id": "emanation_security", + "title": "Emanation security", + "controls": [ { - "id": "control-0627", - "title": "Consultation when implementing or modifying a Cross Domain Solution", + "id": "control-0247", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0627-stmt", + "id": "control-0247-stmt", "name": "statement", - "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." + "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-0635", - "title": "Separation of data flows", + "id": "control-0248", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-0635-stmt", + "id": "control-0248-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." + "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1521", - "title": "Separation of data flows", + "id": "control-1137", + "title": "Emanation security threat assessments in Australia", "parts": [ { - "id": "control-1521-stmt", + "id": "control-1137-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." + "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." } ] }, { - "id": "control-1522", - "title": "Separation of data flows", + "id": "control-0932", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-1522-stmt", + "id": "control-0932-stmt", "name": "statement", - "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." + "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." } ] }, { - "id": "control-0670", - "title": "Event logging", + "id": "control-0249", + "title": "Emanation security threat assessments outside Australia", "parts": [ { - "id": "control-0670-stmt", + "id": "control-0249-stmt", "name": "statement", - "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." + "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." 
} ] }, { - "id": "control-1523", - "title": "Event logging", + "id": "control-0246", + "title": "Early identification of emanation security issues", "parts": [ { - "id": "control-1523-stmt", + "id": "control-0246-stmt", "name": "statement", - "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." + "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." } ] }, { - "id": "control-0610", - "title": "User training", + "id": "control-0250", + "title": "Industry and government standards", "parts": [ { - "id": "control-0610-stmt", + "id": "control-0250-stmt", "name": "statement", - "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." + "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." } ] } ] }, { - "id": "web_content_filters", - "title": "Web content filters", + "id": "cabling_infrastructure", + "title": "Cabling infrastructure", "controls": [ { - "id": "control-0963", - "title": "Using web content filters", + "id": "control-0181", + "title": "Cabling infrastructure standards", "parts": [ { - "id": "control-0963-stmt", + "id": "control-0181-stmt", "name": "statement", - "prose": "A web content filter is used to filter potentially harmful web-based content." + "prose": "Cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority." 
} ] }, { - "id": "control-0961", - "title": "Using web content filters", + "id": "control-1111", + "title": "Use of fibre-optic cables", "parts": [ { - "id": "control-0961-stmt", + "id": "control-1111-stmt", "name": "statement", - "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." + "prose": "Fibre-optic cables are used for cabling infrastructure instead of copper cables." } ] }, { - "id": "control-1237", - "title": "Using web content filters", + "id": "control-0211", + "title": "Cable register", "parts": [ { - "id": "control-1237-stmt", + "id": "control-0211-stmt", "name": "statement", - "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." + "prose": "A cable register is maintained and regularly audited." } ] }, { - "id": "control-0263", - "title": "Transport Layer Security filtering", + "id": "control-0208", + "title": "Cable register", "parts": [ { - "id": "control-0263-stmt", + "id": "control-0208-stmt", "name": "statement", - "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." + "prose": "A cable register contains the following for each cable:\n• cable identifier\n• cable colour\n• sensitivity/classification\n• source\n• destination\n• location\n• seal numbers (if applicable)." } ] }, { - "id": "control-0996", - "title": "Inspection of Transport Layer Security traffic", + "id": "control-1645", + "title": "Floor plan diagrams", "parts": [ { - "id": "control-0996-stmt", + "id": "control-1645-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." 
+ "prose": "Floor plan diagrams are maintained and regularly audited." } ] }, { - "id": "control-0958", - "title": "Allowing access to specific websites", + "id": "control-1646", + "title": "Floor plan diagrams", "parts": [ { - "id": "control-0958-stmt", + "id": "control-1646-stmt", "name": "statement", - "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." + "prose": "Floor plan diagrams contain the following:\n• cable paths (including ingress and egress points between floors)\n• cable reticulation system and conduit paths\n• floor concentration boxes\n• wall outlet boxes\n• network cabinets." } ] }, { - "id": "control-1170", - "title": "Allowing access to specific websites", + "id": "control-0206", + "title": "Cable labelling process and procedures", "parts": [ { - "id": "control-1170-stmt", + "id": "control-0206-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." + "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." } ] }, { - "id": "control-0959", - "title": "Blocking access to specific websites", + "id": "control-1096", + "title": "Labelling cables", "parts": [ { - "id": "control-0959-stmt", + "id": "control-1096-stmt", "name": "statement", - "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." + "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." 
} ] }, { - "id": "control-0960", - "title": "Blocking access to specific websites", + "id": "control-1639", + "title": "Labelling building management cables", "parts": [ { - "id": "control-0960-stmt", + "id": "control-1639-stmt", "name": "statement", - "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." + "prose": "Building management cables are labelled with their purpose in black writing on a yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre intervals." } ] }, { - "id": "control-1171", - "title": "Blocking access to specific websites", + "id": "control-1640", + "title": "Labelling cables for foreign systems in Australian facilities", "parts": [ { - "id": "control-1171-stmt", + "id": "control-1640-stmt", "name": "statement", - "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." + "prose": "Cables for foreign systems installed in Australian facilities are labelled at inspection points." } ] }, { - "id": "control-1236", - "title": "Blocking access to specific websites", - "parts": [ - { - "id": "control-1236-stmt", - "name": "statement", - "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." - } - ] - } - ] - }, - { - "id": "web_proxies", - "title": "Web proxies", - "controls": [ - { - "id": "control-0258", - "title": "Web usage policy", + "id": "control-0926", + "title": "Cable colours", "parts": [ { - "id": "control-0258-stmt", + "id": "control-0926-stmt", "name": "statement", - "prose": "A web usage policy is developed and implemented." + "prose": "The cable colours in the following table are used (see source document for referenced table)." 
} ] }, { - "id": "control-0260", - "title": "Using web proxies", + "id": "control-1216", + "title": "Cable colour non-conformance", "parts": [ { - "id": "control-0260-stmt", + "id": "control-1216-stmt", "name": "statement", - "prose": "All web access, including that by internal servers, is conducted through a web proxy." + "prose": "Cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." } ] }, { - "id": "control-0261", - "title": "Web proxy authentication and logging", + "id": "control-1112", + "title": "Cable inspectability", "parts": [ { - "id": "control-0261-stmt", + "id": "control-1112-stmt", "name": "statement", - "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." + "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." } ] - } - ] - }, - { - "id": "peripheral_switches", - "title": "Peripheral switches", - "controls": [ + }, { - "id": "control-0591", - "title": "Using peripheral switches", + "id": "control-1118", + "title": "Cable inspectability", "parts": [ { - "id": "control-0591-stmt", + "id": "control-1118-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." + "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." 
} ] }, { - "id": "control-1480", - "title": "Using peripheral switches", + "id": "control-1119", + "title": "Cable inspectability", "parts": [ { - "id": "control-1480-stmt", + "id": "control-1119-stmt", "name": "statement", - "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." + "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." } ] }, { - "id": "control-1457", - "title": "Using peripheral switches", + "id": "control-1126", + "title": "Cable inspectability", "parts": [ { - "id": "control-1457-stmt", + "id": "control-1126-stmt", "name": "statement", - "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." + "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." } ] }, { - "id": "control-0593", - "title": "Using peripheral switches", + "id": "control-0184", + "title": "Cable inspectability", "parts": [ { - "id": "control-0593-stmt", + "id": "control-0184-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." + "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." 
} ] }, { - "id": "control-0594", - "title": "Peripheral switches for particularly important systems", + "id": "control-0187", + "title": "Common cable reticulation systems and conduits", "parts": [ { - "id": "control-0594-stmt", + "id": "control-0187-stmt", "name": "statement", - "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO data and a system of the same classification that is not authorised to process the same caveat." + "prose": "The cable groups in the following table are used (see source document for referenced table)." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_evaluated_products", - "title": "Guidelines for Evaluated Products", - "groups": [ - { - "id": "evaluated_product_acquisition", - "title": "Evaluated product acquisition", - "controls": [ + }, { - "id": "control-0280", - "title": "Evaluated product selection", + "id": "control-0189", + "title": "Common cable reticulation systems and conduits", "parts": [ { - "id": "control-0280-stmt", + "id": "control-0189-stmt", "name": "statement", - "prose": "If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation." + "prose": "Cables only carry a single cable group, unless each cable group belongs to a different subunit." } ] }, { - "id": "control-0285", - "title": "Delivery of evaluated products", + "id": "control-1114", + "title": "Common cable reticulation systems and conduits", "parts": [ { - "id": "control-0285-stmt", + "id": "control-1114-stmt", "name": "statement", - "prose": "Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation." + "prose": "Cable groups sharing a common cable reticulation system have a dividing partition or a visible gap between the cable groups." 
} ] }, { - "id": "control-0286", - "title": "Delivery of evaluated products", + "id": "control-1130", + "title": "Enclosed cable reticulation systems", "parts": [ { - "id": "control-0286-stmt", + "id": "control-1130-stmt", "name": "statement", - "prose": "When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures." + "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." } ] - } - ] - }, - { - "id": "evaluated_product_usage", - "title": "Evaluated product usage", - "controls": [ + }, { - "id": "control-0289", - "title": "Installation and configuration of evaluated products", + "id": "control-1164", + "title": "Covers for enclosed cable reticulation systems", "parts": [ { - "id": "control-0289-stmt", + "id": "control-1164-stmt", "name": "statement", - "prose": "Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation." + "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." } ] }, { - "id": "control-0290", - "title": "Installation and configuration of evaluated products", + "id": "control-0195", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-0290-stmt", + "id": "control-0195-stmt", "name": "statement", - "prose": "High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC." + "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on cable reticulation systems." 
} ] }, { - "id": "control-0292", - "title": "Use of high assurance ICT equipment in unevaluated configurations", + "id": "control-0194", + "title": "Sealing cable reticulation systems and conduits", "parts": [ { - "id": "control-0292-stmt", + "id": "control-0194-stmt", "name": "statement", - "prose": "High assurance ICT equipment is only operated in an evaluated configuration." + "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_networking", - "title": "Guidelines for Networking", - "groups": [ - { - "id": "service_continuity_for_online_services", - "title": "Service continuity for online services", - "controls": [ + }, { - "id": "control-1437", - "title": "Cloud-based hosting of online services", + "id": "control-0201", + "title": "Labelling conduits", "parts": [ { - "id": "control-1437-stmt", + "id": "control-0201-stmt", "name": "statement", - "prose": "A cloud service provider is used for hosting online services." + "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as ‘TS RUN’." } ] }, { - "id": "control-1578", - "title": "Location policies for online services", + "id": "control-1115", + "title": "Cables in walls", "parts": [ { - "id": "control-1578-stmt", + "id": "control-1115-stmt", "name": "statement", - "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." + "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." 
} ] }, { - "id": "control-1579", - "title": "Availability planning and monitoring for online services", + "id": "control-1133", + "title": "Cables in party walls", "parts": [ { - "id": "control-1579-stmt", + "id": "control-1133-stmt", "name": "statement", - "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." + "prose": "In shared non-government facilities, cables are not run in party walls." } ] }, { - "id": "control-1580", - "title": "Availability planning and monitoring for online services", + "id": "control-1122", + "title": "Wall penetrations", "parts": [ { - "id": "control-1580-stmt", + "id": "control-1122-stmt", "name": "statement", - "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." + "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." } ] }, { - "id": "control-1441", - "title": "Availability planning and monitoring for online services", + "id": "control-1134", + "title": "Wall penetrations", "parts": [ { - "id": "control-1441-stmt", + "id": "control-1134-stmt", "name": "statement", - "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." + "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." 
} ] }, { - "id": "control-1581", - "title": "Availability planning and monitoring for online services", + "id": "control-1104", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1581-stmt", + "id": "control-1104-stmt", "name": "statement", - "prose": "Organisations perform continuous real-time monitoring of the availability of online services." + "prose": "Wall outlet boxes have connectors on opposite sides of the wall outlet box if the cable group contains cables belonging to different classifications." } ] }, { - "id": "control-1438", - "title": "Using content delivery networks", + "id": "control-1105", + "title": "Wall outlet boxes", "parts": [ { - "id": "control-1438-stmt", + "id": "control-1105-stmt", "name": "statement", - "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." + "prose": "Different cables groups do not share a wall outlet box." } ] }, { - "id": "control-1439", - "title": "Using content delivery networks", + "id": "control-1095", + "title": "Labelling wall outlet boxes", "parts": [ { - "id": "control-1439-stmt", + "id": "control-1095-stmt", "name": "statement", - "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." + "prose": "Wall outlet boxes denote the classifications, cable identifiers and wall outlet box identifier." 
} ] }, { - "id": "control-1431", - "title": "Denial of service strategies", + "id": "control-1107", + "title": "Wall outlet box colours", "parts": [ { - "id": "control-1431-stmt", + "id": "control-1107-stmt", "name": "statement", - "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." + "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." } ] }, { - "id": "control-1458", - "title": "Denial of service strategies", + "id": "control-1109", + "title": "Wall outlet box covers", "parts": [ { - "id": "control-1458-stmt", + "id": "control-1109-stmt", "name": "statement", - "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." + "prose": "Wall outlet box covers are clear plastic." } ] }, { - "id": "control-1432", - "title": "Domain name registrar locking", + "id": "control-0218", + "title": "Fly lead installation", "parts": [ { - "id": "control-1432-stmt", + "id": "control-0218-stmt", "name": "statement", - "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." 
+ "prose": "If fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box’s identifier." } ] }, { - "id": "control-1435", - "title": "Monitoring with real-time alerting for online services", + "id": "control-1102", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1435-stmt", + "id": "control-1102-stmt", "name": "statement", - "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." + "prose": "In non-TOP SECRET areas, cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1436", - "title": "Segregation of critical online services", + "id": "control-1101", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1436-stmt", + "id": "control-1101-stmt", "name": "statement", - "prose": "Critical online services are segregated from other online services that are more likely to be targeted." + "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." } ] }, { - "id": "control-1518", - "title": "Preparing for service continuity", + "id": "control-1103", + "title": "Connecting cable reticulation systems to cabinets", "parts": [ { - "id": "control-1518-stmt", + "id": "control-1103-stmt", "name": "statement", - "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." 
+ "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." } ] - } - ] - }, - { - "id": "wireless_networks", - "title": "Wireless networks", - "controls": [ + }, { - "id": "control-1314", - "title": "Choosing wireless devices", + "id": "control-1098", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-1314-stmt", + "id": "control-1098-stmt", "name": "statement", - "prose": "All wireless devices are Wi-Fi Alliance certified." + "prose": "Cables are terminated in individual cabinets; or for small systems, one cabinet with a division plate to delineate cable groups." } ] }, { - "id": "control-0536", - "title": "Wireless networks for public access", + "id": "control-1100", + "title": "Terminating cables in cabinets", "parts": [ { - "id": "control-0536-stmt", + "id": "control-1100-stmt", "name": "statement", - "prose": "Wireless networks provided for the general public to access are segregated from all other networks." + "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." } ] }, { - "id": "control-1315", - "title": "Administrative interfaces for wireless access points", + "id": "control-0213", + "title": "Terminating cable groups on patch panels", "parts": [ { - "id": "control-1315-stmt", + "id": "control-0213-stmt", "name": "statement", - "prose": "The administrative interface on wireless access points is disabled for wireless network connections." + "prose": "Different cable groups do not terminate on the same patch panel." } ] }, { - "id": "control-1316", - "title": "Default settings", + "id": "control-1116", + "title": "Physical separation of cabinets and patch panels", "parts": [ { - "id": "control-1316-stmt", + "id": "control-1116-stmt", "name": "statement", - "prose": "The default SSID of wireless access points is changed." 
+ "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." } ] }, { - "id": "control-1317", - "title": "Default settings", + "id": "control-0216", + "title": "Physical separation of cabinets and patch panels", "parts": [ { - "id": "control-1317-stmt", + "id": "control-0216-stmt", "name": "statement", - "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." + "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." } ] }, { - "id": "control-1318", - "title": "Default settings", + "id": "control-0217", + "title": "Physical separation of cabinets and patch panels", "parts": [ { - "id": "control-1318-stmt", + "id": "control-0217-stmt", "name": "statement", - "prose": "SSID broadcasting is enabled on wireless networks." + "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." } ] }, { - "id": "control-1709", - "title": "Default settings", + "id": "control-0198", + "title": "Audio secure spaces", "parts": [ { - "id": "control-1709-stmt", + "id": "control-0198-stmt", "name": "statement", - "prose": "Default accounts and passphrases of wireless devices are changed." + "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." 
} ] }, { - "id": "control-1710", - "title": "Default settings", + "id": "control-1123", + "title": "Power reticulation", "parts": [ { - "id": "control-1710-stmt", + "id": "control-1123-stmt", "name": "statement", - "prose": "Configuration settings for wireless devices are hardened." + "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] }, { - "id": "control-1319", - "title": "Static addressing", + "id": "control-1135", + "title": "Power reticulation", "parts": [ { - "id": "control-1319-stmt", + "id": "control-1135-stmt", "name": "statement", - "prose": "Static addressing is not used for assigning IP addresses on wireless networks." + "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_outsourcing", + "title": "Guidelines for Outsourcing", + "groups": [ + { + "id": "information_technology_and_cloud_services", + "title": "Information technology and cloud services", + "controls": [ { - "id": "control-1320", - "title": "Media Access Control address filtering", + "id": "control-1631", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1320-stmt", + "id": "control-1631-stmt", "name": "statement", - "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." + "prose": "Components and services relevant to the security of systems are identified and understood." 
} ] }, { - "id": "control-1332", - "title": "Confidentiality and integrity of wireless network traffic", + "id": "control-1452", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1332-stmt", + "id": "control-1452-stmt", "name": "statement", - "prose": "WPA3-Enterprise 192-bit mode is used to protect the confidentiality and integrity of all wireless network traffic." + "prose": "Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk." } ] }, { - "id": "control-1321", - "title": "802.1X authentication", + "id": "control-1567", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1321-stmt", + "id": "control-1567-stmt", "name": "statement", - "prose": "802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication; with all other EAP methods disabled on supplications and authentication servers." + "prose": "Suppliers and service providers identified as high risk are not used." } ] }, { - "id": "control-1711", - "title": "802.1X authentication", + "id": "control-1568", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1711-stmt", + "id": "control-1568-stmt", "name": "statement", - "prose": "User identity confidentiality is used if available with EAP-TLS implementations." + "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices." 
} ] }, { - "id": "control-1322", - "title": "Evaluation of 802.1X authentication implementation", + "id": "control-1632", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1322-stmt", + "id": "control-1632-stmt", "name": "statement", - "prose": "Evaluated supplicants, authenticators, wireless access points and authentication servers are used in wireless networks." + "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains." } ] }, { - "id": "control-1324", - "title": "Generating and issuing certificates for authentication", + "id": "control-1569", + "title": "Cyber supply chain risk management", "parts": [ { - "id": "control-1324-stmt", + "id": "control-1569-stmt", "name": "statement", - "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." + "prose": "A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party." } ] }, { - "id": "control-1323", - "title": "Generating and issuing certificates for authentication", + "id": "control-0100", + "title": "Outsourced gateway services", "parts": [ { - "id": "control-1323-stmt", + "id": "control-0100-stmt", "name": "statement", - "prose": "Certificates are required for both devices and users accessing wireless networks." + "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Infosec Registered Assessors Program (IRAP) assessors at least every 24 months." 
} ] }, { - "id": "control-1327", - "title": "Generating and issuing certificates for authentication", + "id": "control-1637", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1327-stmt", + "id": "control-1637-stmt", "name": "statement", - "prose": "Certificates are protected by encryption, user authentication, and both logical and physical access controls." + "prose": "An outsourced cloud services register is maintained and regularly audited." } ] }, { - "id": "control-1330", - "title": "Caching 802.1X authentication outcomes", + "id": "control-1638", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1330-stmt", + "id": "control-1638-stmt", "name": "statement", - "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." + "prose": "An outsourced cloud services register contains the following for each outsourced cloud service:\n• cloud service provider’s name\n• cloud service’s name\n• purpose for using the cloud service\n• sensitivity or classification of data involved\n• due date for the next security assessment of the cloud service\n• point of contact for users of the cloud service\n• point of contact for the cloud service provider." } ] }, { - "id": "control-1712", - "title": "Fast Basic Service Set Transition", + "id": "control-1570", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1712-stmt", + "id": "control-1570-stmt", "name": "statement", - "prose": "The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an AACP." + "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." 
} ] }, { - "id": "control-1454", - "title": "Remote Authentication Dial-In User Service authentication", + "id": "control-1529", + "title": "Outsourced cloud services", "parts": [ { - "id": "control-1454-stmt", + "id": "control-1529-stmt", "name": "statement", - "prose": "Communications between authenticators and a RADIUS server are encapsulated with an additional layer of encryption using RADIUS over IPsec or RADIUS over TLS." + "prose": "Only community or private clouds are used for outsourced cloud services." } ] }, { - "id": "control-1334", - "title": "Interference between wireless networks", + "id": "control-1395", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1334-stmt", + "id": "control-1395-stmt", "name": "statement", - "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." + "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified data entrusted to them or their services." } ] }, { - "id": "control-1335", - "title": "Protecting management frames on wireless networks", + "id": "control-0072", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1335-stmt", + "id": "control-0072-stmt", "name": "statement", - "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." + "prose": "Security requirements associated with the confidentiality, integrity and availability of data entrusted to a service provider are documented in contractual arrangements." 
} ] }, { - "id": "control-1338", - "title": "Wireless network footprint", + "id": "control-1571", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1338-stmt", + "id": "control-1571-stmt", "name": "statement", - "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." + "prose": "The right to audit security controls associated with the protection of data and services is specified in contractual arrangements." } ] }, { - "id": "control-1013", - "title": "Wireless network footprint", + "id": "control-1451", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1013-stmt", + "id": "control-1451-stmt", "name": "statement", - "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." + "prose": "Types of data and its ownership is documented in contractual arrangements." } ] - } - ] - }, - { - "id": "network_design_and_configuration", - "title": "Network design and configuration", - "controls": [ + }, { - "id": "control-0516", - "title": "Network documentation", + "id": "control-1572", + "title": "Contractual security requirements", "parts": [ { - "id": "control-0516-stmt", + "id": "control-1572-stmt", "name": "statement", - "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." + "prose": "The regions or availability zones where data will be processed, stored and communicated is documented in contractual arrangements." 
} ] }, { - "id": "control-0518", - "title": "Network documentation", + "id": "control-1573", + "title": "Contractual security requirements", "parts": [ { - "id": "control-0518-stmt", + "id": "control-1573-stmt", "name": "statement", - "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." + "prose": "Access to all logs relating to an organisation’s data and services are specified in contractual arrangements." } ] }, { - "id": "control-1178", - "title": "Network documentation", + "id": "control-1574", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1178-stmt", + "id": "control-1574-stmt", "name": "statement", - "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." + "prose": "Data entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of data." } ] }, { - "id": "control-1181", - "title": "Network segmentation and segregation", + "id": "control-1575", + "title": "Contractual security requirements", "parts": [ { - "id": "control-1181-stmt", + "id": "control-1575-stmt", "name": "statement", - "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of data or services." + "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." 
} ] }, { - "id": "control-1577", - "title": "Network segmentation and segregation", + "id": "control-1073", + "title": "Access to systems and data by service providers", "parts": [ { - "id": "control-1577-stmt", + "id": "control-1073-stmt", "name": "statement", - "prose": "Organisation networks are segregated from service provider networks." + "prose": "An organisation’s systems and data are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." } ] }, { - "id": "control-1532", - "title": "Using Virtual Local Area Networks", + "id": "control-1576", + "title": "Access to systems and data by service providers", "parts": [ { - "id": "control-1532-stmt", + "id": "control-1576-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." + "prose": "If an organisation’s systems or data are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_hardening", + "title": "Guidelines for System Hardening", + "groups": [ + { + "id": "application_hardening", + "title": "Application hardening", + "controls": [ { - "id": "control-0529", - "title": "Using Virtual Local Area Networks", + "id": "control-0938", + "title": "Application selection", "parts": [ { - "id": "control-0529-stmt", + "id": "control-0938-stmt", "name": "statement", - "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." + "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." 
} ] }, { - "id": "control-1364", - "title": "Using Virtual Local Area Networks", + "id": "control-1467", + "title": "Application versions", "parts": [ { - "id": "control-1364-stmt", + "id": "control-1467-stmt", "name": "statement", - "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." + "prose": "The latest releases of office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are used when present within SOEs." } ] }, { - "id": "control-0535", - "title": "Using Virtual Local Area Networks", + "id": "control-1483", + "title": "Application versions", "parts": [ { - "id": "control-0535-stmt", + "id": "control-1483-stmt", "name": "statement", - "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." + "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." } ] }, { - "id": "control-0530", - "title": "Using Virtual Local Area Networks", + "id": "control-1486", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0530-stmt", + "id": "control-1486-stmt", "name": "statement", - "prose": "Network devices implementing VLANs are managed from the most trusted network." + "prose": "Web browsers do not process Java from the internet." } ] }, { - "id": "control-0521", - "title": "Using Internet Protocol version 6", + "id": "control-1485", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0521-stmt", + "id": "control-1485-stmt", "name": "statement", - "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." + "prose": "Web browsers do not process web advertisements from the internet." 
} ] }, { - "id": "control-1186", - "title": "Using Internet Protocol version 6", + "id": "control-1666", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1186-stmt", + "id": "control-1666-stmt", "name": "statement", - "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." + "prose": "Internet Explorer 11 does not process content from the internet." } ] }, { - "id": "control-1428", - "title": "Using Internet Protocol version 6", + "id": "control-1667", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1428-stmt", + "id": "control-1667-stmt", "name": "statement", - "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." + "prose": "Microsoft Office is blocked from creating child processes." } ] }, { - "id": "control-1429", - "title": "Using Internet Protocol version 6", + "id": "control-1668", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1429-stmt", + "id": "control-1668-stmt", "name": "statement", - "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." + "prose": "Microsoft Office is blocked from creating executable content." } ] }, { - "id": "control-1430", - "title": "Using Internet Protocol version 6", + "id": "control-1669", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1430-stmt", + "id": "control-1669-stmt", "name": "statement", - "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease data stored in a centralised logging facility." + "prose": "Microsoft Office is blocked from injecting code into other processes." 
} ] }, { - "id": "control-0520", - "title": "Network access controls", + "id": "control-1542", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0520-stmt", + "id": "control-1542-stmt", "name": "statement", - "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." + "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." } ] }, { - "id": "control-1182", - "title": "Network access controls", + "id": "control-1670", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1182-stmt", + "id": "control-1670-stmt", "name": "statement", - "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." + "prose": "PDF software is blocked from creating child processes." } ] }, { - "id": "control-1301", - "title": "Network device register", + "id": "control-1412", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1301-stmt", + "id": "control-1412-stmt", "name": "statement", - "prose": "A network device register is maintained and regularly audited." + "prose": "ACSC or vendor hardening guidance for web browsers, Microsoft Office and PDF software is implemented." } ] }, { - "id": "control-1304", - "title": "Default accounts for network devices", + "id": "control-1470", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1304-stmt", + "id": "control-1470-stmt", "name": "statement", - "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." + "prose": "Any unrequired functionality in web browsers, Microsoft Office and PDF software is disabled." 
} ] }, { - "id": "control-0534", - "title": "Disabling unused physical ports on network devices", + "id": "control-1235", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0534-stmt", + "id": "control-1235-stmt", "name": "statement", - "prose": "Unused physical ports on network devices are disabled." + "prose": "The use of web browser, Microsoft Office and PDF software add-ons is restricted to organisation approved add-ons." } ] }, { - "id": "control-0385", - "title": "Functional separation between servers", + "id": "control-1601", + "title": "Hardening application configurations", "parts": [ { - "id": "control-0385-stmt", + "id": "control-1601-stmt", "name": "statement", - "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." + "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." } ] }, { - "id": "control-1479", - "title": "Functional separation between servers", + "id": "control-1585", + "title": "Hardening application configurations", "parts": [ { - "id": "control-1479-stmt", + "id": "control-1585-stmt", "name": "statement", - "prose": "Servers minimise communications with other servers at both the network and file system level." + "prose": "Web browsers, Microsoft Office and PDF software security settings cannot be changed by users." } ] }, { - "id": "control-1006", - "title": "Management traffic", + "id": "control-1671", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1006-stmt", + "id": "control-1671-stmt", "name": "statement", - "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." + "prose": "Microsoft Office macros are disabled for users that do not have a demonstrated business requirement." 
} ] }, { - "id": "control-1311", - "title": "Use of Simple Network Management Protocol", + "id": "control-1488", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1311-stmt", + "id": "control-1488-stmt", "name": "statement", - "prose": "SNMP version 1 and 2 are not used on networks." + "prose": "Microsoft Office macros in files originating from the internet are blocked." } ] }, { - "id": "control-1312", - "title": "Use of Simple Network Management Protocol", + "id": "control-1672", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1312-stmt", + "id": "control-1672-stmt", "name": "statement", - "prose": "All default SNMP community strings on network devices are changed and have write access disabled." + "prose": "Microsoft Office macro antivirus scanning is enabled." } ] }, { - "id": "control-1028", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1673", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1028-stmt", + "id": "control-1673-stmt", "name": "statement", - "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." + "prose": "Microsoft Office macros are blocked from making Win32 API calls." } ] }, { - "id": "control-1030", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1674", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1030-stmt", + "id": "control-1674-stmt", "name": "statement", - "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any data flows that contravene any rule in firewall rule sets." + "prose": "Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute." 
} ] }, { - "id": "control-1185", - "title": "Using Network-based Intrusion Detection and Prevention Systems", + "id": "control-1487", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1185-stmt", + "id": "control-1487-stmt", "name": "statement", - "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." + "prose": "Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations." } ] }, { - "id": "control-1627", - "title": "Blocking anonymity network traffic", + "id": "control-1675", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1627-stmt", + "id": "control-1675-stmt", "name": "statement", - "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." + "prose": "Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View." } ] }, { - "id": "control-1628", - "title": "Blocking anonymity network traffic", + "id": "control-1676", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1628-stmt", + "id": "control-1676-stmt", "name": "statement", - "prose": "Outbound network connections to anonymity networks are blocked." + "prose": "Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_software_development", - "title": "Guidelines for Software Development", - "groups": [ - { - "id": "web_application_development", - "title": "Web application development", - "controls": [ + }, { - "id": "control-1239", - "title": "Web application frameworks", + "id": "control-1489", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1239-stmt", + "id": "control-1489-stmt", "name": "statement", - "prose": "Robust web application frameworks are used to aid in the development of secure web applications." + "prose": "Microsoft Office macro security settings cannot be changed by users." } ] }, { - "id": "control-1552", - "title": "Web application interactions", + "id": "control-1677", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1552-stmt", + "id": "control-1677-stmt", "name": "statement", - "prose": "All web application content is offered exclusively using HTTPS." + "prose": "Allowed and blocked Microsoft Office macro executions are logged." } ] }, { - "id": "control-1240", - "title": "Web application input handling", + "id": "control-1678", + "title": "Microsoft Office macros", "parts": [ { - "id": "control-1240-stmt", + "id": "control-1678-stmt", "name": "statement", - "prose": "Validation and/or sanitisation is performed on all input handled by a web application." + "prose": "Microsoft Office macro event logs are logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." 
} ] - }, + } + ] + }, + { + "id": "operating_system_hardening", + "title": "Operating system hardening", + "controls": [ { - "id": "control-1241", - "title": "Web application output encoding", + "id": "control-1406", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-1241-stmt", + "id": "control-1406-stmt", "name": "statement", - "prose": "Output encoding is performed on all output produced by a web application." + "prose": "SOEs are used for workstations and servers." } ] }, { - "id": "control-1424", - "title": "Web browser-based security controls", + "id": "control-1608", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-1424-stmt", + "id": "control-1608-stmt", "name": "statement", - "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." + "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." } ] }, { - "id": "control-0971", - "title": "Open Web Application Security Project", + "id": "control-1588", + "title": "Standard Operating Environments", "parts": [ { - "id": "control-0971-stmt", + "id": "control-1588-stmt", "name": "statement", - "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." + "prose": "SOEs are reviewed and updated at least annually." } ] - } - ] - }, - { - "id": "application_development", - "title": "Application development", - "controls": [ + }, { - "id": "control-0400", - "title": "Development environments", + "id": "control-1407", + "title": "Operating system releases and versions", "parts": [ { - "id": "control-0400-stmt", + "id": "control-1407-stmt", "name": "statement", - "prose": "Development, testing and production environments are segregated." + "prose": "The latest release, or the previous release, of operating systems are used for workstations, servers and network devices." 
} ] }, { - "id": "control-1419", - "title": "Development environments", + "id": "control-1408", + "title": "Operating system releases and versions", "parts": [ { - "id": "control-1419-stmt", + "id": "control-1408-stmt", "name": "statement", - "prose": "Development and modification of software only takes place in development environments." + "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." } ] }, { - "id": "control-1420", - "title": "Development environments", + "id": "control-1409", + "title": "Operating system configuration", "parts": [ { - "id": "control-1420-stmt", + "id": "control-1409-stmt", "name": "statement", - "prose": "Data in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." + "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." } ] }, { - "id": "control-1422", - "title": "Development environments", + "id": "control-0383", + "title": "Operating system configuration", "parts": [ { - "id": "control-1422-stmt", + "id": "control-0383-stmt", "name": "statement", - "prose": "Unauthorised access to the authoritative source for software is prevented." + "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." } ] }, { - "id": "control-1238", - "title": "Secure software design", + "id": "control-0380", + "title": "Operating system configuration", "parts": [ { - "id": "control-1238-stmt", + "id": "control-0380-stmt", "name": "statement", - "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." + "prose": "Unneeded operating system accounts, software, components, services and functionality are disabled or removed." 
} ] }, { - "id": "control-0401", - "title": "Secure programming practices", + "id": "control-1654", + "title": "Operating system configuration", "parts": [ { - "id": "control-0401-stmt", + "id": "control-1654-stmt", "name": "statement", - "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." + "prose": "Internet Explorer 11 is disabled or removed." } ] }, { - "id": "control-0402", - "title": "Software testing", + "id": "control-1655", + "title": "Operating system configuration", "parts": [ { - "id": "control-0402-stmt", + "id": "control-1655-stmt", "name": "statement", - "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." + "prose": ".NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed." } ] }, { - "id": "control-1616", - "title": "Vulnerability disclosure program", + "id": "control-1584", + "title": "Operating system configuration", "parts": [ { - "id": "control-1616-stmt", + "id": "control-1584-stmt", "name": "statement", - "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." + "prose": "Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_systems", - "title": "Guidelines for Communications Systems", - "groups": [ - { - "id": "video_conferencing_and_internet_protocol_telephony", - "title": "Video conferencing and Internet Protocol telephony", - "controls": [ + }, { - "id": "control-1562", - "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", + "id": "control-1491", + "title": "Operating system configuration", "parts": [ { - "id": "control-1562-stmt", + "id": "control-1491-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony infrastructure is hardened." + "prose": "Unprivileged users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe)\n• Microsoft HTML Application Host (mshta.exe)." } ] }, { - "id": "control-0546", - "title": "Video and voice-aware firewalls", + "id": "control-1410", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0546-stmt", + "id": "control-1410-stmt", "name": "statement", - "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." + "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." } ] }, { - "id": "control-0547", - "title": "Protecting video conferencing and Internet Protocol telephony traffic", + "id": "control-1469", + "title": "Local administrator accounts", "parts": [ { - "id": "control-0547-stmt", + "id": "control-1469-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony signalling and data is encrypted." 
+ "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." } ] }, { - "id": "control-0548", - "title": "Establishment of secure signalling and data protocols", + "id": "control-1592", + "title": "Application management", "parts": [ { - "id": "control-0548-stmt", + "id": "control-1592-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." + "prose": "Users do not have the ability to install unapproved software." } ] }, { - "id": "control-0554", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-0382", + "title": "Application management", "parts": [ { - "id": "control-0554-stmt", + "id": "control-0382-stmt", "name": "statement", - "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." + "prose": "Users do not have the ability to uninstall or disable approved software." } ] }, { - "id": "control-0553", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-0843", + "title": "Application control", "parts": [ { - "id": "control-0553-stmt", + "id": "control-0843-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." + "prose": "Application control is implemented on workstations." 
} ] }, { - "id": "control-0555", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1490", + "title": "Application control", "parts": [ { - "id": "control-0555-stmt", + "id": "control-1490-stmt", "name": "statement", - "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." + "prose": "Application control is implemented on internet-facing servers." } ] }, { - "id": "control-0551", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1656", + "title": "Application control", "parts": [ { - "id": "control-0551-stmt", + "id": "control-1656-stmt", "name": "statement", - "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." + "prose": "Application control is implemented on non-internet-facing servers." } ] }, { - "id": "control-1014", - "title": "Video conferencing unit and Internet Protocol phone authentication", + "id": "control-1657", + "title": "Application control", "parts": [ { - "id": "control-1014-stmt", + "id": "control-1657-stmt", "name": "statement", - "prose": "Individual logins are used for IP phones." + "prose": "Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set." 
} ] }, { - "id": "control-0549", - "title": "Traffic separation", + "id": "control-1658", + "title": "Application control", "parts": [ { - "id": "control-0549-stmt", + "id": "control-1658-stmt", "name": "statement", - "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." + "prose": "Application control restricts the execution of drivers to an organisation-approved set." } ] }, { - "id": "control-0556", - "title": "Traffic separation", + "id": "control-0955", + "title": "Application control", "parts": [ { - "id": "control-0556-stmt", + "id": "control-0955-stmt", "name": "statement", - "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." + "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." } ] }, { - "id": "control-1015", - "title": "Internet Protocol phones in public areas", + "id": "control-1582", + "title": "Application control", "parts": [ { - "id": "control-1015-stmt", + "id": "control-1582-stmt", "name": "statement", - "prose": "Traditional analog phones are used in public areas." + "prose": "Application control rulesets are validated on an annual or more frequent basis." } ] }, { - "id": "control-0558", - "title": "Internet Protocol phones in public areas", + "id": "control-1471", + "title": "Application control", "parts": [ { - "id": "control-0558-stmt", + "id": "control-1471-stmt", "name": "statement", - "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." + "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." 
} ] }, { - "id": "control-0559", - "title": "Microphones and webcams", + "id": "control-1392", + "title": "Application control", "parts": [ { - "id": "control-0559-stmt", + "id": "control-1392-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." + "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." } ] }, { - "id": "control-1450", - "title": "Microphones and webcams", + "id": "control-1544", + "title": "Application control", "parts": [ { - "id": "control-1450-stmt", + "id": "control-1544-stmt", "name": "statement", - "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." + "prose": "Microsoft’s ‘recommended block rules’ are implemented." } ] }, { - "id": "control-1019", - "title": "Developing a denial of service response plan", + "id": "control-1659", + "title": "Application control", "parts": [ { - "id": "control-1019-stmt", + "id": "control-1659-stmt", "name": "statement", - "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." + "prose": "Microsoft’s ‘recommended driver block rules’ are implemented." 
} ] - } - ] - }, - { - "id": "telephone_systems", - "title": "Telephone systems", - "controls": [ + }, { - "id": "control-1078", - "title": "Telephone systems usage policy", + "id": "control-0846", + "title": "Application control", "parts": [ { - "id": "control-1078-stmt", + "id": "control-0846-stmt", "name": "statement", - "prose": "A telephone systems usage policy is developed and implemented." + "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." } ] }, { - "id": "control-0229", - "title": "Personnel awareness", + "id": "control-1660", + "title": "Application control", "parts": [ { - "id": "control-0229-stmt", + "id": "control-1660-stmt", "name": "statement", - "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." + "prose": "Allowed and blocked executions on workstations are logged." } ] }, { - "id": "control-0230", - "title": "Personnel awareness", + "id": "control-1661", + "title": "Application control", "parts": [ { - "id": "control-0230-stmt", + "id": "control-1661-stmt", "name": "statement", - "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." + "prose": "Allowed and blocked executions on internet-facing servers are logged." } ] }, { - "id": "control-0231", - "title": "Visual indication", + "id": "control-1662", + "title": "Application control", "parts": [ { - "id": "control-0231-stmt", + "id": "control-1662-stmt", "name": "statement", - "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." + "prose": "Allowed and blocked executions on non-internet facing servers are logged." 
} ] }, { - "id": "control-0232", - "title": "Protecting conversations", + "id": "control-0957", + "title": "Application control", "parts": [ { - "id": "control-0232-stmt", + "id": "control-0957-stmt", "name": "statement", - "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." + "prose": "Application control event logs including the name of the file, the date/time stamp and the username of the user associated with the event." } ] }, { - "id": "control-0233", - "title": "Cordless telephone systems", + "id": "control-1663", + "title": "Application control", "parts": [ { - "id": "control-0233-stmt", + "id": "control-1663-stmt", "name": "statement", - "prose": "Cordless telephone systems are not used for sensitive or classified conversations." + "prose": "Application control event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." } ] }, { - "id": "control-0235", - "title": "Speakerphones", + "id": "control-1492", + "title": "Exploit protection", "parts": [ { - "id": "control-0235-stmt", + "id": "control-1492-stmt", "name": "statement", - "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." + "prose": "Microsoft’s exploit protection functionality is implemented on workstations and servers." } ] }, { - "id": "control-0236", - "title": "Off-hook audio protection", + "id": "control-1621", + "title": "PowerShell", "parts": [ { - "id": "control-0236-stmt", + "id": "control-1621-stmt", "name": "statement", - "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." 
+ "prose": "Windows PowerShell 2.0 is disabled or removed." } ] }, { - "id": "control-0931", - "title": "Off-hook audio protection", + "id": "control-1622", + "title": "PowerShell", "parts": [ { - "id": "control-0931-stmt", + "id": "control-1622-stmt", "name": "statement", - "prose": "In SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of SECRET information." + "prose": "PowerShell is configured to use Constrained Language Mode." } ] }, { - "id": "control-0237", - "title": "Off-hook audio protection", + "id": "control-1623", + "title": "PowerShell", "parts": [ { - "id": "control-0237-stmt", + "id": "control-1623-stmt", "name": "statement", - "prose": "In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." + "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." } ] - } - ] - }, - { - "id": "fax_machines_and_multifunction_devices", - "title": "Fax machines and multifunction devices", - "controls": [ + }, { - "id": "control-0588", - "title": "Fax machine and multifunction device usage policy", + "id": "control-1624", + "title": "PowerShell", "parts": [ { - "id": "control-0588-stmt", + "id": "control-1624-stmt", "name": "statement", - "prose": "A fax machine and MFD usage policy is developed and implemented." + "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." } ] }, { - "id": "control-1092", - "title": "Sending fax messages", + "id": "control-1664", + "title": "PowerShell", "parts": [ { - "id": "control-1092-stmt", + "id": "control-1664-stmt", "name": "statement", - "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." + "prose": "Blocked PowerShell script executions are logged." 
} ] }, { - "id": "control-0241", - "title": "Sending fax messages", + "id": "control-1665", + "title": "PowerShell", "parts": [ { - "id": "control-0241-stmt", + "id": "control-1665-stmt", "name": "statement", - "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." + "prose": "PowerShell event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." } ] }, { - "id": "control-1075", - "title": "Receiving fax messages", + "id": "control-1341", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-1075-stmt", + "id": "control-1341-stmt", "name": "statement", - "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." + "prose": "A HIPS is implemented on workstations." } ] }, { - "id": "control-0590", - "title": "Connecting multifunction devices to networks", + "id": "control-1034", + "title": "Host-based Intrusion Prevention System", "parts": [ { - "id": "control-0590-stmt", + "id": "control-1034-stmt", "name": "statement", - "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." + "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." 
} ] }, { - "id": "control-0245", - "title": "Connecting multifunction devices to both networks and digital telephone systems", + "id": "control-1416", + "title": "Software firewall", "parts": [ { - "id": "control-0245-stmt", + "id": "control-1416-stmt", "name": "statement", - "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." + "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." } ] }, { - "id": "control-0589", - "title": "Copying documents on multifunction devices", + "id": "control-1417", + "title": "Antivirus software", "parts": [ { - "id": "control-0589-stmt", + "id": "control-1417-stmt", "name": "statement", - "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." + "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• ransomware protection measures enabled\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." } ] }, { - "id": "control-1036", - "title": "Observing fax machine and multifunction device use", + "id": "control-1390", + "title": "Antivirus software", "parts": [ { - "id": "control-1036-stmt", + "id": "control-1390-stmt", "name": "statement", - "prose": "Fax machines and MFDs are located in areas where their use can be observed." + "prose": "Antivirus software has reputation rating functionality enabled." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_database_systems", - "title": "Guidelines for Database Systems", - "groups": [ - { - "id": "database_servers", - "title": "Database servers", - "controls": [ + }, { - "id": "control-1425", - "title": "Protecting database server contents", + "id": "control-1418", + "title": "Device access control software", "parts": [ { - "id": "control-1425-stmt", + "id": "control-1418-stmt", "name": "statement", - "prose": "Hard disks of database servers are encrypted using full disk encryption." + "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." } ] }, { - "id": "control-1269", - "title": "Functional separation between database servers and web servers", + "id": "control-0345", + "title": "Device access control software", "parts": [ { - "id": "control-1269-stmt", + "id": "control-0345-stmt", "name": "statement", - "prose": "Database servers and web servers are functionally separated, physically or virtually." + "prose": "External interfaces of workstations and servers that allow DMA are disabled." } ] - }, + } + ] + }, + { + "id": "authentication_hardening", + "title": "Authentication hardening", + "controls": [ { - "id": "control-1277", - "title": "Communications between database servers and web servers", + "id": "control-1546", + "title": "Authenticating to systems", "parts": [ { - "id": "control-1277-stmt", + "id": "control-1546-stmt", "name": "statement", - "prose": "Data communicated between database servers and web applications is encrypted." + "prose": "Users are authenticated before they are granted access to a system and its resources." 
} ] }, { - "id": "control-1270", - "title": "Network environment", + "id": "control-0974", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1270-stmt", + "id": "control-0974-stmt", "name": "statement", - "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." + "prose": "Multi-factor authentication is used to authenticate unprivileged users of systems." } ] }, { - "id": "control-1271", - "title": "Network environment", + "id": "control-1173", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1271-stmt", + "id": "control-1173-stmt", "name": "statement", - "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." + "prose": "Multi-factor authentication is used to authenticate privileged users of systems." } ] }, { - "id": "control-1272", - "title": "Network environment", + "id": "control-1504", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1272-stmt", + "id": "control-1504-stmt", "name": "statement", - "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." + "prose": "Multi-factor authentication is used by an organisation’s users if they authenticate to their organisation’s internet-facing services." } ] }, { - "id": "control-1273", - "title": "Separation of production, test and development database servers", + "id": "control-1679", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1273-stmt", + "id": "control-1679-stmt", "name": "statement", - "prose": "Test and development environments do not use the same database servers as production environments." 
+ "prose": "Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data." } ] - } - ] - }, - { - "id": "database_management_system_software", - "title": "Database management system software", - "controls": [ + }, { - "id": "control-1245", - "title": "Temporary installation files and logs", + "id": "control-1680", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1245-stmt", + "id": "control-1680-stmt", "name": "statement", - "prose": "All temporary installation files and logs are removed after DBMS software has been installed." + "prose": "Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data." } ] }, { - "id": "control-1246", - "title": "Hardening and configuration", + "id": "control-1681", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1246-stmt", + "id": "control-1681-stmt", "name": "statement", - "prose": "DBMS software is configured according to vendor guidance." + "prose": "Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services." } ] }, { - "id": "control-1247", - "title": "Hardening and configuration", + "id": "control-1505", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1247-stmt", + "id": "control-1505-stmt", "name": "statement", - "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." + "prose": "Multi-factor authentication is used to authenticate users accessing important data repositories." 
} ] }, { - "id": "control-1249", - "title": "Restricting privileges", + "id": "control-1401", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1249-stmt", + "id": "control-1401-stmt", "name": "statement", - "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." + "prose": "Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are." } ] }, { - "id": "control-1250", - "title": "Restricting privileges", + "id": "control-1682", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1250-stmt", + "id": "control-1682-stmt", "name": "statement", - "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." + "prose": "Multi-factor authentication is verifier impersonation resistant." } ] }, { - "id": "control-1251", - "title": "Restricting privileges", + "id": "control-1559", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1251-stmt", + "id": "control-1559-stmt", "name": "statement", - "prose": "The ability of DBMS software to read local files from a server is disabled." + "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." } ] }, { - "id": "control-1260", - "title": "Database administrator accounts", + "id": "control-1560", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1260-stmt", + "id": "control-1560-stmt", "name": "statement", - "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." + "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." 
} ] }, { - "id": "control-1262", - "title": "Database administrator accounts", + "id": "control-1561", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1262-stmt", + "id": "control-1561-stmt", "name": "statement", - "prose": "Database administrators have unique and identifiable accounts." + "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." } ] }, { - "id": "control-1261", - "title": "Database administrator accounts", + "id": "control-1357", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1261-stmt", + "id": "control-1357-stmt", "name": "statement", - "prose": "Database administrator accounts are not shared across different databases." + "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." } ] }, { - "id": "control-1263", - "title": "Database administrator accounts", + "id": "control-1683", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1263-stmt", + "id": "control-1683-stmt", "name": "statement", - "prose": "Database administrator accounts are used exclusively for administrative activities, with standard database accounts used for general purpose interactions with databases." + "prose": "Successful and unsuccessful multi-factor authentications are logged." } ] }, { - "id": "control-1264", - "title": "Database administrator accounts", + "id": "control-1684", + "title": "Multi-factor authentication", "parts": [ { - "id": "control-1264-stmt", + "id": "control-1684-stmt", "name": "statement", - "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." 
+ "prose": "Multi-factor authentication event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." } ] - } - ] - }, - { - "id": "databases", - "title": "Databases", - "controls": [ + }, { - "id": "control-1243", - "title": "Database register", + "id": "control-0417", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1243-stmt", + "id": "control-0417-stmt", "name": "statement", - "prose": "A database register is maintained and regularly audited." + "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." } ] }, { - "id": "control-1256", - "title": "Protecting databases", + "id": "control-0421", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1256-stmt", + "id": "control-0421-stmt", "name": "statement", - "prose": "File-based access controls are applied to database files." + "prose": "Passphrases used for single-factor authentication are 4 random words with a minimum length of 14 characters." } ] }, { - "id": "control-1252", - "title": "Protecting authentication credentials in databases", + "id": "control-1557", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1252-stmt", + "id": "control-1557-stmt", "name": "statement", - "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Passphrases used for single-factor authentication are 5 random words with a minimum length of 17 characters." 
} ] }, { - "id": "control-0393", - "title": "Protecting database contents", + "id": "control-0422", + "title": "Single-factor authentication", "parts": [ { - "id": "control-0393-stmt", + "id": "control-0422-stmt", "name": "statement", - "prose": "Databases and their contents are classified based on the sensitivity or classification of data that they contain." + "prose": "Passphrases used for single-factor authentication are 6 random words with a minimum length of 20 characters." } ] }, { - "id": "control-1255", - "title": "Protecting database contents", + "id": "control-1558", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1255-stmt", + "id": "control-1558-stmt", "name": "statement", - "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." + "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." } ] }, { - "id": "control-1268", - "title": "Protecting database contents", + "id": "control-1596", + "title": "Single-factor authentication", "parts": [ { - "id": "control-1268-stmt", + "id": "control-1596-stmt", "name": "statement", - "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." + "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." 
} ] }, { - "id": "control-1258", - "title": "Aggregation of database contents", + "id": "control-1227", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1258-stmt", + "id": "control-1227-stmt", "name": "statement", - "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of data from within databases could lead to a database user determining more sensitive or classified data, database views in combination with database user access roles are implemented." + "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." } ] }, { - "id": "control-1274", - "title": "Separation of production, test and development databases", + "id": "control-1593", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1274-stmt", + "id": "control-1593-stmt", "name": "statement", - "prose": "Data in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." + "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." } ] }, { - "id": "control-1275", - "title": "Web application interaction with databases", + "id": "control-1594", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1275-stmt", + "id": "control-1594-stmt", "name": "statement", - "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." + "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." 
} ] }, { - "id": "control-1276", - "title": "Web application interaction with databases", + "id": "control-1595", + "title": "Setting and resetting credentials for user accounts", "parts": [ { - "id": "control-1276-stmt", + "id": "control-1595-stmt", "name": "statement", - "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." + "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." } ] }, { - "id": "control-1278", - "title": "Web application interaction with databases", + "id": "control-1619", + "title": "Setting and resetting credentials for service accounts", "parts": [ { - "id": "control-1278-stmt", + "id": "control-1619-stmt", "name": "statement", - "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." + "prose": "Service accounts are created as group Managed Service Accounts." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_email", - "title": "Guidelines for Email", - "groups": [ - { - "id": "email_usage", - "title": "Email usage", - "controls": [ + }, { - "id": "control-0264", - "title": "Email usage policy", + "id": "control-1403", + "title": "Account lockouts", "parts": [ { - "id": "control-0264-stmt", + "id": "control-1403-stmt", "name": "statement", - "prose": "An email usage policy is developed and implemented." + "prose": "Accounts are locked out after a maximum of five failed logon attempts." } ] }, { - "id": "control-0267", - "title": "Webmail services", + "id": "control-0431", + "title": "Account lockouts", "parts": [ { - "id": "control-0267-stmt", + "id": "control-0431-stmt", "name": "statement", - "prose": "Access to non-approved webmail services is blocked." + "prose": "Repeated account lockouts are investigated before reauthorising access." 
} ] }, { - "id": "control-0270", - "title": "Protective markings for emails", + "id": "control-0976", + "title": "Account unlocks", "parts": [ { - "id": "control-0270-stmt", + "id": "control-0976-stmt", "name": "statement", - "prose": "Protective markings are applied to emails and reflect the highest sensitivity or classification of the subject, body and attachments." + "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." } ] }, { - "id": "control-0271", - "title": "Protective marking tools", + "id": "control-1603", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-0271-stmt", + "id": "control-1603-stmt", "name": "statement", - "prose": "Protective marking tools do not automatically insert protective markings into emails." + "prose": "Authentication methods susceptible to replay attacks are disabled." } ] }, { - "id": "control-0272", - "title": "Protective marking tools", + "id": "control-1055", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-0272-stmt", + "id": "control-1055-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate." + "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." } ] }, { - "id": "control-1089", - "title": "Protective marking tools", + "id": "control-1620", + "title": "Insecure authentication methods", "parts": [ { - "id": "control-1089-stmt", + "id": "control-1620-stmt", "name": "statement", - "prose": "Protective marking tools do not allow users replying to or forwarding an email to select a protective marking that is lower than previously used for the email." + "prose": "Privileged accounts are members of the Protected Users security group." 
} ] }, { - "id": "control-0565", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-1685", + "title": "Protecting credentials", "parts": [ { - "id": "control-0565-stmt", + "id": "control-1685-stmt", "name": "statement", - "prose": "Email servers are configured to block, log and report emails with inappropriate protective markings." + "prose": "Credentials for local administrator accounts and service accounts are unique, unpredictable and managed." } ] }, { - "id": "control-1023", - "title": "Handling emails with inappropriate, invalid or missing protective markings", + "id": "control-0418", + "title": "Protecting credentials", "parts": [ { - "id": "control-1023-stmt", + "id": "control-0418-stmt", "name": "statement", - "prose": "The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified." + "prose": "Credentials are stored separately from systems to which they grant access." } ] }, { - "id": "control-0269", - "title": "Email distribution lists", + "id": "control-1597", + "title": "Protecting credentials", "parts": [ { - "id": "control-0269-stmt", + "id": "control-1597-stmt", "name": "statement", - "prose": "Emails containing AUSTEO, AGAO or REL data are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed." + "prose": "Credentials are obscured as they are entered into systems." } ] - } - ] - }, - { - "id": "email_gateways_and_servers", - "title": "Email gateways and servers", - "controls": [ + }, { - "id": "control-0569", - "title": "Centralised email gateways", + "id": "control-1402", + "title": "Protecting credentials", "parts": [ { - "id": "control-0569-stmt", + "id": "control-1402-stmt", "name": "statement", - "prose": "Email is routed through a centralised email gateway." 
+ "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." } ] }, { - "id": "control-0571", - "title": "Centralised email gateways", + "id": "control-1686", + "title": "Protecting credentials", "parts": [ { - "id": "control-0571-stmt", + "id": "control-1686-stmt", "name": "statement", - "prose": "When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway." + "prose": "Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled." } ] }, { - "id": "control-0570", - "title": "Email gateway maintenance activities", + "id": "control-1590", + "title": "Protecting credentials", "parts": [ { - "id": "control-0570-stmt", + "id": "control-1590-stmt", "name": "statement", - "prose": "Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway." + "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." } ] }, { - "id": "control-0567", - "title": "Open relay email servers", + "id": "control-0853", + "title": "Session termination", "parts": [ { - "id": "control-0567-stmt", + "id": "control-0853-stmt", "name": "statement", - "prose": "Email servers only relay emails destined for or originating from their domains." + "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." 
} ] }, { - "id": "control-0572", - "title": "Email server transport encryption", + "id": "control-0428", + "title": "Session and screen locking", "parts": [ { - "id": "control-0572-stmt", + "id": "control-0428-stmt", "name": "statement", - "prose": "Opportunistic TLS encryption is enabled on email servers that make incoming or outgoing email connections over public network infrastructure." + "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity, or if manually activated by the user\n• conceals all session content on the screen\n• ensures that the screen does not enter a power saving state before the session or screen lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." } ] }, { - "id": "control-1589", - "title": "Email server transport encryption", + "id": "control-0408", + "title": "Logon banner", "parts": [ { - "id": "control-1589-stmt", + "id": "control-0408-stmt", "name": "statement", - "prose": "MTA-STS is enabled to prevent the transfer of unencrypted emails between complying servers." + "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." } ] }, { - "id": "control-0574", - "title": "Sender Policy Framework", + "id": "control-0979", + "title": "Logon banner", "parts": [ { - "id": "control-0574-stmt", + "id": "control-0979-stmt", "name": "statement", - "prose": "SPF is used to specify authorised email services (or lack thereof) for all domains." + "prose": "Legal advice is sought on the exact wording of logon banners." 
} ] - }, + } + ] + }, + { + "id": "virtualisation_hardening", + "title": "Virtualisation hardening", + "controls": [ { - "id": "control-1183", - "title": "Sender Policy Framework", + "id": "control-1460", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1183-stmt", + "id": "control-1460-stmt", "name": "statement", - "prose": "A hard fail SPF record is used when specifying email servers." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." } ] }, { - "id": "control-1151", - "title": "Sender Policy Framework", + "id": "control-1604", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1151-stmt", + "id": "control-1604-stmt", "name": "statement", - "prose": "SPF is used to verify the authenticity of incoming emails." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." } ] }, { - "id": "control-1152", - "title": "Sender Policy Framework", + "id": "control-1605", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1152-stmt", + "id": "control-1605-stmt", "name": "statement", - "prose": "Incoming emails that fail SPF checks are blocked or marked in a manner that is visible to the recipients." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." 
} ] }, { - "id": "control-0861", - "title": "DomainKeys Identified Mail", + "id": "control-1606", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-0861-stmt", + "id": "control-1606-stmt", "name": "statement", - "prose": "DKIM signing is enabled on emails originating from an organisation’s domains." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1026", - "title": "DomainKeys Identified Mail", + "id": "control-1607", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1026-stmt", + "id": "control-1607-stmt", "name": "statement", - "prose": "DKIM signatures on received emails are verified." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." } ] }, { - "id": "control-1027", - "title": "DomainKeys Identified Mail", + "id": "control-1461", + "title": "Functional separation between computing environments", "parts": [ { - "id": "control-1027-stmt", + "id": "control-1461-stmt", "name": "statement", - "prose": "Email distribution list software used by external senders is configured such that it does not break the validity of the sender’s DKIM signature." + "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_software_development", + "title": "Guidelines for Software Development", + "groups": [ + { + "id": "application_development", + "title": "Application development", + "controls": [ { - "id": "control-1540", - "title": "Domain-based Message Authentication, Reporting and Conformance", + "id": "control-0400", + "title": "Development environments", "parts": [ { - "id": "control-1540-stmt", + "id": "control-0400-stmt", "name": "statement", - "prose": "DMARC records are configured for all domains such that emails are rejected if they fail SPF or DKIM checks." + "prose": "Development, testing and production environments are segregated." } ] }, { - "id": "control-1234", - "title": "Email content filtering", + "id": "control-1419", + "title": "Development environments", "parts": [ { - "id": "control-1234-stmt", + "id": "control-1419-stmt", "name": "statement", - "prose": "Email content filtering controls are implemented for email bodies and attachments." + "prose": "Development and modification of software only takes place in development environments." } ] }, { - "id": "control-1502", - "title": "Blocking suspicious emails", + "id": "control-1420", + "title": "Development environments", "parts": [ { - "id": "control-1502-stmt", + "id": "control-1420-stmt", "name": "statement", - "prose": "Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway." + "prose": "Data in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments." 
} ] }, { - "id": "control-1024", - "title": "Undeliverable messages", + "id": "control-1422", + "title": "Development environments", "parts": [ { - "id": "control-1024-stmt", + "id": "control-1422-stmt", "name": "statement", - "prose": "Notification of undeliverable, bounced or blocked emails are only sent to senders that can be verified via SPF or other trusted means." + "prose": "Unauthorised access to the authoritative source for software is prevented." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cryptography", - "title": "Guidelines for Cryptography", - "groups": [ - { - "id": "transport_layer_security", - "title": "Transport Layer Security", - "controls": [ + }, { - "id": "control-1139", - "title": "Using Transport Layer Security", + "id": "control-1238", + "title": "Secure software design", "parts": [ { - "id": "control-1139-stmt", + "id": "control-1238-stmt", "name": "statement", - "prose": "Only the latest version of TLS is used." + "prose": "Threat modelling and other secure design techniques are used to ensure that threats to software and mitigations to those threats are identified and accounted for." } ] }, - { - "id": "control-1369", - "title": "Using Transport Layer Security", + { + "id": "control-0401", + "title": "Secure programming practices", "parts": [ { - "id": "control-1369-stmt", + "id": "control-0401-stmt", "name": "statement", - "prose": "AES in Galois Counter Mode is used for symmetric encryption." + "prose": "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." 
} ] }, { - "id": "control-1370", - "title": "Using Transport Layer Security", + "id": "control-0402", + "title": "Software testing", "parts": [ { - "id": "control-1370-stmt", + "id": "control-0402-stmt", "name": "statement", - "prose": "Only server-initiated secure renegotiation is used." + "prose": "Software is tested for security vulnerabilities by software developers, as well as an independent party, before it is used in a production environment." } ] }, { - "id": "control-1372", - "title": "Using Transport Layer Security", + "id": "control-1616", + "title": "Vulnerability disclosure program", "parts": [ { - "id": "control-1372-stmt", + "id": "control-1616-stmt", "name": "statement", - "prose": "DH or ECDH is used for key establishment." + "prose": "A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services." } ] - }, + } + ] + }, + { + "id": "web_application_development", + "title": "Web application development", + "controls": [ { - "id": "control-1448", - "title": "Using Transport Layer Security", + "id": "control-1239", + "title": "Web application frameworks", "parts": [ { - "id": "control-1448-stmt", + "id": "control-1239-stmt", "name": "statement", - "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." + "prose": "Robust web application frameworks are used to aid in the development of secure web applications." } ] }, { - "id": "control-1373", - "title": "Using Transport Layer Security", + "id": "control-1552", + "title": "Web application interactions", "parts": [ { - "id": "control-1373-stmt", + "id": "control-1552-stmt", "name": "statement", - "prose": "Anonymous DH is not used." + "prose": "All web application content is offered exclusively using HTTPS." 
} ] }, { - "id": "control-1374", - "title": "Using Transport Layer Security", + "id": "control-1240", + "title": "Web application input handling", "parts": [ { - "id": "control-1374-stmt", + "id": "control-1240-stmt", "name": "statement", - "prose": "SHA-2-based certificates are used." + "prose": "Validation and/or sanitisation is performed on all input handled by a web application." } ] }, { - "id": "control-1375", - "title": "Using Transport Layer Security", + "id": "control-1241", + "title": "Web application output encoding", "parts": [ { - "id": "control-1375-stmt", + "id": "control-1241-stmt", "name": "statement", - "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." + "prose": "Output encoding is performed on all output produced by a web application." } ] }, { - "id": "control-1553", - "title": "Using Transport Layer Security", + "id": "control-1424", + "title": "Web browser-based security controls", "parts": [ { - "id": "control-1553-stmt", + "id": "control-1424-stmt", "name": "statement", - "prose": "TLS compression is disabled." + "prose": "Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers." } ] }, { - "id": "control-1453", - "title": "Perfect Forward Secrecy", + "id": "control-0971", + "title": "Open Web Application Security Project", "parts": [ { - "id": "control-1453-stmt", + "id": "control-0971-stmt", "name": "statement", - "prose": "PFS is used for TLS connections." + "prose": "The OWASP Application Security Verification Standard is followed when developing web applications." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_cyber_security_incidents", + "title": "Guidelines for Cyber Security Incidents", + "groups": [ { - "id": "asd_approved_cryptographic_algorithms", - "title": "ASD Approved Cryptographic Algorithms", + "id": "reporting_cyber_security_incidents", + "title": "Reporting cyber security incidents", "controls": [ { - "id": "control-0471", - "title": "Using ASD Approved Cryptographic Algorithms", + "id": "control-0123", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0471-stmt", + "id": "control-0123-stmt", "name": "statement", - "prose": "Only AACAs are used by cryptographic equipment and software." + "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-0994", - "title": "Approved asymmetric/public key algorithms", + "id": "control-0141", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0994-stmt", + "id": "control-0141-stmt", "name": "statement", - "prose": "ECDH and ECDSA are used in preference to DH and DSA." + "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." } ] }, { - "id": "control-0472", - "title": "Using Diffie-Hellman", + "id": "control-1433", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-0472-stmt", + "id": "control-1433-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used." + "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." 
} ] }, { - "id": "control-1629", - "title": "Using Diffie-Hellman", + "id": "control-1434", + "title": "Reporting cyber security incidents", "parts": [ { - "id": "control-1629-stmt", + "id": "control-1434-stmt", "name": "statement", - "prose": "When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3." + "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." } ] }, { - "id": "control-0473", - "title": "Using the Digital Signature Algorithm", + "id": "control-0140", + "title": "Reporting cyber security incidents to the ACSC", "parts": [ { - "id": "control-0473-stmt", + "id": "control-0140-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus of at least 2048 bits is used." + "prose": "Cyber security incidents are reported to the ACSC." } ] - }, + } + ] + }, + { + "id": "managing_cyber_security_incidents", + "title": "Managing cyber security incidents", + "controls": [ { - "id": "control-1630", - "title": "Using the Digital Signature Algorithm", + "id": "control-0125", + "title": "Cyber security incident register", "parts": [ { - "id": "control-1630-stmt", + "id": "control-0125-stmt", "name": "statement", - "prose": "When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4." + "prose": "A cyber security incident register is maintained that covers the following:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." 
} ] }, { - "id": "control-1446", - "title": "Using Elliptic Curve Cryptography", + "id": "control-0133", + "title": "Handling and containing data spills", "parts": [ { - "id": "control-1446-stmt", + "id": "control-0133-stmt", "name": "statement", - "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." + "prose": "When a data spill occurs, data owners are advised and access to the data is restricted." } ] }, { - "id": "control-0474", - "title": "Using Elliptic Curve Diffie-Hellman", + "id": "control-0917", + "title": "Handling and containing malicious code infections", "parts": [ { - "id": "control-0474-stmt", + "id": "control-0917-stmt", "name": "statement", - "prose": "When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used." + "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." } ] }, { - "id": "control-0475", - "title": "Using the Elliptic Curve Digital Signature Algorithm", + "id": "control-0137", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-0475-stmt", + "id": "control-0137-stmt", "name": "statement", - "prose": "When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used." + "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further data or evidence." 
} ] }, { - "id": "control-0476", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-1609", + "title": "Allowing targeted cyber intrusions to continue", "parts": [ { - "id": "control-0476-stmt", + "id": "control-1609-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used." + "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further data or evidence." } ] }, { - "id": "control-0477", - "title": "Using Rivest-Shamir-Adleman", + "id": "control-1213", + "title": "Post-incident analysis", "parts": [ { - "id": "control-0477-stmt", + "id": "control-1213-stmt", "name": "statement", - "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." + "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." } ] }, { - "id": "control-0479", - "title": "Approved symmetric encryption algorithms", + "id": "control-0138", + "title": "Integrity of evidence", "parts": [ { - "id": "control-0479-stmt", + "id": "control-0138-stmt", "name": "statement", - "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." + "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." 
+ } + ] + } + ] + }, + { + "id": "detecting_cyber_security_incidents", + "title": "Detecting cyber security incidents", + "controls": [ + { + "id": "control-0576", + "title": "Intrusion detection and prevention policy", + "parts": [ + { + "id": "control-0576-stmt", + "name": "statement", + "prose": "An intrusion detection and prevention policy is developed and implemented." } ] }, { - "id": "control-0480", - "title": "Using the Triple Data Encryption Standard", + "id": "control-1625", + "title": "Trusted insider program", "parts": [ { - "id": "control-0480-stmt", + "id": "control-1625-stmt", "name": "statement", - "prose": "3DES is used with three distinct keys." + "prose": "A trusted insider program is developed and implemented." } ] }, { - "id": "control-1232", - "title": "Protecting highly classified data", + "id": "control-1626", + "title": "Trusted insider program", "parts": [ { - "id": "control-1232-stmt", + "id": "control-1626-stmt", "name": "statement", - "prose": "AACAs are used in an evaluated implementation." + "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." } ] }, { - "id": "control-1468", - "title": "Protecting highly classified data", + "id": "control-0120", + "title": "Access to sufficient data sources and tools", "parts": [ { - "id": "control-1468-stmt", + "id": "control-0120-stmt", "name": "statement", - "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." + "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." 
} ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_networking", + "title": "Guidelines for Networking", + "groups": [ { - "id": "cryptographic_system_management", - "title": "Cryptographic system management", + "id": "service_continuity_for_online_services", + "title": "Service continuity for online services", "controls": [ { - "id": "control-0501", - "title": "Commercial grade cryptographic equipment", + "id": "control-1437", + "title": "Cloud-based hosting of online services", "parts": [ { - "id": "control-0501-stmt", + "id": "control-1437-stmt", "name": "statement", - "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." + "prose": "A cloud service provider is used for hosting online services." } ] }, { - "id": "control-0142", - "title": "Commercial grade cryptographic equipment", + "id": "control-1578", + "title": "Location policies for online services", "parts": [ { - "id": "control-0142-stmt", + "id": "control-1578-stmt", "name": "statement", - "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." + "prose": "Organisations are notified by cloud service providers of any change to configured regions or availability zones." } ] }, { - "id": "control-1091", - "title": "Commercial grade cryptographic equipment", + "id": "control-1579", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-1091-stmt", + "id": "control-1579-stmt", "name": "statement", - "prose": "Keying material is changed when compromised or suspected of being compromised." + "prose": "Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes." 
} ] }, { - "id": "control-0499", - "title": "High Assurance Cryptographic Equipment", + "id": "control-1580", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0499-stmt", + "id": "control-1580-stmt", "name": "statement", - "prose": "All communications security and equipment-specific doctrine produced by the ACSC for the management and use of HACE is complied with." + "prose": "Where a high availability requirement exists, online services are architected to automatically transition between availability zones." } ] }, { - "id": "control-0505", - "title": "Storing cryptographic equipment", + "id": "control-1441", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0505-stmt", + "id": "control-1441-stmt", "name": "statement", - "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the data the cryptographic equipment processes." + "prose": "Where a requirement for high availability exists, a denial of service mitigation service is used." } ] }, { - "id": "control-0506", - "title": "Storing cryptographic equipment", + "id": "control-1581", + "title": "Availability planning and monitoring for online services", "parts": [ { - "id": "control-0506-stmt", + "id": "control-1581-stmt", "name": "statement", - "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." + "prose": "Organisations perform continuous real-time monitoring of the availability of online services." 
} ] - } - ] - }, - { - "id": "secure_shell", - "title": "Secure Shell", - "controls": [ + }, { - "id": "control-1506", - "title": "Configuring Secure Shell", + "id": "control-1438", + "title": "Using content delivery networks", "parts": [ { - "id": "control-1506-stmt", + "id": "control-1438-stmt", "name": "statement", - "prose": "The use of SSH version 1 is disabled." + "prose": "Where a high availability requirement exists for website hosting, CDNs that cache websites are used." } ] }, { - "id": "control-0484", - "title": "Configuring Secure Shell", + "id": "control-1439", + "title": "Using content delivery networks", "parts": [ { - "id": "control-0484-stmt", + "id": "control-1439-stmt", "name": "statement", - "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." + "prose": "If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network." } ] }, { - "id": "control-0485", - "title": "Authentication mechanisms", + "id": "control-1431", + "title": "Denial of service strategies", "parts": [ { - "id": "control-0485-stmt", + "id": "control-1431-stmt", "name": "statement", - "prose": "Public key-based authentication is used for SSH connections." 
+ "prose": "Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:\n• their capacity to withstand denial-of-service attacks\n• any costs likely to be incurred as a result of denial-of-service attacks\n• thresholds for notification of denial-of-service attacks\n• thresholds for turning off online services during denial-of-service attacks\n• pre-approved actions that can be undertaken during denial-of-service attacks\n• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible." } ] }, { - "id": "control-1449", - "title": "Authentication mechanisms", + "id": "control-1458", + "title": "Denial of service strategies", "parts": [ { - "id": "control-1449-stmt", + "id": "control-1458-stmt", "name": "statement", - "prose": "SSH private keys are protected with a passphrase or a key encryption key." + "prose": "The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented." } ] }, { - "id": "control-0487", - "title": "Automated remote access", + "id": "control-1432", + "title": "Domain name registrar locking", "parts": [ { - "id": "control-0487-stmt", + "id": "control-1432-stmt", "name": "statement", - "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." + "prose": "Domain names for online services are protected via registrar locking and confirming domain registration details are correct." 
} ] }, { - "id": "control-0488", - "title": "Automated remote access", + "id": "control-1435", + "title": "Monitoring with real-time alerting for online services", "parts": [ { - "id": "control-0488-stmt", + "id": "control-1435-stmt", "name": "statement", - "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." + "prose": "Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact." } ] }, { - "id": "control-0489", - "title": "SSH-agent", + "id": "control-1436", + "title": "Segregation of critical online services", "parts": [ { - "id": "control-0489-stmt", + "id": "control-1436-stmt", "name": "statement", - "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." + "prose": "Critical online services are segregated from other online services that are more likely to be targeted." } ] - } - ] - }, - { - "id": "asd_approved_cryptographic_protocols", - "title": "ASD Approved Cryptographic Protocols", - "controls": [ + }, { - "id": "control-0481", - "title": "Using ASD Approved Cryptographic Protocols", + "id": "control-1518", + "title": "Preparing for service continuity", "parts": [ { - "id": "control-0481-stmt", + "id": "control-1518-stmt", "name": "statement", - "prose": "Only AACPs are used by cryptographic equipment and software." + "prose": "A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack." 
} ] } ] }, { - "id": "secure-multipurpose_internet_mail_extension", - "title": "Secure/Multipurpose Internet Mail Extension", + "id": "wireless_networks", + "title": "Wireless networks", "controls": [ { - "id": "control-0490", - "title": "Using Secure/Multipurpose Internet Mail Extension", + "id": "control-1314", + "title": "Choosing wireless devices", "parts": [ { - "id": "control-0490-stmt", + "id": "control-1314-stmt", "name": "statement", - "prose": "Versions of S/MIME earlier than 3.0 are not used." + "prose": "All wireless devices are Wi-Fi Alliance certified." } ] - } - ] - }, - { - "id": "cryptographic_fundamentals", - "title": "Cryptographic fundamentals", - "controls": [ + }, { - "id": "control-1161", - "title": "Reducing handling requirements", + "id": "control-0536", + "title": "Wireless networks for public access", "parts": [ { - "id": "control-1161-stmt", + "id": "control-0536-stmt", "name": "statement", - "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the handling requirements for ICT equipment or media that contains sensitive data." + "prose": "Wireless networks provided for the general public to access are segregated from all other networks." } ] }, { - "id": "control-0457", - "title": "Reducing handling requirements", + "id": "control-1315", + "title": "Administrative interfaces for wireless access points", "parts": [ { - "id": "control-0457-stmt", + "id": "control-1315-stmt", "name": "statement", - "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the handling requirements for ICT equipment or media that contains classified data." + "prose": "The administrative interface on wireless access points is disabled for wireless network connections." 
} ] }, { - "id": "control-0460", - "title": "Reducing handling requirements", + "id": "control-1316", + "title": "Default settings", "parts": [ { - "id": "control-0460-stmt", + "id": "control-1316-stmt", "name": "statement", - "prose": "HACE is used if an organisation wishes to reduce the handling requirements for ICT equipment or media that contains highly classified data." + "prose": "The default SSID of wireless access points is changed." } ] }, { - "id": "control-0459", - "title": "Encrypting data at rest", + "id": "control-1317", + "title": "Default settings", "parts": [ { - "id": "control-0459-stmt", + "id": "control-1317-stmt", "name": "statement", - "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "The SSID of a non-public wireless network is not readily associated with an organisation, the location of their premises or the functionality of the wireless network." } ] }, { - "id": "control-0461", - "title": "Encrypting data at rest", + "id": "control-1318", + "title": "Default settings", "parts": [ { - "id": "control-0461-stmt", + "id": "control-1318-stmt", "name": "statement", - "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." + "prose": "SSID broadcasting is enabled on wireless networks." } ] }, { - "id": "control-1080", - "title": "Encrypting particularly important data at rest", + "id": "control-1709", + "title": "Default settings", "parts": [ { - "id": "control-1080-stmt", + "id": "control-1709-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO data when at rest on a system." + "prose": "Default accounts and passphrases of wireless devices are changed." 
} ] }, { - "id": "control-0455", - "title": "Data recovery", + "id": "control-1710", + "title": "Default settings", "parts": [ { - "id": "control-0455-stmt", + "id": "control-1710-stmt", "name": "statement", - "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." + "prose": "Configuration settings for wireless devices are hardened." } ] }, { - "id": "control-0462", - "title": "Handling encrypted ICT equipment and media", + "id": "control-1319", + "title": "Static addressing", "parts": [ { - "id": "control-0462-stmt", + "id": "control-1319-stmt", "name": "statement", - "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted data, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." + "prose": "Static addressing is not used for assigning IP addresses on wireless networks." } ] }, { - "id": "control-1162", - "title": "Encrypting data in transit", + "id": "control-1320", + "title": "Media Access Control address filtering", "parts": [ { - "id": "control-1162-stmt", + "id": "control-1320-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive data over public network infrastructure and through unsecured spaces." + "prose": "MAC address filtering is not used to restrict which devices can connect to wireless networks." 
} ] }, { - "id": "control-0465", - "title": "Encrypting data in transit", + "id": "control-1332", + "title": "Confidentiality and integrity of wireless network traffic", "parts": [ { - "id": "control-0465-stmt", + "id": "control-1332-stmt", "name": "statement", - "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified data over official networks, public network infrastructure and through unsecured spaces." + "prose": "WPA3-Enterprise 192-bit mode is used to protect the confidentiality and integrity of all wireless network traffic." } ] }, { - "id": "control-0467", - "title": "Encrypting data in transit", + "id": "control-1321", + "title": "802.1X authentication", "parts": [ { - "id": "control-0467-stmt", + "id": "control-1321-stmt", "name": "statement", - "prose": "HACE is used to communicate highly classified data over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." + "prose": "802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication; with all other EAP methods disabled on supplications and authentication servers." } ] }, { - "id": "control-0469", - "title": "Encrypting particularly important data in transit", + "id": "control-1711", + "title": "802.1X authentication", "parts": [ { - "id": "control-0469-stmt", + "id": "control-1711-stmt", "name": "statement", - "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO data when communicated across network infrastructure." + "prose": "User identity confidentiality is used if available with EAP-TLS implementations." 
} ] - } - ] - }, - { - "id": "internet_protocol_security", - "title": "Internet Protocol Security", - "controls": [ + }, { - "id": "control-0494", - "title": "Mode of operation", + "id": "control-1322", + "title": "Evaluation of 802.1X authentication implementation", "parts": [ { - "id": "control-0494-stmt", + "id": "control-1322-stmt", "name": "statement", - "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." + "prose": "Evaluated supplicants, authenticators, wireless access points and authentication servers are used in wireless networks." } ] }, { - "id": "control-0496", - "title": "Protocol selection", + "id": "control-1324", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0496-stmt", + "id": "control-1324-stmt", "name": "statement", - "prose": "The ESP protocol is used for IPsec connections." + "prose": "Certificates are generated using an evaluated certificate authority solution or hardware security module." } ] }, { - "id": "control-1233", - "title": "Key exchange", + "id": "control-1323", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-1233-stmt", + "id": "control-1323-stmt", "name": "statement", - "prose": "IKE is used for key exchange when establishing an IPsec connection." + "prose": "Certificates are required for both devices and users accessing wireless networks." } ] }, { - "id": "control-0497", - "title": "Internet Security Association Key Management Protocol modes", + "id": "control-1327", + "title": "Generating and issuing certificates for authentication", "parts": [ { - "id": "control-0497-stmt", + "id": "control-1327-stmt", "name": "statement", - "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." + "prose": "Certificates are protected by encryption, user authentication, and both logical and physical access controls." 
} ] }, { - "id": "control-0498", - "title": "Security association lifetimes", + "id": "control-1330", + "title": "Caching 802.1X authentication outcomes", "parts": [ { - "id": "control-0498-stmt", + "id": "control-1330-stmt", "name": "statement", - "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." + "prose": "The PMK caching period is not set to greater than 1440 minutes (24 hours)." } ] }, { - "id": "control-0998", - "title": "Hashed Message Authentication Code algorithms", + "id": "control-1712", + "title": "Fast Basic Service Set Transition", "parts": [ { - "id": "control-0998-stmt", + "id": "control-1712-stmt", "name": "statement", - "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." + "prose": "The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an AACP." } ] }, { - "id": "control-0999", - "title": "Diffie-Hellman groups", + "id": "control-1454", + "title": "Remote Authentication Dial-In User Service authentication", "parts": [ { - "id": "control-0999-stmt", + "id": "control-1454-stmt", "name": "statement", - "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." + "prose": "Communications between authenticators and a RADIUS server are encapsulated with an additional layer of encryption using RADIUS over IPsec or RADIUS over TLS." } ] }, { - "id": "control-1000", - "title": "Perfect Forward Secrecy", + "id": "control-1334", + "title": "Interference between wireless networks", "parts": [ { - "id": "control-1000-stmt", + "id": "control-1334-stmt", "name": "statement", - "prose": "PFS is used for IPsec connections." + "prose": "Wireless networks implement sufficient frequency separation from other wireless networks." 
} ] }, { - "id": "control-1001", - "title": "Internet Key Exchange Extended Authentication", + "id": "control-1335", + "title": "Protecting management frames on wireless networks", "parts": [ { - "id": "control-1001-stmt", + "id": "control-1335-stmt", "name": "statement", - "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." + "prose": "Wireless access points enable the use of the 802.11w amendment to protect management frames." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_security_documentation", - "title": "Guidelines for Security Documentation", - "groups": [ - { - "id": "system-specific_security_documentation", - "title": "System-specific security documentation", - "controls": [ + }, { - "id": "control-0041", - "title": "System security plan", + "id": "control-1338", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0041-stmt", + "id": "control-1338-stmt", "name": "statement", - "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." + "prose": "Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint." 
} ] }, { - "id": "control-0043", - "title": "Incident response plan", + "id": "control-1013", + "title": "Wireless network footprint", "parts": [ { - "id": "control-0043-stmt", + "id": "control-1013-stmt", "name": "statement", - "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." + "prose": "The effective range of wireless communications outside an organisation’s area of control is limited by implementing RF shielding on buildings in which wireless networks are used." 
} ] - }, + } + ] + }, + { + "id": "network_design_and_configuration", + "title": "Network design and configuration", + "controls": [ { - "id": "control-1163", - "title": "Continuous monitoring plan", + "id": "control-0516", + "title": "Network documentation", "parts": [ { - "id": "control-1163-stmt", + "id": "control-0516-stmt", "name": "statement", - "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." + "prose": "Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices." } ] }, { - "id": "control-1563", - "title": "Security assessment report", + "id": "control-0518", + "title": "Network documentation", "parts": [ { - "id": "control-1563-stmt", + "id": "control-0518-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." + "prose": "Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement." 
} ] }, { - "id": "control-1564", - "title": "Plan of action and milestones", + "id": "control-1178", + "title": "Network documentation", "parts": [ { - "id": "control-1564-stmt", + "id": "control-1178-stmt", "name": "statement", - "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." + "prose": "Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services." } ] - } - ] - }, - { - "id": "development_and_maintenance_of_security_documentation", - "title": "Development and maintenance of security documentation", - "controls": [ + }, { - "id": "control-0039", - "title": "Cyber security strategy", + "id": "control-1181", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0039-stmt", + "id": "control-1181-stmt", "name": "statement", - "prose": "A cyber security strategy is developed and implemented for the organisation." + "prose": "Networks are divided into multiple functional network zones according to the sensitivity or criticality of data or services." } ] }, { - "id": "control-0047", - "title": "Approval of security documentation", + "id": "control-1577", + "title": "Network segmentation and segregation", "parts": [ { - "id": "control-0047-stmt", + "id": "control-1577-stmt", "name": "statement", - "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." + "prose": "Organisation networks are segregated from service provider networks." 
} ] }, { - "id": "control-0888", - "title": "Maintenance of security documentation", + "id": "control-1532", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0888-stmt", + "id": "control-1532-stmt", "name": "statement", - "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." + "prose": "VLANs are not used to separate network traffic between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1602", - "title": "Communication of security documentation", + "id": "control-0529", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1602-stmt", + "id": "control-0529-stmt", "name": "statement", - "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." + "prose": "VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_personnel_security", - "title": "Guidelines for Personnel Security", - "groups": [ - { - "id": "cyber_security_awareness_training", - "title": "Cyber security awareness training", - "controls": [ + }, { - "id": "control-0252", - "title": "Providing cyber security awareness training", + "id": "control-1364", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0252-stmt", + "id": "control-1364-stmt", "name": "statement", - "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." 
+ "prose": "VLANs belonging to different security domains are terminated on separate physical network interfaces." } ] }, { - "id": "control-1565", - "title": "Providing cyber security awareness training", + "id": "control-0535", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-1565-stmt", + "id": "control-0535-stmt", "name": "statement", - "prose": "Tailored privileged user training is undertaken annually by all privileged users." + "prose": "VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks." } ] }, { - "id": "control-0817", - "title": "Reporting suspicious contact via online services", + "id": "control-0530", + "title": "Using Virtual Local Area Networks", "parts": [ { - "id": "control-0817-stmt", + "id": "control-0530-stmt", "name": "statement", - "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." + "prose": "Network devices implementing VLANs are managed from the most trusted network." } ] }, { - "id": "control-0820", - "title": "Posting work information to online services", + "id": "control-0521", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0820-stmt", + "id": "control-0521-stmt", "name": "statement", - "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." + "prose": "IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used." } ] }, { - "id": "control-1146", - "title": "Posting work information to online services", + "id": "control-1186", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-1146-stmt", + "id": "control-1186-stmt", "name": "statement", - "prose": "Personnel are advised to maintain separate work and personal accounts for online services." 
+ "prose": "IPv6 capable network security devices are used on IPv6 and dual-stack networks." } ] }, { - "id": "control-0821", - "title": "Posting personal information to online services", + "id": "control-1428", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0821-stmt", + "id": "control-1428-stmt", "name": "statement", - "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." + "prose": "Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment." } ] }, { - "id": "control-0824", - "title": "Sending and receiving files via online services", + "id": "control-1429", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0824-stmt", + "id": "control-1429-stmt", "name": "statement", - "prose": "Personnel are advised not to send or receive files via unauthorised online services." + "prose": "IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries." } ] - } - ] - }, - { - "id": "access_to_systems_and_their_resources", - "title": "Access to systems and their resources", - "controls": [ + }, { - "id": "control-0432", - "title": "System access requirements", + "id": "control-1430", + "title": "Using Internet Protocol version 6", "parts": [ { - "id": "control-0432-stmt", + "id": "control-1430-stmt", "name": "statement", - "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." + "prose": "Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease data stored in a centralised logging facility." 
} ] }, { - "id": "control-0434", - "title": "System access requirements", + "id": "control-0520", + "title": "Network access controls", "parts": [ { - "id": "control-0434-stmt", + "id": "control-0520-stmt", "name": "statement", - "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." + "prose": "Network access controls are implemented on networks to prevent the connection of unauthorised network devices." } ] }, { - "id": "control-0435", - "title": "System access requirements", + "id": "control-1182", + "title": "Network access controls", "parts": [ { - "id": "control-0435-stmt", + "id": "control-1182-stmt", "name": "statement", - "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." + "prose": "Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes." } ] }, { - "id": "control-0414", - "title": "User identification", + "id": "control-1301", + "title": "Network device register", "parts": [ { - "id": "control-0414-stmt", + "id": "control-1301-stmt", "name": "statement", - "prose": "Personnel granted access to a system and its resources are uniquely identifiable." + "prose": "A network device register is maintained and regularly audited." } ] }, { - "id": "control-0415", - "title": "User identification", + "id": "control-1304", + "title": "Default accounts for network devices", "parts": [ { - "id": "control-0415-stmt", + "id": "control-1304-stmt", "name": "statement", - "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." + "prose": "Default accounts for network devices are disabled, renamed or have their passphrase changed." 
} ] }, { - "id": "control-1583", - "title": "User identification", + "id": "control-0534", + "title": "Disabling unused physical ports on network devices", "parts": [ { - "id": "control-1583-stmt", + "id": "control-0534-stmt", "name": "statement", - "prose": "Personnel who are contractors are identified as such." + "prose": "Unused physical ports on network devices are disabled." } ] }, { - "id": "control-0420", - "title": "User identification", + "id": "control-0385", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0420-stmt", + "id": "control-0385-stmt", "name": "statement", - "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL data, personnel who are foreign nationals are identified as such, including by their specific nationality." + "prose": "Servers maintain effective functional separation with other servers allowing them to operate independently." } ] }, { - "id": "control-0405", - "title": "Unprivileged access to systems", + "id": "control-1479", + "title": "Functional separation between servers", "parts": [ { - "id": "control-0405-stmt", + "id": "control-1479-stmt", "name": "statement", - "prose": "Unprivileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." + "prose": "Servers minimise communications with other servers at both the network and file system level." } ] }, { - "id": "control-1503", - "title": "Unprivileged access to systems", + "id": "control-1006", + "title": "Management traffic", "parts": [ { - "id": "control-1503-stmt", + "id": "control-1006-stmt", "name": "statement", - "prose": "Unprivileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." + "prose": "Security measures are implemented to prevent unauthorised access to network management traffic." 
} ] }, { - "id": "control-1566", - "title": "Unprivileged access to systems", + "id": "control-1311", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-1566-stmt", + "id": "control-1311-stmt", "name": "statement", - "prose": "The use of unprivileged accounts, and any activities undertaken with them, are monitored and audited." + "prose": "SNMP version 1 and 2 are not used on networks." } ] }, { - "id": "control-0409", - "title": "Unprivileged access to systems by foreign nationals", + "id": "control-1312", + "title": "Use of Simple Network Management Protocol", "parts": [ { - "id": "control-0409-stmt", + "id": "control-1312-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL data unless effective security controls are in place to ensure such data is not accessible to them." + "prose": "All default SNMP community strings on network devices are changed and have write access disabled." } ] }, { - "id": "control-0411", - "title": "Unprivileged access to systems by foreign nationals", + "id": "control-1028", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-0411-stmt", + "id": "control-1028-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO data unless effective security controls are in place to ensure such data is not accessible to them." + "prose": "NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage." 
} ] }, { - "id": "control-1507", - "title": "Privileged access to systems", + "id": "control-1030", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1507-stmt", + "id": "control-1030-stmt", "name": "statement", - "prose": "Requests for privileged access to systems and applications are validated when first requested." + "prose": "NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any data flows that contravene any rule in firewall rule sets." } ] }, { - "id": "control-1647", - "title": "Privileged access to systems", + "id": "control-1185", + "title": "Using Network-based Intrusion Detection and Prevention Systems", "parts": [ { - "id": "control-1647-stmt", + "id": "control-1185-stmt", "name": "statement", - "prose": "Privileged access to systems and applications is automatically disabled after 12 months unless revalidated." + "prose": "When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures." } ] }, { - "id": "control-1648", - "title": "Privileged access to systems", + "id": "control-1627", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-1648-stmt", + "id": "control-1627-stmt", "name": "statement", - "prose": "Privileged access to systems and applications is automatically disabled after 45 days of inactivity." + "prose": "Inbound network connections from anonymity networks to internet-facing services are blocked." 
} ] }, { - "id": "control-1508", - "title": "Privileged access to systems", + "id": "control-1628", + "title": "Blocking anonymity network traffic", "parts": [ { - "id": "control-1508-stmt", + "id": "control-1628-stmt", "name": "statement", - "prose": "Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties." + "prose": "Outbound network connections to anonymity networks are blocked." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cyber_security_roles", + "title": "Guidelines for Cyber Security Roles", + "groups": [ + { + "id": "system_owners", + "title": "System owners", + "controls": [ { - "id": "control-1649", - "title": "Privileged access to systems", + "id": "control-1071", + "title": "System ownership and oversight", "parts": [ { - "id": "control-1649-stmt", + "id": "control-1071-stmt", "name": "statement", - "prose": "Just-in-time administration is used for administering systems and applications." + "prose": "Each system has a designated system owner." } ] }, { - "id": "control-0445", - "title": "Privileged access to systems", + "id": "control-1525", + "title": "System ownership and oversight", "parts": [ { - "id": "control-0445-stmt", + "id": "control-1525-stmt", "name": "statement", - "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." + "prose": "System owners register each system with its authorising officer." } ] }, { - "id": "control-1509", - "title": "Privileged access to systems", + "id": "control-1633", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1509-stmt", + "id": "control-1633-stmt", "name": "statement", - "prose": "Use of privileged access is logged." + "prose": "System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised." 
} ] }, { - "id": "control-1650", - "title": "Privileged access to systems", + "id": "control-1634", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1650-stmt", + "id": "control-1634-stmt", "name": "statement", - "prose": "Changes to privileged accounts and groups are logged." + "prose": "System owners select security controls for each system and tailor them to achieve desired security objectives." } ] }, { - "id": "control-1651", - "title": "Privileged access to systems", + "id": "control-1635", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1651-stmt", + "id": "control-1635-stmt", "name": "statement", - "prose": "Privileged access event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." + "prose": "System owners implement identified security controls within each system and its operating environment." } ] }, { - "id": "control-1652", - "title": "Privileged access to systems", + "id": "control-1636", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1652-stmt", + "id": "control-1636-stmt", "name": "statement", - "prose": "Privileged account and group change event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." + "prose": "System owners ensure security controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended." 
} ] }, { - "id": "control-1175", - "title": "Privileged access to systems", + "id": "control-0027", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1175-stmt", + "id": "control-0027-stmt", "name": "statement", - "prose": "Privileged user accounts are prevented from accessing the internet, email and web services." + "prose": "System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation." } ] }, { - "id": "control-1653", - "title": "Privileged access to systems", + "id": "control-1526", + "title": "Protecting systems and their resources", "parts": [ { - "id": "control-1653-stmt", + "id": "control-1526-stmt", "name": "statement", - "prose": "Privileged service accounts are prevented from accessing the internet, email and web services." + "prose": "System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis." } ] }, { - "id": "control-0446", - "title": "Privileged access to systems by foreign nationals", + "id": "control-1587", + "title": "Annual reporting of system security status", "parts": [ { - "id": "control-0446-stmt", + "id": "control-1587-stmt", "name": "statement", - "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL data." + "prose": "System owners report the security status of each system to its authorising officer at least annually." 
} ] - }, + } + ] + }, + { + "id": "chief_information_security_officer", + "title": "Chief Information Security Officer", + "controls": [ { - "id": "control-0447", - "title": "Privileged access to systems by foreign nationals", + "id": "control-0714", + "title": "Providing cyber security leadership and guidance", "parts": [ { - "id": "control-0447-stmt", + "id": "control-0714-stmt", "name": "statement", - "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO data." + "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." } ] }, { - "id": "control-0430", - "title": "Suspension of access to systems", + "id": "control-1478", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-0430-stmt", + "id": "control-1478-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." + "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." } ] }, { - "id": "control-1591", - "title": "Suspension of access to systems", + "id": "control-1617", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1591-stmt", + "id": "control-1617-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." + "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." 
} ] }, { - "id": "control-1404", - "title": "Suspension of access to systems", + "id": "control-0724", + "title": "Overseeing the cyber security program", "parts": [ { - "id": "control-1404-stmt", + "id": "control-0724-stmt", "name": "statement", - "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." + "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." } ] }, { - "id": "control-0407", - "title": "Recording authorisation for personnel to access systems", + "id": "control-0725", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-0407-stmt", + "id": "control-0725-stmt", "name": "statement", - "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." + "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." } ] }, { - "id": "control-0441", - "title": "Temporary access to systems", + "id": "control-0726", + "title": "Coordinating cyber security", "parts": [ { - "id": "control-0441-stmt", + "id": "control-0726-stmt", "name": "statement", - "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only data required for them to undertake their duties." + "prose": "The CISO coordinates security risk management activities between cyber security and business teams." 
} ] }, { - "id": "control-0443", - "title": "Temporary access to systems", + "id": "control-0718", + "title": "Reporting on cyber security", "parts": [ { - "id": "control-0443-stmt", + "id": "control-0718-stmt", "name": "statement", - "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." + "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." } ] }, { - "id": "control-1610", - "title": "Emergency access to systems", + "id": "control-0733", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-1610-stmt", + "id": "control-0733-stmt", "name": "statement", - "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." + "prose": "The CISO is fully aware of all cyber security incidents within their organisation." } ] }, { - "id": "control-1611", - "title": "Emergency access to systems", + "id": "control-1618", + "title": "Overseeing incident response activities", "parts": [ { - "id": "control-1611-stmt", + "id": "control-1618-stmt", "name": "statement", - "prose": "Break glass accounts are only used when normal authentication processes cannot be used." + "prose": "The CISO oversees their organisation’s response to cyber security incidents." } ] }, { - "id": "control-1612", - "title": "Emergency access to systems", + "id": "control-0734", + "title": "Contributing to business continuity and disaster recovery planning", "parts": [ { - "id": "control-1612-stmt", + "id": "control-0734-stmt", "name": "statement", - "prose": "Break glass accounts are only used for specific authorised activities." 
+ "prose": "The CISO contributes to the development and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." } ] }, { - "id": "control-1613", - "title": "Emergency access to systems", + "id": "control-0720", + "title": "Developing a cyber security communications strategy", "parts": [ { - "id": "control-1613-stmt", + "id": "control-0720-stmt", "name": "statement", - "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." + "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." } ] }, { - "id": "control-1614", - "title": "Emergency access to systems", + "id": "control-0731", + "title": "Working with suppliers and service providers", "parts": [ { - "id": "control-1614-stmt", + "id": "control-0731-stmt", "name": "statement", - "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." + "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." } ] }, { - "id": "control-1615", - "title": "Emergency access to systems", + "id": "control-0732", + "title": "Receiving and managing a dedicated cyber security budget", "parts": [ { - "id": "control-1615-stmt", + "id": "control-0732-stmt", "name": "statement", - "prose": "Break glass accounts are tested after credentials are changed." + "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." 
} ] }, { - "id": "control-0078", - "title": "Control of Australian systems", + "id": "control-0717", + "title": "Overseeing cyber security personnel", "parts": [ { - "id": "control-0078-stmt", + "id": "control-0717-stmt", "name": "statement", - "prose": "Systems processing, storing or communicating AUSTEO or AGAO data remain at all times under the control of an Australian national working for or on behalf of the Australian Government." + "prose": "The CISO oversees the management of cyber security personnel within their organisation." } ] }, { - "id": "control-0854", - "title": "Control of Australian systems", + "id": "control-0735", + "title": "Overseeing cyber security awareness raising", "parts": [ { - "id": "control-0854-stmt", + "id": "control-0735-stmt", "name": "statement", - "prose": "Access to AUSTEO or AGAO data from systems not under the sole control of the Australian Government is prevented." + "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." } ] } 
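Review bot: The churn in this hunk cannot be reviewed for actual content changes, because the removed and added lines pair up unrelated controls rather than old and new versions of the same control: at the top, `control-0494` "Mode of operation" under `internet_protocol_security` is removed where `control-1322` "Evaluation of 802.1X authentication implementation" is added, and further down the whole `guidelines_for_security_documentation` and `guidelines_for_personnel_security` groups are removed while `network_design_and_configuration` and `guidelines_for_cyber_security_roles` appear in their place. This looks like the catalog being regenerated with a different group ordering, but the diff alone does not prove that no control was dropped or had its `prose` altered along the way. Please verify that before merging, for example by extracting and sorting the `id` and `prose` pairs of every control from the old and new catalog.json and diffing those lists, and state in the commit message or PR description that the catalogs were regenerated with a different ordering, so future readers do not have to reconstruct that from a several-thousand-line diff.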
@@ -4886,2795 +4814,2862 @@ ] }, { - "id": "guidelines_for_system_hardening", - "title": "Guidelines for System Hardening", + "id": "guidelines_for_data_transfers", + "title": "Guidelines for Data Transfers", "groups": [ { - "id": "authentication_hardening", - "title": "Authentication hardening", + "id": "data_transfers", + "title": "Data transfers", "controls": [ { - "id": "control-1546", - "title": "Authenticating to systems", - "parts": [ - { - "id": "control-1546-stmt", - "name": "statement", - "prose": "Users are authenticated before they are granted access to a system and its resources." - } - ] - }, - { - "id": "control-0974", - "title": "Multi-factor authentication", - "parts": [ - { - "id": "control-0974-stmt", - "name": "statement", - "prose": "Multi-factor authentication is used to authenticate unprivileged users of systems." - } - ] - }, - { - "id": "control-1173", - "title": "Multi-factor authentication", + "id": "control-0663", + "title": "Data transfer process and procedures", "parts": [ { - "id": "control-1173-stmt", + "id": "control-0663-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate privileged users of systems." + "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." } ] }, { - "id": "control-1504", - "title": "Multi-factor authentication", + "id": "control-0661", + "title": "User responsibilities", "parts": [ { - "id": "control-1504-stmt", + "id": "control-0661-stmt", "name": "statement", - "prose": "Multi-factor authentication is used by an organisation’s users if they authenticate to their organisation’s internet-facing services." + "prose": "Users transferring data to and from a system are held accountable for the data they transfer." 
} ] }, { - "id": "control-1679", - "title": "Multi-factor authentication", + "id": "control-0665", + "title": "Trusted sources", "parts": [ { - "id": "control-1679-stmt", + "id": "control-0665-stmt", "name": "statement", - "prose": "Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data." + "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." } ] }, { - "id": "control-1680", - "title": "Multi-factor authentication", + "id": "control-0664", + "title": "Data transfer approval", "parts": [ { - "id": "control-1680-stmt", + "id": "control-0664-stmt", "name": "statement", - "prose": "Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data." + "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." } ] }, { - "id": "control-1681", - "title": "Multi-factor authentication", + "id": "control-0675", + "title": "Data transfer approval", "parts": [ { - "id": "control-1681-stmt", + "id": "control-0675-stmt", "name": "statement", - "prose": "Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services." + "prose": "A trusted source signs all data authorised for export from a system." } ] }, { - "id": "control-1505", - "title": "Multi-factor authentication", + "id": "control-0657", + "title": "Import of data", "parts": [ { - "id": "control-1505-stmt", + "id": "control-0657-stmt", "name": "statement", - "prose": "Multi-factor authentication is used to authenticate users accessing important data repositories." 
+ "prose": "Data imported to a system is scanned for malicious and active content." } ] }, { - "id": "control-1401", - "title": "Multi-factor authentication", + "id": "control-0658", + "title": "Import of data", "parts": [ { - "id": "control-1401-stmt", + "id": "control-0658-stmt", "name": "statement", - "prose": "Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are." + "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." } ] }, { - "id": "control-1682", - "title": "Multi-factor authentication", + "id": "control-1187", + "title": "Export of data", "parts": [ { - "id": "control-1682-stmt", + "id": "control-1187-stmt", "name": "statement", - "prose": "Multi-factor authentication is verifier impersonation resistant." + "prose": "When exporting data, protective marking checks are undertaken." } ] }, { - "id": "control-1559", - "title": "Multi-factor authentication", + "id": "control-0669", + "title": "Export of data", "parts": [ { - "id": "control-1559-stmt", + "id": "control-0669-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 6 characters." + "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." } ] }, { - "id": "control-1560", - "title": "Multi-factor authentication", + "id": "control-1535", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1560-stmt", + "id": "control-1535-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 8 characters." 
+ "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." } ] }, { - "id": "control-1561", - "title": "Multi-factor authentication", + "id": "control-0678", + "title": "Preventing export of particularly important data to foreign systems", "parts": [ { - "id": "control-1561-stmt", + "id": "control-0678-stmt", "name": "statement", - "prose": "Passwords used for multi-factor authentication are a minimum of 10 characters." + "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." } ] }, { - "id": "control-1357", - "title": "Multi-factor authentication", + "id": "control-1586", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1357-stmt", + "id": "control-1586-stmt", "name": "statement", - "prose": "When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system." + "prose": "Data transfer logs are used to record all data imports and exports from systems." } ] }, { - "id": "control-1683", - "title": "Multi-factor authentication", + "id": "control-1294", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1683-stmt", + "id": "control-1294-stmt", "name": "statement", - "prose": "Successful and unsuccessful multi-factor authentications are logged." + "prose": "Data transfer logs are partially audited at least monthly." 
} ] }, { - "id": "control-1684", - "title": "Multi-factor authentication", + "id": "control-0660", + "title": "Monitoring data import and export", "parts": [ { - "id": "control-1684-stmt", + "id": "control-0660-stmt", "name": "statement", - "prose": "Multi-factor authentication event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." + "prose": "Data transfer logs are fully audited at least monthly." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_ict_equipment", + "title": "Guidelines for ICT Equipment", + "groups": [ + { + "id": "ict_equipment_sanitisation_and_disposal", + "title": "ICT equipment sanitisation and disposal", + "controls": [ { - "id": "control-0417", - "title": "Single-factor authentication", + "id": "control-0313", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0417-stmt", + "id": "control-0313-stmt", "name": "statement", - "prose": "When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead." + "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-0421", - "title": "Single-factor authentication", + "id": "control-1550", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0421-stmt", + "id": "control-1550-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are 4 random words with a minimum length of 14 characters." + "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." 
} ] }, { - "id": "control-1557", - "title": "Single-factor authentication", + "id": "control-0311", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1557-stmt", + "id": "control-0311-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are 5 random words with a minimum length of 17 characters." + "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." } ] }, { - "id": "control-0422", - "title": "Single-factor authentication", + "id": "control-1217", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-0422-stmt", + "id": "control-1217-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication are 6 random words with a minimum length of 20 characters." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." } ] }, { - "id": "control-1558", - "title": "Single-factor authentication", + "id": "control-0316", + "title": "ICT equipment sanitisation and disposal processes and procedures", "parts": [ { - "id": "control-1558-stmt", + "id": "control-0316-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication:\n• are not constructed from song lyrics, movies, literature or any other publicly available material\n• do not form a real sentence in a natural language\n• are not a list of categorised words." + "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." 
} ] }, { - "id": "control-1596", - "title": "Single-factor authentication", + "id": "control-0315", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1596-stmt", + "id": "control-0315-stmt", "name": "statement", - "prose": "Passphrases used for single-factor authentication can not be used to authenticate to multiple different systems." + "prose": "When disposing of high assurance ICT equipment, it is destroyed prior to its disposal." } ] }, { - "id": "control-1227", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0321", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1227-stmt", + "id": "control-0321-stmt", "name": "statement", - "prose": "Passwords/passphrases set or reset on users’ behalf are randomly generated." + "prose": "When disposing of ICT equipment that has been designed or modified to meet TEMPEST standards, the ACSC is contacted for requirements relating to its secure disposal." } ] }, { - "id": "control-1593", - "title": "Setting and resetting credentials for user accounts", + "id": "control-1218", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1593-stmt", + "id": "control-1218-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO data is sanitised in situ." 
} ] }, { - "id": "control-1594", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0312", + "title": "Sanitisation and disposal of highly sensitive ICT equipment", "parts": [ { - "id": "control-1594-stmt", + "id": "control-0312-stmt", "name": "statement", - "prose": "Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor." + "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO data that cannot be sanitised in situ is returned to Australia for destruction." } ] }, { - "id": "control-1595", - "title": "Setting and resetting credentials for user accounts", + "id": "control-0317", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1595-stmt", + "id": "control-0317-stmt", "name": "statement", - "prose": "Users that do not set their own initial password/passphrase are required to change it on first use." + "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." } ] }, { - "id": "control-1619", - "title": "Setting and resetting credentials for service accounts", + "id": "control-1219", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1619-stmt", + "id": "control-1219-stmt", "name": "statement", - "prose": "Service accounts are created as group Managed Service Accounts." + "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." 
} ] }, { - "id": "control-1403", - "title": "Account lockouts", + "id": "control-1220", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1403-stmt", + "id": "control-1220-stmt", "name": "statement", - "prose": "Accounts are locked out after a maximum of five failed logon attempts." + "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." } ] }, { - "id": "control-0431", - "title": "Account lockouts", + "id": "control-1221", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0431-stmt", + "id": "control-1221-stmt", "name": "statement", - "prose": "Repeated account lockouts are investigated before reauthorising access." + "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] }, { - "id": "control-0976", - "title": "Account unlocks", + "id": "control-0318", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-0976-stmt", + "id": "control-0318-stmt", "name": "statement", - "prose": "Users provide sufficient evidence to verify their identity when requesting an account unlock." + "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." } ] }, { - "id": "control-1603", - "title": "Insecure authentication methods", + "id": "control-1534", + "title": "Sanitisation and disposal of printers and multifunction devices", "parts": [ { - "id": "control-1603-stmt", + "id": "control-1534-stmt", "name": "statement", - "prose": "Authentication methods susceptible to replay attacks are disabled." + "prose": "Printer ribbons in printers and MFDs are removed and destroyed." 
} ] }, { - "id": "control-1055", - "title": "Insecure authentication methods", + "id": "control-1076", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-1055-stmt", + "id": "control-1076-stmt", "name": "statement", - "prose": "LAN Manager and NT LAN Manager authentication methods are disabled." + "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." } ] }, { - "id": "control-1620", - "title": "Insecure authentication methods", + "id": "control-1222", + "title": "Sanitising televisions and computer monitors", "parts": [ { - "id": "control-1620-stmt", + "id": "control-1222-stmt", "name": "statement", - "prose": "Privileged accounts are members of the Protected Users security group." + "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." } ] }, { - "id": "control-1685", - "title": "Protecting credentials", + "id": "control-1223", + "title": "Sanitising network devices", "parts": [ { - "id": "control-1685-stmt", + "id": "control-1223-stmt", "name": "statement", - "prose": "Credentials for local administrator accounts and service accounts are unique, unpredictable and managed." + "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by evaluated product documentation\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." } ] }, { - "id": "control-0418", - "title": "Protecting credentials", + "id": "control-1225", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-0418-stmt", + "id": "control-1225-stmt", "name": "statement", - "prose": "Credentials are stored separately from systems to which they grant access." 
+ "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." } ] }, { - "id": "control-1597", - "title": "Protecting credentials", + "id": "control-1226", + "title": "Sanitising fax machines", "parts": [ { - "id": "control-1597-stmt", + "id": "control-1226-stmt", "name": "statement", - "prose": "Credentials are obscured as they are entered into systems." + "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." } ] - }, + } + ] + }, + { + "id": "ict_equipment_maintenance_and_repairs", + "title": "ICT equipment maintenance and repairs", + "controls": [ { - "id": "control-1402", - "title": "Protecting credentials", + "id": "control-1079", + "title": "Maintenance and repairs of high assurance ICT equipment", "parts": [ { - "id": "control-1402-stmt", + "id": "control-1079-stmt", "name": "statement", - "prose": "Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched." + "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." } ] }, { - "id": "control-1686", - "title": "Protecting credentials", + "id": "control-0305", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-1686-stmt", + "id": "control-0305-stmt", "name": "statement", - "prose": "Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled." + "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." 
} ] }, { - "id": "control-1590", - "title": "Protecting credentials", + "id": "control-0307", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-1590-stmt", + "id": "control-0307-stmt", "name": "statement", - "prose": "Passwords/passphrases are changed if:\n• they are directly compromised\n• they are suspected of being compromised\n• they appear in online data breach databases\n• they are discovered stored in the clear on a network\n• they are discovered being transferred in the clear across a network\n• membership of a shared account changes\n• they have not been changed in the past 12 months." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." } ] }, { - "id": "control-0853", - "title": "Session termination", + "id": "control-0306", + "title": "On-site maintenance and repairs", "parts": [ { - "id": "control-0853-stmt", + "id": "control-0306-stmt", "name": "statement", - "prose": "Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted." + "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that data is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." 
} ] }, { - "id": "control-0428", - "title": "Session and screen locking", + "id": "control-0310", + "title": "Off-site maintenance and repairs", "parts": [ { - "id": "control-0428-stmt", + "id": "control-0310-stmt", "name": "statement", - "prose": "Systems are configured with a session or screen lock that:\n• activates after a maximum of 15 minutes of user inactivity, or if manually activated by the user\n• conceals all session content on the screen\n• ensures that the screen does not enter a power saving state before the session or screen lock is activated\n• requires the user to reauthenticate to unlock the system\n• denies users the ability to disable the session or screen locking mechanism." + "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the handling requirements for the sensitivity or classification of the ICT equipment." } ] }, { - "id": "control-0408", - "title": "Logon banner", + "id": "control-0944", + "title": "Maintenance and repair of ICT equipment from secured spaces", "parts": [ { - "id": "control-0408-stmt", + "id": "control-0944-stmt", "name": "statement", - "prose": "Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted." + "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." } ] }, { - "id": "control-0979", - "title": "Logon banner", + "id": "control-1598", + "title": "Inspection of ICT equipment following maintenance and repairs", "parts": [ { - "id": "control-0979-stmt", + "id": "control-1598-stmt", "name": "statement", - "prose": "Legal advice is sought on the exact wording of logon banners." 
+ "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." } ] } ] }, { - "id": "operating_system_hardening", - "title": "Operating system hardening", + "id": "ict_equipment_usage", + "title": "ICT equipment usage", "controls": [ { - "id": "control-1406", - "title": "Standard Operating Environments", - "parts": [ - { - "id": "control-1406-stmt", - "name": "statement", - "prose": "SOEs are used for workstations and servers." - } - ] - }, - { - "id": "control-1608", - "title": "Standard Operating Environments", + "id": "control-1551", + "title": "ICT equipment management policy", "parts": [ { - "id": "control-1608-stmt", + "id": "control-1551-stmt", "name": "statement", - "prose": "SOEs provided by third parties are scanned for malicious content and configurations before being used." + "prose": "An ICT equipment management policy is developed and implemented." } ] }, { - "id": "control-1588", - "title": "Standard Operating Environments", + "id": "control-0336", + "title": "ICT equipment register", "parts": [ { - "id": "control-1588-stmt", + "id": "control-0336-stmt", "name": "statement", - "prose": "SOEs are reviewed and updated at least annually." + "prose": "An ICT equipment register is maintained and regularly audited." } ] }, { - "id": "control-1407", - "title": "Operating system releases and versions", + "id": "control-0293", + "title": "Classifying ICT equipment", "parts": [ { - "id": "control-1407-stmt", + "id": "control-0293-stmt", "name": "statement", - "prose": "The latest release, or the previous release, of operating systems are used for workstations, servers and network devices." + "prose": "ICT equipment is classified based on the highest sensitivity or classification of data that it is approved for processing, storing or communicating." 
} ] }, { - "id": "control-1408", - "title": "Operating system releases and versions", + "id": "control-0294", + "title": "Labelling ICT equipment", "parts": [ { - "id": "control-1408-stmt", + "id": "control-0294-stmt", "name": "statement", - "prose": "When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used." + "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." } ] }, { - "id": "control-1409", - "title": "Operating system configuration", + "id": "control-0296", + "title": "Labelling high assurance ICT equipment", "parts": [ { - "id": "control-1409-stmt", + "id": "control-0296-stmt", "name": "statement", - "prose": "ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems." + "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." } ] }, { - "id": "control-0383", - "title": "Operating system configuration", + "id": "control-1599", + "title": "Handling ICT equipment", "parts": [ { - "id": "control-0383-stmt", + "id": "control-1599-stmt", "name": "statement", - "prose": "Default operating system accounts are disabled, renamed or have their passphrase changed." + "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_security_documentation", + "title": "Guidelines for Security Documentation", + "groups": [ + { + "id": "development_and_maintenance_of_security_documentation", + "title": "Development and maintenance of security documentation", + "controls": [ { - "id": "control-0380", - "title": "Operating system configuration", + "id": "control-0039", + "title": "Cyber security strategy", "parts": [ { - "id": "control-0380-stmt", + "id": "control-0039-stmt", "name": "statement", - "prose": "Unneeded operating system accounts, software, components, services and functionality are disabled or removed." + "prose": "A cyber security strategy is developed and implemented for the organisation." } ] }, { - "id": "control-1654", - "title": "Operating system configuration", + "id": "control-0047", + "title": "Approval of security documentation", "parts": [ { - "id": "control-1654-stmt", + "id": "control-0047-stmt", "name": "statement", - "prose": "Internet Explorer 11 is disabled or removed." + "prose": "Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer." } ] }, { - "id": "control-1655", - "title": "Operating system configuration", + "id": "control-0888", + "title": "Maintenance of security documentation", "parts": [ { - "id": "control-1655-stmt", + "id": "control-0888-stmt", "name": "statement", - "prose": ".NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed." + "prose": "Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement." 
} ] }, { - "id": "control-1584", - "title": "Operating system configuration", + "id": "control-1602", + "title": "Communication of security documentation", "parts": [ { - "id": "control-1584-stmt", + "id": "control-1602-stmt", "name": "statement", - "prose": "Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems." + "prose": "Security documentation, including notification of subsequent changes, is communicated to all stakeholders." } ] - }, + } + ] + }, + { + "id": "system-specific_security_documentation", + "title": "System-specific security documentation", + "controls": [ { - "id": "control-1491", - "title": "Operating system configuration", + "id": "control-0041", + "title": "System security plan", "parts": [ { - "id": "control-1491-stmt", + "id": "control-0041-stmt", "name": "statement", - "prose": "Unprivileged users are prevented from running script execution engines in Microsoft Windows, including:\n• Windows Script Host (cscript.exe and wscript.exe)\n• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)\n• Command Prompt (cmd.exe)\n• Windows Management Instrumentation (wmic.exe)\n• Microsoft HTML Application Host (mshta.exe)." + "prose": "Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system." } ] }, { - "id": "control-1410", - "title": "Local administrator accounts", + "id": "control-0043", + "title": "Incident response plan", "parts": [ { - "id": "control-1410-stmt", + "id": "control-0043-stmt", "name": "statement", - "prose": "Local administrator accounts are disabled; alternatively, passphrases that are random and unique for each device’s local administrator account are used." 
+ "prose": "Systems have an incident response plan that covers the following:\n• guidelines on what constitutes a cyber security incident\n• the types of incidents likely to be encountered and the expected response to each type\n• how to report cyber security incidents, internally to the organisation and externally to the Australian Cyber Security Centre (ACSC)\n• other parties which need to be informed in the event of a cyber security incident\n• the authority, or authorities, responsible for investigating and responding to cyber security incidents\n• the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the ACSC or other relevant authority\n• the steps necessary to ensure the integrity of evidence relating to a cyber security incident\n• system contingency measures or a reference to such details if they are located in a separate document." } ] }, { - "id": "control-1469", - "title": "Local administrator accounts", + "id": "control-1163", + "title": "Continuous monitoring plan", "parts": [ { - "id": "control-1469-stmt", + "id": "control-1163-stmt", "name": "statement", - "prose": "Unique domain accounts with local administrative privileges, but without domain administrative privileges, are used for workstation and server management." + "prose": "Systems have a continuous monitoring plan that includes:\n• conducting vulnerability scans for systems at least monthly\n• conducting vulnerability assessments or penetration tests for systems at least annually\n• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls\n• using a risk-based approach to prioritise the implementation of identified mitigations." 
} ] }, { - "id": "control-1592", - "title": "Application management", + "id": "control-1563", + "title": "Security assessment report", "parts": [ { - "id": "control-1592-stmt", + "id": "control-1563-stmt", "name": "statement", - "prose": "Users do not have the ability to install unapproved software." + "prose": "At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:\n• the scope of the security assessment\n• the system’s strengths and weaknesses\n• security risks associated with the operation of the system\n• the effectiveness of the implementation of security controls\n• any recommended remediation actions." } ] }, { - "id": "control-0382", - "title": "Application management", + "id": "control-1564", + "title": "Plan of action and milestones", "parts": [ { - "id": "control-0382-stmt", + "id": "control-1564-stmt", "name": "statement", - "prose": "Users do not have the ability to uninstall or disable approved software." + "prose": "At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_media", + "title": "Guidelines for Media", + "groups": [ + { + "id": "media_destruction", + "title": "Media destruction", + "controls": [ { - "id": "control-0843", - "title": "Application control", + "id": "control-0363", + "title": "Media destruction process and procedures", "parts": [ { - "id": "control-0843-stmt", + "id": "control-0363-stmt", "name": "statement", - "prose": "Application control is implemented on workstations." + "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." 
} ] }, { - "id": "control-1490", - "title": "Application control", + "id": "control-0350", + "title": "Media that cannot be sanitised", "parts": [ { - "id": "control-1490-stmt", + "id": "control-0350-stmt", "name": "statement", - "prose": "Application control is implemented on internet-facing servers." + "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." } ] }, { - "id": "control-1656", - "title": "Application control", + "id": "control-1361", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1656-stmt", + "id": "control-1361-stmt", "name": "statement", - "prose": "Application control is implemented on non-internet-facing servers." + "prose": "SCEC or ASIO approved equipment is used when destroying media." } ] }, { - "id": "control-1657", - "title": "Application control", + "id": "control-1160", + "title": "Media destruction equipment", "parts": [ { - "id": "control-1657-stmt", + "id": "control-1160-stmt", "name": "statement", - "prose": "Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set." + "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." } ] }, { - "id": "control-1658", - "title": "Application control", + "id": "control-1517", + "title": "Media destruction methods", "parts": [ { - "id": "control-1658-stmt", + "id": "control-1517-stmt", "name": "statement", - "prose": "Application control restricts the execution of drivers to an organisation-approved set." 
+ "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." } ] }, { - "id": "control-0955", - "title": "Application control", + "id": "control-0366", + "title": "Media destruction methods", "parts": [ { - "id": "control-0955-stmt", + "id": "control-0366-stmt", "name": "statement", - "prose": "Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules." + "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." } ] }, { - "id": "control-1582", - "title": "Application control", + "id": "control-0368", + "title": "Treatment of media waste particles", "parts": [ { - "id": "control-1582-stmt", + "id": "control-0368-stmt", "name": "statement", - "prose": "Application control rulesets are validated on an annual or more frequent basis." + "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." } ] }, { - "id": "control-1471", - "title": "Application control", + "id": "control-0361", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1471-stmt", + "id": "control-0361-stmt", "name": "statement", - "prose": "When implementing application control using publisher certificate rules, both publisher names and product names are used." + "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." 
} ] }, { - "id": "control-1392", - "title": "Application control", + "id": "control-0838", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1392-stmt", + "id": "control-0838-stmt", "name": "statement", - "prose": "When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute." + "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." } ] }, { - "id": "control-1544", - "title": "Application control", + "id": "control-0362", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1544-stmt", + "id": "control-0362-stmt", "name": "statement", - "prose": "Microsoft’s ‘recommended block rules’ are implemented." + "prose": "Any product-specific directions provided by degausser manufacturers are followed." } ] }, { - "id": "control-1659", - "title": "Application control", + "id": "control-1641", + "title": "Degaussing magnetic media", "parts": [ { - "id": "control-1659-stmt", + "id": "control-1641-stmt", "name": "statement", - "prose": "Microsoft’s ‘recommended driver block rules’ are implemented." + "prose": "Following destruction of magnetic media using a degausser, the magnetic media is physically damaged by deforming the internal platters by any means prior to disposal." } ] }, { - "id": "control-0846", - "title": "Application control", + "id": "control-0370", + "title": "Supervision of destruction", "parts": [ { - "id": "control-0846-stmt", + "id": "control-0370-stmt", "name": "statement", - "prose": "All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control." 
+ "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1660", - "title": "Application control", + "id": "control-0371", + "title": "Supervision of destruction", "parts": [ { - "id": "control-1660-stmt", + "id": "control-0371-stmt", "name": "statement", - "prose": "Allowed and blocked executions on workstations are logged." + "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." } ] }, { - "id": "control-1661", - "title": "Application control", + "id": "control-0372", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1661-stmt", + "id": "control-0372-stmt", "name": "statement", - "prose": "Allowed and blocked executions on internet-facing servers are logged." + "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." } ] }, { - "id": "control-1662", - "title": "Application control", + "id": "control-0373", + "title": "Supervision of accountable material destruction", "parts": [ { - "id": "control-1662-stmt", + "id": "control-0373-stmt", "name": "statement", - "prose": "Allowed and blocked executions on non-internet facing servers are logged." + "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." 
} ] }, { - "id": "control-0957", - "title": "Application control", + "id": "control-0840", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-0957-stmt", + "id": "control-0840-stmt", "name": "statement", - "prose": "Application control event logs including the name of the file, the date/time stamp and the username of the user associated with the event." + "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." } ] }, { - "id": "control-1663", - "title": "Application control", + "id": "control-0839", + "title": "Outsourcing media destruction", "parts": [ { - "id": "control-1663-stmt", + "id": "control-0839-stmt", "name": "statement", - "prose": "Application control event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." + "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." } ] - }, + } + ] + }, + { + "id": "media_disposal", + "title": "Media disposal", + "controls": [ { - "id": "control-1492", - "title": "Exploit protection", + "id": "control-0374", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1492-stmt", + "id": "control-0374-stmt", "name": "statement", - "prose": "Microsoft’s exploit protection functionality is implemented on workstations and servers." + "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." } ] }, { - "id": "control-1621", - "title": "PowerShell", + "id": "control-0375", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1621-stmt", + "id": "control-0375-stmt", "name": "statement", - "prose": "Windows PowerShell 2.0 is disabled or removed." 
+ "prose": "Following sanitisation, destruction or declassification, a formal administrative decision (in consultation with data owners) is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." } ] }, { - "id": "control-1622", - "title": "PowerShell", + "id": "control-0378", + "title": "Media disposal process and procedures", "parts": [ { - "id": "control-1622-stmt", + "id": "control-0378-stmt", "name": "statement", - "prose": "PowerShell is configured to use Constrained Language Mode." + "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." } ] - }, + } + ] + }, + { + "id": "media_usage", + "title": "Media usage", + "controls": [ { - "id": "control-1623", - "title": "PowerShell", + "id": "control-1549", + "title": "Media management policy", "parts": [ { - "id": "control-1623-stmt", + "id": "control-1549-stmt", "name": "statement", - "prose": "PowerShell is configured to use module logging, script block logging and transcription functionality." + "prose": "A media management policy is developed and implemented." } ] }, { - "id": "control-1624", - "title": "PowerShell", + "id": "control-1359", + "title": "Removable media usage policy", "parts": [ { - "id": "control-1624-stmt", + "id": "control-1359-stmt", "name": "statement", - "prose": "PowerShell script block logs are protected by Protected Event Logging functionality." + "prose": "A removable media usage policy is developed and implemented." } ] }, { - "id": "control-1664", - "title": "PowerShell", + "id": "control-1713", + "title": "Removable media register", "parts": [ { - "id": "control-1664-stmt", + "id": "control-1713-stmt", "name": "statement", - "prose": "Blocked PowerShell script executions are logged." + "prose": "A removable media register is maintained and regularly audited." 
} ] }, { - "id": "control-1665", - "title": "PowerShell", + "id": "control-0323", + "title": "Classifying media", "parts": [ { - "id": "control-1665-stmt", + "id": "control-0323-stmt", "name": "statement", - "prose": "PowerShell event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." + "prose": "Media is classified to the highest sensitivity or classification of data stored on the media, unless the media has been classified to a higher sensitivity or classification." } ] }, { - "id": "control-1341", - "title": "Host-based Intrusion Prevention System", + "id": "control-0325", + "title": "Reclassifying media", "parts": [ { - "id": "control-1341-stmt", + "id": "control-0325-stmt", "name": "statement", - "prose": "A HIPS is implemented on workstations." + "prose": "Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-1034", - "title": "Host-based Intrusion Prevention System", + "id": "control-0330", + "title": "Reclassifying media", "parts": [ { - "id": "control-1034-stmt", + "id": "control-0330-stmt", "name": "statement", - "prose": "A HIPS is implemented on high value servers such as authentication servers, Domain Name System (DNS) servers, web servers, file servers and email servers." + "prose": "In order to reclassify media to a lower sensitivity or classification, the media is sanitised (unless the media is read-only) and a formal administrative decision (in consultation with data owners) is made to reclassify the media." 
} ] }, { - "id": "control-1416", - "title": "Software firewall", + "id": "control-0831", + "title": "Handling media", "parts": [ { - "id": "control-1416-stmt", + "id": "control-0831-stmt", "name": "statement", - "prose": "A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections." + "prose": "Media is handled in a manner suitable for its sensitivity or classification." } ] }, { - "id": "control-1417", - "title": "Antivirus software", + "id": "control-1059", + "title": "Handling media", "parts": [ { - "id": "control-1417-stmt", + "id": "control-1059-stmt", "name": "statement", - "prose": "Antivirus software is implemented on workstations and servers and configured with:\n• signature-based detection enabled and set to a high level\n• heuristic-based detection enabled and set to a high level\n• ransomware protection measures enabled\n• detection signatures checked for currency and updated on at least a daily basis\n• automatic and regular scanning configured for all fixed disks and removable media." + "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1390", - "title": "Antivirus software", + "id": "control-0332", + "title": "Labelling media", "parts": [ { - "id": "control-1390-stmt", + "id": "control-0332-stmt", "name": "statement", - "prose": "Antivirus software has reputation rating functionality enabled." + "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
} ] }, { - "id": "control-1418", - "title": "Device access control software", + "id": "control-1600", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1418-stmt", + "id": "control-1600-stmt", "name": "statement", - "prose": "Device access control software is implemented on workstations and servers to prevent unauthorised devices from being connected." + "prose": "Media is sanitised before it is used for the first time." } ] }, { - "id": "control-0345", - "title": "Device access control software", + "id": "control-1642", + "title": "Connecting media to systems", "parts": [ { - "id": "control-0345-stmt", + "id": "control-1642-stmt", "name": "statement", - "prose": "External interfaces of workstations and servers that allow DMA are disabled." + "prose": "Media is sanitised before it is reused in a different security domain." } ] - } - ] - }, - { - "id": "application_hardening", - "title": "Application hardening", - "controls": [ + }, { - "id": "control-0938", - "title": "Application selection", + "id": "control-0337", + "title": "Connecting media to systems", "parts": [ { - "id": "control-0938-stmt", + "id": "control-0337-stmt", "name": "statement", - "prose": "Applications are chosen from vendors that have made a commitment to secure development and maintenance practices." + "prose": "Media is only used with systems that are authorised to process, store or communicate the sensitivity or classification of the media." } ] }, { - "id": "control-1467", - "title": "Application versions", + "id": "control-0341", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1467-stmt", + "id": "control-0341-stmt", "name": "statement", - "prose": "The latest releases of office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are used when present within SOEs." + "prose": "Any automatic execution features for media are disabled in the operating system of systems." 
} ] }, { - "id": "control-1483", - "title": "Application versions", + "id": "control-0342", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1483-stmt", + "id": "control-0342-stmt", "name": "statement", - "prose": "The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs." + "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports or by physical means." } ] }, { - "id": "control-1486", - "title": "Hardening application configurations", + "id": "control-0343", + "title": "Connecting media to systems", "parts": [ { - "id": "control-1486-stmt", + "id": "control-0343-stmt", "name": "statement", - "prose": "Web browsers do not process Java from the internet." + "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." } ] }, { - "id": "control-1485", - "title": "Hardening application configurations", + "id": "control-0347", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1485-stmt", + "id": "control-0347-stmt", "name": "statement", - "prose": "Web browsers do not process web advertisements from the internet." + "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured." } ] }, { - "id": "control-1666", - "title": "Hardening application configurations", + "id": "control-0947", + "title": "Using media for data transfers", "parts": [ { - "id": "control-1666-stmt", + "id": "control-0947-stmt", "name": "statement", - "prose": "Internet Explorer 11 does not process content from the internet." 
+ "prose": "When transferring data manually between two systems belonging to different security domains, rewritable media is sanitised after each data transfer." } ] - }, + } + ] + }, + { + "id": "media_sanitisation", + "title": "Media sanitisation", + "controls": [ { - "id": "control-1667", - "title": "Hardening application configurations", + "id": "control-0348", + "title": "Media sanitisation process and procedures", "parts": [ { - "id": "control-1667-stmt", + "id": "control-0348-stmt", "name": "statement", - "prose": "Microsoft Office is blocked from creating child processes." + "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." } ] }, { - "id": "control-1668", - "title": "Hardening application configurations", + "id": "control-0351", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1668-stmt", + "id": "control-0351-stmt", "name": "statement", - "prose": "Microsoft Office is blocked from creating executable content." + "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1669", - "title": "Hardening application configurations", + "id": "control-0352", + "title": "Volatile media sanitisation", "parts": [ { - "id": "control-1669-stmt", + "id": "control-0352-stmt", "name": "statement", - "prose": "Microsoft Office is blocked from injecting code into other processes." + "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." 
} ] }, { - "id": "control-1542", - "title": "Hardening application configurations", + "id": "control-0835", + "title": "Treatment of volatile media following sanitisation", "parts": [ { - "id": "control-1542-stmt", + "id": "control-0835-stmt", "name": "statement", - "prose": "Microsoft Office is configured to prevent activation of Object Linking and Embedding packages." + "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." } ] }, { - "id": "control-1670", - "title": "Hardening application configurations", + "id": "control-1065", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1670-stmt", + "id": "control-1065-stmt", "name": "statement", - "prose": "PDF software is blocked from creating child processes." + "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." } ] }, { - "id": "control-1412", - "title": "Hardening application configurations", + "id": "control-0354", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1412-stmt", + "id": "control-0354-stmt", "name": "statement", - "prose": "ACSC or vendor hardening guidance for web browsers, Microsoft Office and PDF software is implemented." + "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1470", - "title": "Hardening application configurations", + "id": "control-1067", + "title": "Non-volatile magnetic media sanitisation", "parts": [ { - "id": "control-1470-stmt", + "id": "control-1067-stmt", "name": "statement", - "prose": "Any unrequired functionality in web browsers, Microsoft Office and PDF software is disabled." + "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." } ] }, { - "id": "control-1235", - "title": "Hardening application configurations", + "id": "control-0356", + "title": "Treatment of non-volatile magnetic media following sanitisation", "parts": [ { - "id": "control-1235-stmt", + "id": "control-0356-stmt", "name": "statement", - "prose": "The use of web browser, Microsoft Office and PDF software add-ons is restricted to organisation approved add-ons." + "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." } ] }, { - "id": "control-1601", - "title": "Hardening application configurations", + "id": "control-0357", + "title": "Non-volatile erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1601-stmt", + "id": "control-0357-stmt", "name": "statement", - "prose": "If supported, Microsoft’s Attack Surface Reduction rules are implemented." + "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." 
} ] }, { - "id": "control-1585", - "title": "Hardening application configurations", + "id": "control-0836", + "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", "parts": [ { - "id": "control-1585-stmt", + "id": "control-0836-stmt", "name": "statement", - "prose": "Web browsers, Microsoft Office and PDF software security settings cannot be changed by users." + "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1671", - "title": "Microsoft Office macros", + "id": "control-0358", + "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", "parts": [ { - "id": "control-1671-stmt", + "id": "control-0358-stmt", "name": "statement", - "prose": "Microsoft Office macros are disabled for users that do not have a demonstrated business requirement." + "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." } ] }, { - "id": "control-1488", - "title": "Microsoft Office macros", + "id": "control-0359", + "title": "Non-volatile flash memory media sanitisation", "parts": [ { - "id": "control-1488-stmt", + "id": "control-0359-stmt", "name": "statement", - "prose": "Microsoft Office macros in files originating from the internet are blocked." + "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." } ] }, { - "id": "control-1672", - "title": "Microsoft Office macros", + "id": "control-0360", + "title": "Treatment of non-volatile flash memory media following sanitisation", "parts": [ { - "id": "control-1672-stmt", + "id": "control-0360-stmt", "name": "statement", - "prose": "Microsoft Office macro antivirus scanning is enabled." 
+ "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." } ] }, { - "id": "control-1673", - "title": "Microsoft Office macros", + "id": "control-1464", + "title": "Encrypted media sanitisation", "parts": [ { - "id": "control-1673-stmt", + "id": "control-1464-stmt", "name": "statement", - "prose": "Microsoft Office macros are blocked from making Win32 API calls." + "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_cryptography", + "title": "Guidelines for Cryptography", + "groups": [ + { + "id": "secure_shell", + "title": "Secure Shell", + "controls": [ { - "id": "control-1674", - "title": "Microsoft Office macros", + "id": "control-1506", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-1674-stmt", + "id": "control-1506-stmt", "name": "statement", - "prose": "Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute." + "prose": "The use of SSH version 1 is disabled." } ] }, { - "id": "control-1487", - "title": "Microsoft Office macros", + "id": "control-0484", + "title": "Configuring Secure Shell", "parts": [ { - "id": "control-1487-stmt", + "id": "control-0484-stmt", "name": "statement", - "prose": "Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations." + "prose": "The configuration settings in the following table are implemented for the SSH daemon (see source document for referenced table)." 
} ] }, { - "id": "control-1675", - "title": "Microsoft Office macros", + "id": "control-0485", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1675-stmt", + "id": "control-0485-stmt", "name": "statement", - "prose": "Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View." + "prose": "Public key-based authentication is used for SSH connections." } ] }, { - "id": "control-1676", - "title": "Microsoft Office macros", + "id": "control-1449", + "title": "Authentication mechanisms", "parts": [ { - "id": "control-1676-stmt", + "id": "control-1449-stmt", "name": "statement", - "prose": "Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis." + "prose": "SSH private keys are protected with a passphrase or a key encryption key." } ] }, { - "id": "control-1489", - "title": "Microsoft Office macros", + "id": "control-0487", + "title": "Automated remote access", "parts": [ { - "id": "control-1489-stmt", + "id": "control-0487-stmt", "name": "statement", - "prose": "Microsoft Office macro security settings cannot be changed by users." + "prose": "When using logins without a passphrase for automated purposes, the following are disabled:\n• access from IP addresses that do not require access\n• port forwarding\n• agent credential forwarding\n• X11 display remoting\n• console access." } ] }, { - "id": "control-1677", - "title": "Microsoft Office macros", + "id": "control-0488", + "title": "Automated remote access", "parts": [ { - "id": "control-1677-stmt", + "id": "control-0488-stmt", "name": "statement", - "prose": "Allowed and blocked Microsoft Office macro executions are logged." + "prose": "If using remote access without the use of a passphrase, the ‘forced command’ option is used to specify what command is executed and parameter checked is enabled." 
} ] }, { - "id": "control-1678", - "title": "Microsoft Office macros", + "id": "control-0489", + "title": "SSH-agent", "parts": [ { - "id": "control-1678-stmt", + "id": "control-0489-stmt", "name": "statement", - "prose": "Microsoft Office macro event logs are logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." + "prose": "When SSH-agent or other similar key caching programs are used, it is only on workstations and servers with screen locks, key caches are set to expire within four hours of inactivity, and agent credential forwarding is enabled only when SSH traversal is required." } ] } ] }, { - "id": "virtualisation_hardening", - "title": "Virtualisation hardening", + "id": "asd_approved_cryptographic_algorithms", + "title": "ASD Approved Cryptographic Algorithms", "controls": [ { - "id": "control-1460", - "title": "Functional separation between computing environments", + "id": "control-0471", + "title": "Using ASD Approved Cryptographic Algorithms", "parts": [ { - "id": "control-1460-stmt", + "id": "control-0471-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner." + "prose": "Only AACAs are used by cryptographic equipment and software." 
} ] }, { - "id": "control-1604", - "title": "Functional separation between computing environments", + "id": "control-0994", + "title": "Approved asymmetric/public key algorithms", "parts": [ { - "id": "control-1604-stmt", + "id": "control-0994-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism." + "prose": "ECDH and ECDSA are used in preference to DH and DSA." } ] }, { - "id": "control-1605", - "title": "Functional separation between computing environments", + "id": "control-0472", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-1605-stmt", + "id": "control-0472-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating system running on the server is hardened." + "prose": "When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used." } ] }, { - "id": "control-1606", - "title": "Functional separation between computing environments", + "id": "control-1629", + "title": "Using Diffie-Hellman", "parts": [ { - "id": "control-1606-stmt", + "id": "control-1629-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner." + "prose": "When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3." 
} ] }, { - "id": "control-1607", - "title": "Functional separation between computing environments", + "id": "control-0473", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-1607-stmt", + "id": "control-0473-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner." + "prose": "When using DSA for digital signatures, a modulus of at least 2048 bits is used." } ] }, { - "id": "control-1461", - "title": "Functional separation between computing environments", + "id": "control-1630", + "title": "Using the Digital Signature Algorithm", "parts": [ { - "id": "control-1461-stmt", + "id": "control-1630-stmt", "name": "statement", - "prose": "When using a software-based isolation mechanism to share a physical server’s hardware, the physical server and all computing environments running on the physical server are of the same classification and within the same security domain." + "prose": "When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_system_monitoring", - "title": "Guidelines for System Monitoring", - "groups": [ - { - "id": "event_logging_and_auditing", - "title": "Event logging and auditing", - "controls": [ + }, { - "id": "control-0580", - "title": "Event logging policy", + "id": "control-1446", + "title": "Using Elliptic Curve Cryptography", "parts": [ { - "id": "control-0580-stmt", + "id": "control-1446-stmt", "name": "statement", - "prose": "An event logging policy is developed and implemented." + "prose": "When using elliptic curve cryptography, a curve from FIPS 186-4 is used." 
} ] }, { - "id": "control-1405", - "title": "Centralised logging facility", + "id": "control-0474", + "title": "Using Elliptic Curve Diffie-Hellman", "parts": [ { - "id": "control-1405-stmt", + "id": "control-0474-stmt", "name": "statement", - "prose": "A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs." + "prose": "When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used." } ] }, { - "id": "control-0988", - "title": "Centralised logging facility", + "id": "control-0475", + "title": "Using the Elliptic Curve Digital Signature Algorithm", "parts": [ { - "id": "control-0988-stmt", + "id": "control-0475-stmt", "name": "statement", - "prose": "An accurate time source is established and used consistently across systems and network devices to assist with the correlation of events." + "prose": "When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used." } ] }, { - "id": "control-0584", - "title": "Events to be logged", + "id": "control-0476", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0584-stmt", + "id": "control-0476-stmt", "name": "statement", - "prose": "For any system requiring authentication, logon, failed logon and logoff events are logged." + "prose": "When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used." 
} ] }, { - "id": "control-0582", - "title": "Events to be logged", + "id": "control-0477", + "title": "Using Rivest-Shamir-Adleman", "parts": [ { - "id": "control-0582-stmt", + "id": "control-0477-stmt", "name": "statement", - "prose": "The following events are logged for operating systems:\n• access to important data and processes\n• application crashes and any error messages\n• attempts to use special privileges\n• changes to accounts\n• changes to security policy\n• changes to system configurations\n• Domain Name System (DNS) and Hypertext Transfer Protocol requests\n• failed attempts to access data and system resources\n• service failures and restarts\n• system startup and shutdown\n• transfer of data to and from external media\n• user or group management\n• use of special privileges." + "prose": "When using RSA for digital signatures, and for passing encryption session keys or similar keys, a key pair for passing encrypted session keys that is different from the key pair used for digital signatures is used." } ] }, { - "id": "control-1536", - "title": "Events to be logged", + "id": "control-0479", + "title": "Approved symmetric encryption algorithms", "parts": [ { - "id": "control-1536-stmt", + "id": "control-0479-stmt", "name": "statement", - "prose": "The following events are logged for web applications:\n• attempted access that is denied\n• crashes and any error messages\n• search queries initiated by users." + "prose": "Symmetric cryptographic algorithms are not used in Electronic Codebook Mode." 
} ] }, { - "id": "control-1537", - "title": "Events to be logged", + "id": "control-0480", + "title": "Using the Triple Data Encryption Standard", "parts": [ { - "id": "control-1537-stmt", + "id": "control-0480-stmt", "name": "statement", - "prose": "The following events are logged for databases:\n• access to particularly important data\n• addition of new users, especially privileged users\n• any query containing comments\n• any query containing multiple embedded queries\n• any query or database alerts or failures\n• attempts to elevate privileges\n• attempted access that is successful or unsuccessful\n• changes to the database structure\n• changes to user roles or database permissions\n• database administrator actions\n• database logons and logoffs\n• modifications to data\n• use of executable commands." + "prose": "3DES is used with three distinct keys." + } + ] + }, + { + "id": "control-1232", + "title": "Protecting highly classified data", + "parts": [ + { + "id": "control-1232-stmt", + "name": "statement", + "prose": "AACAs are used in an evaluated implementation." } ] }, { - "id": "control-0585", - "title": "Event log details", + "id": "control-1468", + "title": "Protecting highly classified data", + "parts": [ + { + "id": "control-1468-stmt", + "name": "statement", + "prose": "Preference is given to using the CNSA Suite algorithms and key sizes." + } + ] + } + ] + }, + { + "id": "secure-multipurpose_internet_mail_extension", + "title": "Secure/Multipurpose Internet Mail Extension", + "controls": [ + { + "id": "control-0490", + "title": "Using Secure/Multipurpose Internet Mail Extension", "parts": [ { - "id": "control-0585-stmt", + "id": "control-0490-stmt", "name": "statement", - "prose": "For each event logged, the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded." + "prose": "Versions of S/MIME earlier than 3.0 are not used." 
} ] - }, + } + ] + }, + { + "id": "transport_layer_security", + "title": "Transport Layer Security", + "controls": [ { - "id": "control-0586", - "title": "Event log protection", + "id": "control-1139", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0586-stmt", + "id": "control-1139-stmt", "name": "statement", - "prose": "Event logs are protected from unauthorised access, modification and deletion." + "prose": "Only the latest version of TLS is used." } ] }, { - "id": "control-0859", - "title": "Event log retention", + "id": "control-1369", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0859-stmt", + "id": "control-1369-stmt", "name": "statement", - "prose": "Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia’s Administrative Functions Disposal Authority Express Version 2 publication." + "prose": "AES in Galois Counter Mode is used for symmetric encryption." } ] }, { - "id": "control-0991", - "title": "Event log retention", + "id": "control-1370", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0991-stmt", + "id": "control-1370-stmt", "name": "statement", - "prose": "DNS and proxy logs are retained for at least 18 months." + "prose": "Only server-initiated secure renegotiation is used." } ] }, { - "id": "control-0109", - "title": "Event log auditing process and procedures", + "id": "control-1372", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0109-stmt", + "id": "control-1372-stmt", "name": "statement", - "prose": "An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements." + "prose": "DH or ECDH is used for key establishment." 
} ] }, { - "id": "control-1228", - "title": "Event log auditing process and procedures", + "id": "control-1448", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1228-stmt", + "id": "control-1448-stmt", "name": "statement", - "prose": "Events are correlated across event logs to prioritise audits and focus investigations." + "prose": "When using DH or ECDH for key establishment, the ephemeral variant is used." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_incidents", - "title": "Guidelines for Cyber Security Incidents", - "groups": [ - { - "id": "reporting_cyber_security_incidents", - "title": "Reporting cyber security incidents", - "controls": [ + }, { - "id": "control-0123", - "title": "Reporting cyber security incidents", + "id": "control-1373", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0123-stmt", + "id": "control-1373-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "Anonymous DH is not used." } ] }, { - "id": "control-0141", - "title": "Reporting cyber security incidents", + "id": "control-1374", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-0141-stmt", + "id": "control-1374-stmt", "name": "statement", - "prose": "Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered." + "prose": "SHA-2-based certificates are used." } ] }, { - "id": "control-1433", - "title": "Reporting cyber security incidents", + "id": "control-1375", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1433-stmt", + "id": "control-1375-stmt", "name": "statement", - "prose": "Organisations and service providers maintain 24x7 contact details for each other in order to report cyber security incidents." 
+ "prose": "Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function." } ] }, { - "id": "control-1434", - "title": "Reporting cyber security incidents", + "id": "control-1553", + "title": "Using Transport Layer Security", "parts": [ { - "id": "control-1434-stmt", + "id": "control-1553-stmt", "name": "statement", - "prose": "Organisations and service providers provide each other with additional out-of-band contact details for use when normal communication channels fail." + "prose": "TLS compression is disabled." } ] }, { - "id": "control-0140", - "title": "Reporting cyber security incidents to the ACSC", + "id": "control-1453", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-0140-stmt", + "id": "control-1453-stmt", "name": "statement", - "prose": "Cyber security incidents are reported to the ACSC." + "prose": "PFS is used for TLS connections." } ] } ] }, { - "id": "managing_cyber_security_incidents", - "title": "Managing cyber security incidents", + "id": "cryptographic_system_management", + "title": "Cryptographic system management", "controls": [ { - "id": "control-0125", - "title": "Cyber security incident register", - "parts": [ - { - "id": "control-0125-stmt", - "name": "statement", - "prose": "A cyber security incident register is maintained that covers the following:\n• the date the cyber security incident occurred\n• the date the cyber security incident was discovered\n• a description of the cyber security incident\n• any actions taken in response to the cyber security incident\n• to whom the cyber security incident was reported." 
- } - ] - }, - { - "id": "control-0133", - "title": "Handling and containing data spills", + "id": "control-0501", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0133-stmt", + "id": "control-0501-stmt", "name": "statement", - "prose": "When a data spill occurs, data owners are advised and access to the data is restricted." + "prose": "Keyed CGCE is transported based on the sensitivity or classification of the keying material in it." } ] }, { - "id": "control-0917", - "title": "Handling and containing malicious code infections", + "id": "control-0142", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0917-stmt", + "id": "control-0142-stmt", "name": "statement", - "prose": "When malicious code is detected, the following steps are taken to handle the infection:\n• the infected systems are isolated\n• all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary\n• antivirus software is used to remove the infection from infected systems and media\n• if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt." + "prose": "The compromise or suspected compromise of CGCE or associated keying material is reported to an organisation’s Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs." } ] }, { - "id": "control-0137", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-1091", + "title": "Commercial grade cryptographic equipment", "parts": [ { - "id": "control-0137-stmt", + "id": "control-1091-stmt", "name": "statement", - "prose": "Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further data or evidence." + "prose": "Keying material is changed when compromised or suspected of being compromised." 
} ] }, { - "id": "control-1609", - "title": "Allowing targeted cyber intrusions to continue", + "id": "control-0499", + "title": "High Assurance Cryptographic Equipment", "parts": [ { - "id": "control-1609-stmt", + "id": "control-0499-stmt", "name": "statement", - "prose": "System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further data or evidence." + "prose": "All communications security and equipment-specific doctrine produced by the ACSC for the management and use of HACE is complied with." } ] }, { - "id": "control-1213", - "title": "Post-incident analysis", + "id": "control-0505", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-1213-stmt", + "id": "control-0505-stmt", "name": "statement", - "prose": "Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion." + "prose": "Cryptographic equipment is stored in a room that meets the requirements for a server room based on the sensitivity or classification of the data the cryptographic equipment processes." } ] }, { - "id": "control-0138", - "title": "Integrity of evidence", + "id": "control-0506", + "title": "Storing cryptographic equipment", "parts": [ { - "id": "control-0138-stmt", + "id": "control-0506-stmt", "name": "statement", - "prose": "The integrity of evidence gathered during an investigation is maintained by investigators:\n• recording all of their actions\n• creating checksums for all evidence\n• copying evidence onto media for archiving\n• maintaining a proper chain of custody." + "prose": "Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area." 
} ] } ] }, { - "id": "detecting_cyber_security_incidents", - "title": "Detecting cyber security incidents", + "id": "cryptographic_fundamentals", + "title": "Cryptographic fundamentals", "controls": [ { - "id": "control-0576", - "title": "Intrusion detection and prevention policy", + "id": "control-1161", + "title": "Reducing handling requirements", "parts": [ { - "id": "control-0576-stmt", + "id": "control-1161-stmt", "name": "statement", - "prose": "An intrusion detection and prevention policy is developed and implemented." + "prose": "Encryption software that implements an ASD Approved Cryptographic Algorithm (AACA) is used if an organisation wishes to reduce the handling requirements for ICT equipment or media that contains sensitive data." } ] }, { - "id": "control-1625", - "title": "Trusted insider program", + "id": "control-0457", + "title": "Reducing handling requirements", "parts": [ { - "id": "control-1625-stmt", + "id": "control-0457-stmt", "name": "statement", - "prose": "A trusted insider program is developed and implemented." + "prose": "Encryption software that has completed an ACE is used if an organisation wishes to reduce the handling requirements for ICT equipment or media that contains classified data." } ] }, { - "id": "control-1626", - "title": "Trusted insider program", + "id": "control-0460", + "title": "Reducing handling requirements", "parts": [ { - "id": "control-1626-stmt", + "id": "control-0460-stmt", "name": "statement", - "prose": "Legal advice is sought regarding the development and implementation of a trusted insider program." + "prose": "HACE is used if an organisation wishes to reduce the handling requirements for ICT equipment or media that contains highly classified data." 
} ] }, { - "id": "control-0120", - "title": "Access to sufficient data sources and tools", + "id": "control-0459", + "title": "Encrypting data at rest", "parts": [ { - "id": "control-0120-stmt", + "id": "control-0459-stmt", "name": "statement", - "prose": "Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise." + "prose": "Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_enterprise_mobility", - "title": "Guidelines for Enterprise Mobility", - "groups": [ - { - "id": "mobile_device_usage", - "title": "Mobile device usage", - "controls": [ + }, { - "id": "control-1082", - "title": "Mobile device usage policy", + "id": "control-0461", + "title": "Encrypting data at rest", "parts": [ { - "id": "control-1082-stmt", + "id": "control-0461-stmt", "name": "statement", - "prose": "A mobile device usage policy is developed and implemented." + "prose": "HACE used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition." } ] }, { - "id": "control-1083", - "title": "Personnel awareness", + "id": "control-1080", + "title": "Encrypting particularly important data at rest", "parts": [ { - "id": "control-1083-stmt", + "id": "control-1080-stmt", "name": "statement", - "prose": "Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices." + "prose": "In addition to any encryption already in place, an AACA is used to encrypt AUSTEO and AGAO data when at rest on a system." 
} ] }, { - "id": "control-0240", - "title": "Paging and message services", + "id": "control-0455", + "title": "Data recovery", "parts": [ { - "id": "control-0240-stmt", + "id": "control-0455-stmt", "name": "statement", - "prose": "Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified data." + "prose": "Where practical, cryptographic equipment and encryption software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure." } ] }, { - "id": "control-0866", - "title": "Using mobile devices in public spaces", + "id": "control-0462", + "title": "Handling encrypted ICT equipment and media", "parts": [ { - "id": "control-0866-stmt", + "id": "control-0462-stmt", "name": "statement", - "prose": "Sensitive or classified data is not viewed or communicated in public locations unless care is taken to reduce the chance of the screen of a mobile device being observed." + "prose": "When a user authenticates to encryption functionality for ICT equipment or media storing encrypted data, it is treated in accordance with its original sensitivity or classification until such a time that the user deauthenticates from the encryption functionality." } ] }, { - "id": "control-1145", - "title": "Using mobile devices in public spaces", + "id": "control-1162", + "title": "Encrypting data in transit", "parts": [ { - "id": "control-1145-stmt", + "id": "control-1162-stmt", "name": "statement", - "prose": "Privacy filters are applied to the screens of highly classified mobile devices." + "prose": "Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive data over public network infrastructure and through unsecured spaces." 
} ] }, { - "id": "control-1644", - "title": "Using mobile devices in public spaces", + "id": "control-0465", + "title": "Encrypting data in transit", "parts": [ { - "id": "control-1644-stmt", + "id": "control-0465-stmt", "name": "statement", - "prose": "Sensitive or classified phone calls are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard." + "prose": "Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified data over official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0871", - "title": "Maintaining control of mobile devices", + "id": "control-0467", + "title": "Encrypting data in transit", "parts": [ { - "id": "control-0871-stmt", + "id": "control-0467-stmt", "name": "statement", - "prose": "Mobile devices are kept under continual direct supervision when being actively used." + "prose": "HACE is used to communicate highly classified data over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces." } ] }, { - "id": "control-0870", - "title": "Maintaining control of mobile devices", + "id": "control-0469", + "title": "Encrypting particularly important data in transit", "parts": [ { - "id": "control-0870-stmt", + "id": "control-0469-stmt", "name": "statement", - "prose": "Mobile devices are carried or stored in a secured state when not being actively used." + "prose": "In addition to any encryption already in place, an AACP is used to protect AUSTEO and AGAO data when communicated across network infrastructure." 
} ] - }, + } + ] + }, + { + "id": "asd_approved_cryptographic_protocols", + "title": "ASD Approved Cryptographic Protocols", + "controls": [ { - "id": "control-1084", - "title": "Carrying mobile devices", + "id": "control-0481", + "title": "Using ASD Approved Cryptographic Protocols", "parts": [ { - "id": "control-1084-stmt", + "id": "control-0481-stmt", "name": "statement", - "prose": "If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the data stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag." + "prose": "Only AACPs are used by cryptographic equipment and software." } ] - }, + } + ] + }, + { + "id": "internet_protocol_security", + "title": "Internet Protocol Security", + "controls": [ { - "id": "control-0701", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-0494", + "title": "Mode of operation", "parts": [ { - "id": "control-0701-stmt", + "id": "control-0494-stmt", "name": "statement", - "prose": "A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented." + "prose": "Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used." } ] }, { - "id": "control-0702", - "title": "Mobile device emergency sanitisation process and procedures", + "id": "control-0496", + "title": "Protocol selection", "parts": [ { - "id": "control-0702-stmt", + "id": "control-0496-stmt", "name": "statement", - "prose": "If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process." + "prose": "The ESP protocol is used for IPsec connections." 
} ] }, { - "id": "control-1298", - "title": "Before travelling overseas with mobile devices", + "id": "control-1233", + "title": "Key exchange", "parts": [ { - "id": "control-1298-stmt", + "id": "control-1233-stmt", "name": "statement", - "prose": "Personnel are advised of privacy and security risks when travelling overseas with mobile devices." + "prose": "IKE is used for key exchange when establishing an IPsec connection." } ] }, { - "id": "control-1554", - "title": "Before travelling overseas with mobile devices", + "id": "control-0497", + "title": "Internet Security Association Key Management Protocol modes", "parts": [ { - "id": "control-1554-stmt", + "id": "control-0497-stmt", "name": "statement", - "prose": "If travelling overseas with mobile devices to high/extreme risk countries, personnel are:\n• issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities\n• advised on how to apply and inspect tamper seals to key areas of devices\n• advised to avoid taking any personal devices, especially if rooted or jailbroken." + "prose": "If using ISAKMP in IKE version 1, aggressive mode is disabled." 
} ] }, { - "id": "control-1555", - "title": "Before travelling overseas with mobile devices", + "id": "control-0498", + "title": "Security association lifetimes", "parts": [ { - "id": "control-1555-stmt", + "id": "control-0498-stmt", "name": "statement", - "prose": "Before travelling overseas with mobile devices, personnel take the following actions:\n• record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers\n• update all applications and operating systems\n• remove all non-essential accounts, applications and data\n• apply security configuration settings, such as lock screens\n• configure remote locate and wipe functionality\n• enable encryption, including for any media used\n• backup all important data and configuration settings." + "prose": "A security association lifetime of less than four hours, or 14400 seconds, is used." } ] }, { - "id": "control-1299", - "title": "While travelling overseas with mobile devices", + "id": "control-0998", + "title": "Hashed Message Authentication Code algorithms", "parts": [ { - "id": "control-1299-stmt", + "id": "control-0998-stmt", "name": "statement", - "prose": "Personnel take the following precautions when travelling overseas with mobile devices:\n• never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes\n• never storing credentials with devices that they grant access to, such as in laptop bags\n• never lending devices to untrusted people, even if briefly\n• never allowing untrusted people to connect other devices or media to their devices, including for charging\n• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people\n• avoiding connecting devices to open or untrusted Wi-Fi networks\n• using an approved Virtual Private Network to encrypt all device communications\n• using encrypted mobile 
applications for communications instead of using foreign telecommunication networks\n• disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication\n• avoiding reuse of media once used with other parties’ devices or systems\n• ensuring any media used for data transfers are thoroughly checked for malicious code beforehand\n• never using any gifted devices, especially media, when travelling or upon returning from travelling." + "prose": "HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm." } ] }, { - "id": "control-1088", - "title": "While travelling overseas with mobile devices", + "id": "control-0999", + "title": "Diffie-Hellman groups", "parts": [ { - "id": "control-1088-stmt", + "id": "control-0999-stmt", "name": "statement", - "prose": "Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:\n• provide credentials, decrypt devices or have devices taken out of sight by foreign government officials\n• have devices or media stolen that are later returned\n• lose devices or media that are later found\n• observe unusual behaviour of devices." + "prose": "The largest modulus size possible for all relevant components in the network is used when conducting a key exchange." } ] }, { - "id": "control-1300", - "title": "After travelling overseas with mobile devices", + "id": "control-1000", + "title": "Perfect Forward Secrecy", "parts": [ { - "id": "control-1300-stmt", + "id": "control-1000-stmt", "name": "statement", - "prose": "Upon returning from travelling overseas with mobile devices, personnel take the following actions:\n• sanitise and reset devices, including all media used with them\n• decommission any physical credentials that left their possession during their travel\n• report if significant doubt exists as to the integrity of any devices following their travel." 
+ "prose": "PFS is used for IPsec connections." } ] }, { - "id": "control-1556", - "title": "After travelling overseas with mobile devices", + "id": "control-1001", + "title": "Internet Key Exchange Extended Authentication", "parts": [ { - "id": "control-1556-stmt", + "id": "control-1001-stmt", "name": "statement", - "prose": "If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:\n• reset user credentials used with devices, including those used for remote access to their organisation’s systems\n• monitor accounts for any indicators of compromise, such as failed login attempts." + "prose": "The use of XAuth is disabled for IPsec connections using IKE version 1." } ] } ] - }, + } + ] + }, + { + "id": "guidelines_for_personnel_security", + "title": "Guidelines for Personnel Security", + "groups": [ { - "id": "mobile_device_management", - "title": "Mobile device management", + "id": "cyber_security_awareness_training", + "title": "Cyber security awareness training", "controls": [ { - "id": "control-1533", - "title": "Mobile device management policy", + "id": "control-0252", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1533-stmt", + "id": "control-0252-stmt", "name": "statement", - "prose": "A mobile device management policy is developed and implemented." + "prose": "Cyber security awareness training is undertaken annually by all personnel and covers:\n• the purpose of the cyber security awareness training\n• security appointments and contacts within the organisation\n• authorised use of systems and their resources\n• protection of systems and their resources\n• reporting of cyber security incidents and suspected compromises of systems and their resources." 
} ] }, { - "id": "control-1195", - "title": "Mobile device management policy", + "id": "control-1565", + "title": "Providing cyber security awareness training", "parts": [ { - "id": "control-1195-stmt", + "id": "control-1565-stmt", "name": "statement", - "prose": "A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices." + "prose": "Tailored privileged user training is undertaken annually by all privileged users." } ] }, { - "id": "control-0687", - "title": "Approval for use", + "id": "control-0817", + "title": "Reporting suspicious contact via online services", "parts": [ { - "id": "control-0687-stmt", + "id": "control-0817-stmt", "name": "statement", - "prose": "Mobile devices do not process, store or communicate highly classified data until approved for use by the ACSC." + "prose": "Personnel are advised of what suspicious contact via online services is and how to report it." } ] }, { - "id": "control-1400", - "title": "Privately-owned mobile devices", + "id": "control-0820", + "title": "Posting work information to online services", "parts": [ { - "id": "control-1400-stmt", + "id": "control-0820-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or data using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified data from any personal data." + "prose": "Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted." } ] }, { - "id": "control-0694", - "title": "Privately-owned mobile devices", + "id": "control-1146", + "title": "Posting work information to online services", "parts": [ { - "id": "control-0694-stmt", + "id": "control-1146-stmt", "name": "statement", - "prose": "Privately-owned mobile devices do not access highly classified systems or data." 
+ "prose": "Personnel are advised to maintain separate work and personal accounts for online services." } ] }, { - "id": "control-1297", - "title": "Seeking legal advice for privately-owned mobile devices", + "id": "control-0821", + "title": "Posting personal information to online services", "parts": [ { - "id": "control-1297-stmt", + "id": "control-0821-stmt", "name": "statement", - "prose": "Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or data." + "prose": "Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information." } ] }, { - "id": "control-1482", - "title": "Organisation-owned mobile devices", + "id": "control-0824", + "title": "Sending and receiving files via online services", "parts": [ { - "id": "control-1482-stmt", + "id": "control-0824-stmt", "name": "statement", - "prose": "Personnel accessing official or classified systems or data using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance." + "prose": "Personnel are advised not to send or receive files via unauthorised online services." + } + ] + } + ] + }, + { + "id": "access_to_systems_and_their_resources", + "title": "Access to systems and their resources", + "controls": [ + { + "id": "control-0432", + "title": "System access requirements", + "parts": [ + { + "id": "control-0432-stmt", + "name": "statement", + "prose": "Each system’s system security plan specifies any requirements for access to the system and its resources." 
} ] }, { - "id": "control-0869", - "title": "Mobile device storage encryption", + "id": "control-0434", + "title": "System access requirements", "parts": [ { - "id": "control-0869-stmt", + "id": "control-0434-stmt", "name": "statement", - "prose": "All data on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources." } ] }, { - "id": "control-1085", - "title": "Mobile device communications encryption", + "id": "control-0435", + "title": "System access requirements", "parts": [ { - "id": "control-1085-stmt", + "id": "control-0435-stmt", "name": "statement", - "prose": "Mobile devices used to communicate sensitive or classified data over public network infrastructure use encryption approved for communicating such data over public network infrastructure." + "prose": "Personnel receive any necessary briefings before being granted access to a system and its resources." } ] }, { - "id": "control-1202", - "title": "Mobile device Bluetooth functionality", + "id": "control-0414", + "title": "User identification", "parts": [ { - "id": "control-1202-stmt", + "id": "control-0414-stmt", "name": "statement", - "prose": "The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices." + "prose": "Personnel granted access to a system and its resources are uniquely identifiable." } ] }, { - "id": "control-0682", - "title": "Mobile device Bluetooth functionality", + "id": "control-0415", + "title": "User identification", "parts": [ { - "id": "control-0682-stmt", + "id": "control-0415-stmt", "name": "statement", - "prose": "Bluetooth functionality is not enabled on highly classified mobile devices." 
+ "prose": "The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable." } ] }, { - "id": "control-1196", - "title": "Mobile device Bluetooth pairing", + "id": "control-1583", + "title": "User identification", "parts": [ { - "id": "control-1196-stmt", + "id": "control-1583-stmt", "name": "statement", - "prose": "Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing." + "prose": "Personnel who are contractors are identified as such." } ] }, { - "id": "control-1200", - "title": "Mobile device Bluetooth pairing", + "id": "control-0420", + "title": "User identification", "parts": [ { - "id": "control-1200-stmt", + "id": "control-0420-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed using Bluetooth version 2.1 or later." + "prose": "Where systems process, store or communicate AUSTEO, AGAO or REL data, personnel who are foreign nationals are identified as such, including by their specific nationality." } ] }, { - "id": "control-1198", - "title": "Mobile device Bluetooth pairing", + "id": "control-0405", + "title": "Unprivileged access to systems", "parts": [ { - "id": "control-1198-stmt", + "id": "control-0405-stmt", "name": "statement", - "prose": "Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices." + "prose": "Unprivileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis." } ] }, { - "id": "control-1199", - "title": "Mobile device Bluetooth pairing", + "id": "control-1503", + "title": "Unprivileged access to systems", "parts": [ { - "id": "control-1199-stmt", + "id": "control-1503-stmt", "name": "statement", - "prose": "Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use." 
+ "prose": "Unprivileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties." } ] }, { - "id": "control-0863", - "title": "Configuration control", + "id": "control-1566", + "title": "Unprivileged access to systems", "parts": [ { - "id": "control-0863-stmt", + "id": "control-1566-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from installing or uninstalling applications once provisioned." + "prose": "The use of unprivileged accounts, and any activities undertaken with them, are monitored and audited." } ] }, { - "id": "control-0864", - "title": "Configuration control", + "id": "control-0409", + "title": "Unprivileged access to systems by foreign nationals", "parts": [ { - "id": "control-0864-stmt", + "id": "control-0409-stmt", "name": "statement", - "prose": "Mobile devices prevent personnel from disabling or modifying security functions once provisioned." + "prose": "Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL data unless effective security controls are in place to ensure such data is not accessible to them." } ] }, { - "id": "control-1365", - "title": "Maintaining mobile device security", + "id": "control-0411", + "title": "Unprivileged access to systems by foreign nationals", "parts": [ { - "id": "control-1365-stmt", + "id": "control-0411-stmt", "name": "statement", - "prose": "Mobile carriers that are able to provide timely security updates for mobile devices are used." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO data unless effective security controls are in place to ensure such data is not accessible to them." 
} ] }, { - "id": "control-1366", - "title": "Maintaining mobile device security", + "id": "control-1507", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1366-stmt", + "id": "control-1507-stmt", "name": "statement", - "prose": "Mobile devices are able to accept security updates from mobile carriers as soon as they become available." + "prose": "Requests for privileged access to systems and applications are validated when first requested." } ] }, { - "id": "control-0874", - "title": "Connecting mobile devices to the internet", + "id": "control-1647", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0874-stmt", + "id": "control-1647-stmt", "name": "statement", - "prose": "Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet." + "prose": "Privileged access to systems and applications is automatically disabled after 12 months unless revalidated." } ] }, { - "id": "control-0705", - "title": "Connecting mobile devices to the internet", + "id": "control-1648", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0705-stmt", + "id": "control-1648-stmt", "name": "statement", - "prose": "When accessing an organisation system via a VPN connection, split tunnelling is disabled." + "prose": "Privileged access to systems and applications is automatically disabled after 45 days of inactivity." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_communications_infrastructure", - "title": "Guidelines for Communications Infrastructure", - "groups": [ - { - "id": "cabling_infrastructure", - "title": "Cabling infrastructure", - "controls": [ + }, { - "id": "control-0181", - "title": "Cabling infrastructure standards", + "id": "control-1508", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0181-stmt", + "id": "control-1508-stmt", "name": "statement", - "prose": "Cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority." + "prose": "Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties." } ] }, { - "id": "control-1111", - "title": "Use of fibre-optic cables", + "id": "control-1649", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1111-stmt", + "id": "control-1649-stmt", "name": "statement", - "prose": "Fibre-optic cables are used for cabling infrastructure instead of copper cables." + "prose": "Just-in-time administration is used for administering systems and applications." } ] }, { - "id": "control-0211", - "title": "Cable register", + "id": "control-0445", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0211-stmt", + "id": "control-0445-stmt", "name": "statement", - "prose": "A cable register is maintained and regularly audited." + "prose": "Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access." 
} ] }, { - "id": "control-0208", - "title": "Cable register", + "id": "control-1509", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0208-stmt", + "id": "control-1509-stmt", "name": "statement", - "prose": "A cable register contains the following for each cable:\n• cable identifier\n• cable colour\n• sensitivity/classification\n• source\n• destination\n• location\n• seal numbers (if applicable)." + "prose": "Use of privileged access is logged." } ] }, { - "id": "control-1645", - "title": "Floor plan diagrams", + "id": "control-1650", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1645-stmt", + "id": "control-1650-stmt", "name": "statement", - "prose": "Floor plan diagrams are maintained and regularly audited." + "prose": "Changes to privileged accounts and groups are logged." } ] }, { - "id": "control-1646", - "title": "Floor plan diagrams", + "id": "control-1651", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1646-stmt", + "id": "control-1651-stmt", "name": "statement", - "prose": "Floor plan diagrams contain the following:\n• cable paths (including ingress and egress points between floors)\n• cable reticulation system and conduit paths\n• floor concentration boxes\n• wall outlet boxes\n• network cabinets." + "prose": "Privileged access event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." } ] }, { - "id": "control-0206", - "title": "Cable labelling process and procedures", + "id": "control-1652", + "title": "Privileged access to systems", "parts": [ { - "id": "control-0206-stmt", + "id": "control-1652-stmt", "name": "statement", - "prose": "A cable labelling process, and supporting cable labelling procedures, is developed and implemented." 
+ "prose": "Privileged account and group change event logs are centrally stored and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected." } ] }, { - "id": "control-1096", - "title": "Labelling cables", + "id": "control-1175", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1096-stmt", + "id": "control-1175-stmt", "name": "statement", - "prose": "Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable." + "prose": "Privileged user accounts are prevented from accessing the internet, email and web services." } ] }, { - "id": "control-1639", - "title": "Labelling building management cables", + "id": "control-1653", + "title": "Privileged access to systems", "parts": [ { - "id": "control-1639-stmt", + "id": "control-1653-stmt", "name": "statement", - "prose": "Building management cables are labelled with their purpose in black writing on a yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre intervals." + "prose": "Privileged service accounts are prevented from accessing the internet, email and web services." } ] }, { - "id": "control-1640", - "title": "Labelling cables for foreign systems in Australian facilities", + "id": "control-0446", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-1640-stmt", + "id": "control-0446-stmt", "name": "statement", - "prose": "Cables for foreign systems installed in Australian facilities are labelled at inspection points." + "prose": "Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL data." 
} ] }, { - "id": "control-0926", - "title": "Cable colours", + "id": "control-0447", + "title": "Privileged access to systems by foreign nationals", "parts": [ { - "id": "control-0926-stmt", + "id": "control-0447-stmt", "name": "statement", - "prose": "The cable colours in the following table are used (see source document for referenced table)." + "prose": "Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO data." } ] }, { - "id": "control-1216", - "title": "Cable colour non-conformance", + "id": "control-0430", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1216-stmt", + "id": "control-0430-stmt", "name": "statement", - "prose": "Cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points." + "prose": "Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access." } ] }, { - "id": "control-1112", - "title": "Cable inspectability", + "id": "control-1591", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1112-stmt", + "id": "control-1591-stmt", "name": "statement", - "prose": "In non-shared government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities." } ] }, { - "id": "control-1118", - "title": "Cable inspectability", + "id": "control-1404", + "title": "Suspension of access to systems", "parts": [ { - "id": "control-1118-stmt", + "id": "control-1404-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared government facilities, cables are inspectable at a minimum of five-metre intervals." 
+ "prose": "Access to systems, applications and data repositories is removed or suspended after one month of inactivity." } ] }, { - "id": "control-1119", - "title": "Cable inspectability", + "id": "control-0407", + "title": "Recording authorisation for personnel to access systems", "parts": [ { - "id": "control-1119-stmt", + "id": "control-0407-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, cables are fully inspectable for their entire length." + "prose": "A secure record is maintained for the life of each system covering:\n• all personnel authorised to access the system, and their user identification\n• who provided authorisation for access\n• when access was granted\n• the level of access that was granted\n• when access, and the level of access, was last reviewed\n• when the level of access was changed, and to what extent (if applicable)\n• when access was withdrawn (if applicable)." } ] }, { - "id": "control-1126", - "title": "Cable inspectability", + "id": "control-0441", + "title": "Temporary access to systems", "parts": [ { - "id": "control-1126-stmt", + "id": "control-0441-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas of shared non-government facilities, cables are inspectable at a minimum of five-metre intervals." + "prose": "When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only data required for them to undertake their duties." } ] }, { - "id": "control-0184", - "title": "Cable inspectability", + "id": "control-0443", + "title": "Temporary access to systems", "parts": [ { - "id": "control-0184-stmt", + "id": "control-0443-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, cables are fully inspectable for their entire length." + "prose": "Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information." 
} ] }, { - "id": "control-0187", - "title": "Common cable reticulation systems and conduits", + "id": "control-1610", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0187-stmt", + "id": "control-1610-stmt", "name": "statement", - "prose": "The cable groups in the following table are used (see source document for referenced table)." + "prose": "A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur." } ] }, { - "id": "control-0189", - "title": "Common cable reticulation systems and conduits", + "id": "control-1611", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0189-stmt", + "id": "control-1611-stmt", "name": "statement", - "prose": "Cables only carry a single cable group, unless each cable group belongs to a different subunit." + "prose": "Break glass accounts are only used when normal authentication processes cannot be used." } ] }, { - "id": "control-1114", - "title": "Common cable reticulation systems and conduits", + "id": "control-1612", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1114-stmt", + "id": "control-1612-stmt", "name": "statement", - "prose": "Cable groups sharing a common cable reticulation system have a dividing partition or a visible gap between the cable groups." + "prose": "Break glass accounts are only used for specific authorised activities." } ] }, { - "id": "control-1130", - "title": "Enclosed cable reticulation systems", + "id": "control-1613", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1130-stmt", + "id": "control-1613-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are run in an enclosed cable reticulation system." + "prose": "Break glass accounts are monitored and audited for unauthorised use or modification." 
} ] }, { - "id": "control-1164", - "title": "Covers for enclosed cable reticulation systems", + "id": "control-1614", + "title": "Emergency access to systems", "parts": [ { - "id": "control-1164-stmt", + "id": "control-1614-stmt", "name": "statement", - "prose": "In shared non-government facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic." + "prose": "Break glass account credentials are changed by the account custodian after they are accessed by any other party." } ] }, { - "id": "control-0195", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-1615", + "title": "Emergency access to systems", "parts": [ { - "id": "control-0195-stmt", + "id": "control-1615-stmt", "name": "statement", - "prose": "In shared non-government facilities, uniquely identifiable SCEC endorsed tamper-evident seals are used to seal all removable covers on cable reticulation systems." + "prose": "Break glass accounts are tested after credentials are changed." } ] }, { - "id": "control-0194", - "title": "Sealing cable reticulation systems and conduits", + "id": "control-0078", + "title": "Control of Australian systems", "parts": [ { - "id": "control-0194-stmt", + "id": "control-0078-stmt", "name": "statement", - "prose": "In shared non-government facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and conduit runs connected by threaded lock nuts." + "prose": "Systems processing, storing or communicating AUSTEO or AGAO data remain at all times under the control of an Australian national working for or on behalf of the Australian Government." 
} ] }, { - "id": "control-0201", - "title": "Labelling conduits", + "id": "control-0854", + "title": "Control of Australian systems", "parts": [ { - "id": "control-0201-stmt", + "id": "control-0854-stmt", "name": "statement", - "prose": "Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as ‘TS RUN’." + "prose": "Access to AUSTEO or AGAO data from systems not under the sole control of the Australian Government is prevented." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_database_systems", + "title": "Guidelines for Database Systems", + "groups": [ + { + "id": "database_servers", + "title": "Database servers", + "controls": [ { - "id": "control-1115", - "title": "Cables in walls", + "id": "control-1425", + "title": "Protecting database server contents", "parts": [ { - "id": "control-1115-stmt", + "id": "control-1425-stmt", "name": "statement", - "prose": "Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit." + "prose": "Hard disks of database servers are encrypted using full disk encryption." } ] }, { - "id": "control-1133", - "title": "Cables in party walls", + "id": "control-1269", + "title": "Functional separation between database servers and web servers", "parts": [ { - "id": "control-1133-stmt", + "id": "control-1269-stmt", "name": "statement", - "prose": "In shared non-government facilities, cables are not run in party walls." + "prose": "Database servers and web servers are functionally separated, physically or virtually." 
} ] }, { - "id": "control-1122", - "title": "Wall penetrations", + "id": "control-1277", + "title": "Communications between database servers and web servers", "parts": [ { - "id": "control-1122-stmt", + "id": "control-1277-stmt", "name": "statement", - "prose": "In shared government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Data communicated between database servers and web applications is encrypted." } ] }, { - "id": "control-1134", - "title": "Wall penetrations", + "id": "control-1270", + "title": "Network environment", "parts": [ { - "id": "control-1134-stmt", + "id": "control-1270-stmt", "name": "statement", - "prose": "In shared non-government facilities, where wall penetrations exit into a lower classified space, cables are encased in conduit with all gaps between the conduit and the wall filled with an appropriate sealing compound." + "prose": "Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations." } ] }, { - "id": "control-1104", - "title": "Wall outlet boxes", + "id": "control-1271", + "title": "Network environment", "parts": [ { - "id": "control-1104-stmt", + "id": "control-1271-stmt", "name": "statement", - "prose": "Wall outlet boxes have connectors on opposite sides of the wall outlet box if the cable group contains cables belonging to different classifications." + "prose": "Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks." 
} ] }, { - "id": "control-1105", - "title": "Wall outlet boxes", + "id": "control-1272", + "title": "Network environment", "parts": [ { - "id": "control-1105-stmt", + "id": "control-1272-stmt", "name": "statement", - "prose": "Different cables groups do not share a wall outlet box." + "prose": "If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface." } ] }, { - "id": "control-1095", - "title": "Labelling wall outlet boxes", + "id": "control-1273", + "title": "Separation of production, test and development database servers", "parts": [ { - "id": "control-1095-stmt", + "id": "control-1273-stmt", "name": "statement", - "prose": "Wall outlet boxes denote the classifications, cable identifiers and wall outlet box identifier." + "prose": "Test and development environments do not use the same database servers as production environments." } ] - }, + } + ] + }, + { + "id": "databases", + "title": "Databases", + "controls": [ { - "id": "control-1107", - "title": "Wall outlet box colours", + "id": "control-1243", + "title": "Database register", "parts": [ { - "id": "control-1107-stmt", + "id": "control-1243-stmt", "name": "statement", - "prose": "The wall outlet box colours in the following table are used (see source document for referenced table)." + "prose": "A database register is maintained and regularly audited." } ] }, { - "id": "control-1109", - "title": "Wall outlet box covers", + "id": "control-1256", + "title": "Protecting databases", "parts": [ { - "id": "control-1109-stmt", + "id": "control-1256-stmt", "name": "statement", - "prose": "Wall outlet box covers are clear plastic." + "prose": "File-based access controls are applied to database files." 
} ] }, { - "id": "control-0218", - "title": "Fly lead installation", + "id": "control-1252", + "title": "Protecting authentication credentials in databases", "parts": [ { - "id": "control-0218-stmt", + "id": "control-1252-stmt", "name": "statement", - "prose": "If fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box’s identifier." + "prose": "Passphrases stored in databases are hashed with a uniquely salted Australian Signals Directorate Approved Cryptographic Algorithm." } ] }, { - "id": "control-1102", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-0393", + "title": "Protecting database contents", "parts": [ { - "id": "control-1102-stmt", + "id": "control-0393-stmt", "name": "statement", - "prose": "In non-TOP SECRET areas, cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet." + "prose": "Databases and their contents are classified based on the sensitivity or classification of data that they contain." } ] }, { - "id": "control-1101", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1255", + "title": "Protecting database contents", "parts": [ { - "id": "control-1101-stmt", + "id": "control-1255-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets in a secure communications or server room are terminated as close as possible to the cabinet." + "prose": "Database users’ ability to access, insert, modify and remove content in databases is restricted based on their work duties." 
} ] }, { - "id": "control-1103", - "title": "Connecting cable reticulation systems to cabinets", + "id": "control-1268", + "title": "Protecting database contents", "parts": [ { - "id": "control-1103-stmt", + "id": "control-1268-stmt", "name": "statement", - "prose": "In TOP SECRET areas, cable reticulation systems leading into cabinets not in a secure communications or server room are terminated at the boundary of the cabinet." + "prose": "The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles." } ] }, { - "id": "control-1098", - "title": "Terminating cables in cabinets", + "id": "control-1258", + "title": "Aggregation of database contents", "parts": [ { - "id": "control-1098-stmt", + "id": "control-1258-stmt", "name": "statement", - "prose": "Cables are terminated in individual cabinets; or for small systems, one cabinet with a division plate to delineate cable groups." + "prose": "Where concerns exist that the sum, or aggregation, of separate pieces of data from within databases could lead to a database user determining more sensitive or classified data, database views in combination with database user access roles are implemented." } ] }, { - "id": "control-1100", - "title": "Terminating cables in cabinets", + "id": "control-1274", + "title": "Separation of production, test and development databases", "parts": [ { - "id": "control-1100-stmt", + "id": "control-1274-stmt", "name": "statement", - "prose": "TOP SECRET cables are terminated in an individual TOP SECRET cabinet." + "prose": "Data in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment." 
} ] }, { - "id": "control-0213", - "title": "Terminating cable groups on patch panels", + "id": "control-1275", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-0213-stmt", + "id": "control-1275-stmt", "name": "statement", - "prose": "Different cable groups do not terminate on the same patch panel." + "prose": "All queries to databases from web applications are filtered for legitimate content and correct syntax." } ] }, { - "id": "control-1116", - "title": "Physical separation of cabinets and patch panels", + "id": "control-1276", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-1116-stmt", + "id": "control-1276-stmt", "name": "statement", - "prose": "There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications." + "prose": "Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries." } ] }, { - "id": "control-0216", - "title": "Physical separation of cabinets and patch panels", + "id": "control-1278", + "title": "Web application interaction with databases", "parts": [ { - "id": "control-0216-stmt", + "id": "control-1278-stmt", "name": "statement", - "prose": "TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets." + "prose": "Web applications are designed to provide as little error information as possible to users about database schemas." 
} ] - }, + } + ] + }, + { + "id": "database_management_system_software", + "title": "Database management system software", + "controls": [ { - "id": "control-0217", - "title": "Physical separation of cabinets and patch panels", + "id": "control-1245", + "title": "Temporary installation files and logs", "parts": [ { - "id": "control-0217-stmt", + "id": "control-1245-stmt", "name": "statement", - "prose": "Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel:\n• a physical barrier in the cabinet is provided to separate patch panels\n• only personnel holding a Positive Vetting security clearance have access to the cabinet\n• approval from the TOP SECRET system’s authorising officer is obtained prior to installation." + "prose": "All temporary installation files and logs are removed after DBMS software has been installed." } ] }, { - "id": "control-0198", - "title": "Audio secure spaces", + "id": "control-1246", + "title": "Hardening and configuration", "parts": [ { - "id": "control-0198-stmt", + "id": "control-1246-stmt", "name": "statement", - "prose": "When penetrating an audio secured space, ASIO is consulted and all directions provided are complied with." + "prose": "DBMS software is configured according to vendor guidance." } ] }, { - "id": "control-1123", - "title": "Power reticulation", + "id": "control-1247", + "title": "Hardening and configuration", "parts": [ { - "id": "control-1123-stmt", + "id": "control-1247-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed." 
} ] }, { - "id": "control-1135", - "title": "Power reticulation", + "id": "control-1249", + "title": "Restricting privileges", "parts": [ { - "id": "control-1135-stmt", + "id": "control-1249-stmt", "name": "statement", - "prose": "In TOP SECRET areas of shared non-government facilities, a power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment." + "prose": "DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions." } ] - } - ] - }, - { - "id": "emanation_security", - "title": "Emanation security", - "controls": [ + }, { - "id": "control-0247", - "title": "Emanation security threat assessments in Australia", + "id": "control-1250", + "title": "Restricting privileges", "parts": [ { - "id": "control-0247-stmt", + "id": "control-1250-stmt", "name": "statement", - "prose": "System owners deploying systems with Radio Frequency (RF) transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "The account under which DBMS software runs has limited access to non-essential areas of the database server’s file system." } ] }, { - "id": "control-0248", - "title": "Emanation security threat assessments in Australia", + "id": "control-1251", + "title": "Restricting privileges", "parts": [ { - "id": "control-0248-stmt", + "id": "control-1251-stmt", "name": "statement", - "prose": "System owners deploying systems with RF transmitters that will be co-located with systems of a higher classification contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "The ability of DBMS software to read local files from a server is disabled." 
} ] }, { - "id": "control-1137", - "title": "Emanation security threat assessments in Australia", + "id": "control-1260", + "title": "Database administrator accounts", "parts": [ { - "id": "control-1137-stmt", + "id": "control-1260-stmt", "name": "statement", - "prose": "System owners deploying systems in shared facilities with non-Australian government entities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Default database administrator accounts are disabled, renamed or have their passphrases changed." } ] }, { - "id": "control-0932", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1262", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0932-stmt", + "id": "control-1262-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for emanation security threat advice and implement any additional installation criteria derived from the emanation security threat advice." + "prose": "Database administrators have unique and identifiable accounts." } ] }, { - "id": "control-0249", - "title": "Emanation security threat assessments outside Australia", + "id": "control-1261", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0249-stmt", + "id": "control-1261-stmt", "name": "statement", - "prose": "System owners deploying systems overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the emanation security threat assessment." + "prose": "Database administrator accounts are not shared across different databases." 
} ] }, { - "id": "control-0246", - "title": "Early identification of emanation security issues", + "id": "control-1263", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0246-stmt", + "id": "control-1263-stmt", "name": "statement", - "prose": "An emanation security threat assessment is sought as early as possible in a project’s life cycle as emanation security controls can have significant cost implications." + "prose": "Database administrator accounts are used exclusively for administrative activities, with standard database accounts used for general purpose interactions with databases." } ] }, { - "id": "control-0250", - "title": "Industry and government standards", + "id": "control-1264", + "title": "Database administrator accounts", "parts": [ { - "id": "control-0250-stmt", + "id": "control-1264-stmt", "name": "statement", - "prose": "ICT equipment in TOP SECRET areas meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility." + "prose": "Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions." } ] } 
@@ -7683,1817 +7678,1822 @@ ] }, { - "id": "guidelines_for_ict_equipment", - "title": "Guidelines for ICT Equipment", + "id": "guidelines_for_gateways", + "title": "Guidelines for Gateways", "groups": [ { - "id": "ict_equipment_sanitisation_and_disposal", - "title": "ICT equipment sanitisation and disposal", + "id": "firewalls", + "title": "Firewalls", "controls": [ { - "id": "control-0313", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1528", + "title": "Using firewalls", "parts": [ { - "id": "control-0313-stmt", + "id": "control-1528-stmt", "name": "statement", - "prose": "An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented." + "prose": "An evaluated firewall is used between official or classified networks and public network infrastructure." } ] }, { - "id": "control-1550", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0639", + "title": "Using firewalls", "parts": [ { - "id": "control-1550-stmt", + "id": "control-0639-stmt", "name": "statement", - "prose": "An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented." + "prose": "An evaluated firewall is used between networks belonging to different security domains." } ] }, { - "id": "control-0311", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-1194", + "title": "Using firewalls", "parts": [ { - "id": "control-0311-stmt", + "id": "control-1194-stmt", "name": "statement", - "prose": "When disposing of ICT equipment containing media, the ICT equipment is sanitised by sanitising the media within the ICT equipment, removing the media from the ICT equipment or destroying the ICT equipment in its entirety." 
+ "prose": "The requirement to use a firewall as part of gateway infrastructure is met by both parties independently; shared ICT equipment does not satisfy the requirements of both parties." } ] }, { - "id": "control-1217", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0641", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-1217-stmt", + "id": "control-0641-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate the ICT equipment with its original use, are removed prior to disposal." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and a foreign network." } ] }, { - "id": "control-0316", - "title": "ICT equipment sanitisation and disposal processes and procedures", + "id": "control-0642", + "title": "Firewalls for particularly important networks", "parts": [ { - "id": "control-0316-stmt", + "id": "control-0642-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision is made to handle ICT equipment, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "In addition to the firewall between networks of different security domains, an evaluated firewall is used between an AUSTEO or AGAO network and another Australian controlled network." 
} ] - }, + } + ] + }, + { + "id": "diodes", + "title": "Diodes", + "controls": [ { - "id": "control-0315", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-0643", + "title": "Using diodes", "parts": [ { - "id": "control-0315-stmt", + "id": "control-0643-stmt", "name": "statement", - "prose": "When disposing of high assurance ICT equipment, it is destroyed prior to its disposal." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure." } ] }, { - "id": "control-0321", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-0645", + "title": "Using diodes", "parts": [ { - "id": "control-0321-stmt", + "id": "control-0645-stmt", "name": "statement", - "prose": "When disposing of ICT equipment that has been designed or modified to meet TEMPEST standards, the ACSC is contacted for requirements relating to its secure disposal." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure." } ] }, { - "id": "control-1218", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1157", + "title": "Using diodes", "parts": [ { - "id": "control-1218-stmt", + "id": "control-1157-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO data is sanitised in situ." + "prose": "An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks." 
} ] }, { - "id": "control-0312", - "title": "Sanitisation and disposal of highly sensitive ICT equipment", + "id": "control-1158", + "title": "Using diodes", "parts": [ { - "id": "control-0312-stmt", + "id": "control-1158-stmt", "name": "statement", - "prose": "ICT equipment, including associated media, that is located overseas and has processed or stored AUSTEO or AGAO data that cannot be sanitised in situ is returned to Australia for destruction." + "prose": "A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above." } ] }, { - "id": "control-0317", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0646", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-0317-stmt", + "id": "control-0646-stmt", "name": "statement", - "prose": "At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification." } ] }, { - "id": "control-1219", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0647", + "title": "Diodes for particularly important networks", "parts": [ { - "id": "control-1219-stmt", + "id": "control-0647-stmt", "name": "statement", - "prose": "MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or if a print is visible on the image transfer roller." + "prose": "An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification." 
} ] }, { - "id": "control-1220", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0648", + "title": "Volume checking", "parts": [ { - "id": "control-1220-stmt", + "id": "control-0648-stmt", "name": "statement", - "prose": "Printer and MFD platens are inspected and destroyed if any images are retained on the platen." + "prose": "A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred." + } + ] + } + ] + }, + { + "id": "content_filtering", + "title": "Content filtering", + "controls": [ + { + "id": "control-0659", + "title": "Content filtering", + "parts": [ + { + "id": "control-0659-stmt", + "name": "statement", + "prose": "When importing data into a security domain, by any means including a CDS, the data is filtered by a content filter designed for that purpose." } ] }, { - "id": "control-1221", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-1524", + "title": "Content filtering", "parts": [ { - "id": "control-1221-stmt", + "id": "control-1524-stmt", "name": "statement", - "prose": "Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed." } ] }, { - "id": "control-0318", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0651", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-0318-stmt", + "id": "control-0651-stmt", "name": "statement", - "prose": "When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices." + "prose": "All suspicious, malicious and active content is blocked from entering a security domain." 
} ] }, { - "id": "control-1534", - "title": "Sanitisation and disposal of printers and multifunction devices", + "id": "control-0652", + "title": "Active, malicious and suspicious content", "parts": [ { - "id": "control-1534-stmt", + "id": "control-0652-stmt", "name": "statement", - "prose": "Printer ribbons in printers and MFDs are removed and destroyed." + "prose": "Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator." } ] }, { - "id": "control-1076", - "title": "Sanitising televisions and computer monitors", + "id": "control-1389", + "title": "Automated dynamic analysis", "parts": [ { - "id": "control-1076-stmt", + "id": "control-1389-stmt", "name": "statement", - "prose": "Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time." + "prose": "Email and web content entering a security domain is automatically run in a dynamic malware analysis sandbox to detect suspicious behaviour." } ] }, { - "id": "control-1222", - "title": "Sanitising televisions and computer monitors", + "id": "control-1284", + "title": "Content validation", "parts": [ { - "id": "control-1222-stmt", + "id": "control-1284-stmt", "name": "statement", - "prose": "Televisions and computer monitors that cannot be sanitised are destroyed." + "prose": "Content validation is performed on all data passing through a content filter with content which fails content validation blocked." 
} ] }, { - "id": "control-1223", - "title": "Sanitising network devices", + "id": "control-1286", + "title": "Content conversion and transformation", "parts": [ { - "id": "control-1223-stmt", + "id": "control-1286-stmt", "name": "statement", - "prose": "Memory in network devices is sanitised using the following processes, in order of preference:\n• following device-specific guidance provided by evaluated product documentation\n• following vendor sanitisation guidance\n• loading a dummy configuration file, performing a factory reset and then reinstalling firmware." + "prose": "Content conversion is performed for all ingress or egress data transiting a security domain boundary." } ] }, { - "id": "control-1225", - "title": "Sanitising fax machines", + "id": "control-1287", + "title": "Content sanitisation", "parts": [ { - "id": "control-1225-stmt", + "id": "control-1287-stmt", "name": "statement", - "prose": "The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed." + "prose": "Content sanitisation is performed on suitable file types if content conversion is not appropriate for data transiting a security domain boundary." } ] }, { - "id": "control-1226", - "title": "Sanitising fax machines", + "id": "control-1288", + "title": "Antivirus scanning", "parts": [ { - "id": "control-1226-stmt", + "id": "control-1288-stmt", "name": "statement", - "prose": "Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam." + "prose": "Antivirus scanning, using multiple different scanning engines, is performed on all content." 
} ] - } - ] - }, - { - "id": "ict_equipment_maintenance_and_repairs", - "title": "ICT equipment maintenance and repairs", - "controls": [ + }, { - "id": "control-1079", - "title": "Maintenance and repairs of high assurance ICT equipment", + "id": "control-1289", + "title": "Archive and container files", "parts": [ { - "id": "control-1079-stmt", + "id": "control-1289-stmt", "name": "statement", - "prose": "The ACSC’s approval is sought before undertaking any repairs to high assurance ICT equipment." + "prose": "The contents from archive/container files are extracted and subjected to content filter checks." } ] }, { - "id": "control-0305", - "title": "On-site maintenance and repairs", + "id": "control-1290", + "title": "Archive and container files", "parts": [ { - "id": "control-0305-stmt", + "id": "control-1290-stmt", "name": "statement", - "prose": "Maintenance and repairs of ICT equipment is carried out on-site by an appropriately cleared technician." + "prose": "Controlled inspection of archive/container files is performed to ensure that content filter performance or availability is not adversely affected." } ] }, { - "id": "control-0307", - "title": "On-site maintenance and repairs", + "id": "control-1291", + "title": "Archive and container files", "parts": [ { - "id": "control-0307-stmt", + "id": "control-1291-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken." + "prose": "Files that cannot be inspected are blocked and generate an alert or notification." 
} ] }, { - "id": "control-0306", - "title": "On-site maintenance and repairs", + "id": "control-0649", + "title": "Allowing access to specific content types", "parts": [ { - "id": "control-0306-stmt", + "id": "control-0649-stmt", "name": "statement", - "prose": "If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:\n• is appropriately cleared and briefed\n• takes due care to ensure that data is not disclosed\n• takes all responsible measures to ensure the integrity of the ICT equipment\n• has the authority to direct the technician\n• is sufficiently familiar with the ICT equipment to understand the work being performed." + "prose": "A list of allowed content types is implemented." } ] }, { - "id": "control-0310", - "title": "Off-site maintenance and repairs", + "id": "control-1292", + "title": "Data integrity", "parts": [ { - "id": "control-0310-stmt", + "id": "control-1292-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is done so in accordance with the handling requirements for the sensitivity or classification of the ICT equipment." + "prose": "The integrity of content is verified where applicable and blocked if verification fails." } ] }, { - "id": "control-0944", - "title": "Maintenance and repair of ICT equipment from secured spaces", + "id": "control-0677", + "title": "Data integrity", "parts": [ { - "id": "control-0944-stmt", + "id": "control-0677-stmt", "name": "statement", - "prose": "ICT equipment maintained or repaired off-site is treated as per the requirements for the sensitivity or classification of the area that the ICT equipment will be returned to." + "prose": "If data is signed, the signature is validated before the data is exported." 
} ] }, { - "id": "control-1598", - "title": "Inspection of ICT equipment following maintenance and repairs", + "id": "control-1293", + "title": "Encrypted data", "parts": [ { - "id": "control-1598-stmt", + "id": "control-1293-stmt", "name": "statement", - "prose": "Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place." + "prose": "All encrypted content, traffic and data is decrypted and inspected to allow content filtering." } ] } ] }, { - "id": "ict_equipment_usage", - "title": "ICT equipment usage", + "id": "cross_domain_solutions", + "title": "Cross Domain Solutions", "controls": [ { - "id": "control-1551", - "title": "ICT equipment management policy", + "id": "control-0626", + "title": "When to implement a Cross Domain Solution", "parts": [ { - "id": "control-1551-stmt", + "id": "control-0626-stmt", "name": "statement", - "prose": "An ICT equipment management policy is developed and implemented." + "prose": "When connecting a highly classified network to any other network from a different security domain, a CDS is implemented." } ] }, { - "id": "control-0336", - "title": "ICT equipment register", + "id": "control-0597", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0336-stmt", + "id": "control-0597-stmt", "name": "statement", - "prose": "An ICT equipment register is maintained and regularly audited." + "prose": "When designing and deploying a CDS, the ACSC is notified and consulted; and directions provided by the ACSC are complied with." 
} ] }, { - "id": "control-0293", - "title": "Classifying ICT equipment", + "id": "control-0627", + "title": "Consultation when implementing or modifying a Cross Domain Solution", "parts": [ { - "id": "control-0293-stmt", + "id": "control-0627-stmt", "name": "statement", - "prose": "ICT equipment is classified based on the highest sensitivity or classification of data that it is approved for processing, storing or communicating." + "prose": "When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with." } ] }, { - "id": "control-0294", - "title": "Labelling ICT equipment", + "id": "control-0635", + "title": "Separation of data flows", "parts": [ { - "id": "control-0294-stmt", + "id": "control-0635-stmt", "name": "statement", - "prose": "ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." + "prose": "A CDS between a highly classified network and any other network implements isolated upward and downward network paths." } ] }, { - "id": "control-0296", - "title": "Labelling high assurance ICT equipment", + "id": "control-1521", + "title": "Separation of data flows", "parts": [ { - "id": "control-0296-stmt", + "id": "control-1521-stmt", "name": "statement", - "prose": "The Australian Cyber Security Centre (ACSC)’s approval is sought before applying labels to external surfaces of high assurance ICT equipment." + "prose": "A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model." 
} ] }, { - "id": "control-1599", - "title": "Handling ICT equipment", + "id": "control-1522", + "title": "Separation of data flows", "parts": [ { - "id": "control-1599-stmt", + "id": "control-1522-stmt", "name": "statement", - "prose": "ICT equipment is handled in a manner suitable for its sensitivity or classification." + "prose": "A CDS between a highly classified network and any other network implements content filtering and separate independent security-enforcing components for upward and downward data flows." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_physical_security", - "title": "Guidelines for Physical Security", - "groups": [ - { - "id": "ict_equipment_and_media", - "title": "ICT equipment and media", - "controls": [ + }, { - "id": "control-0161", - "title": "Securing ICT equipment and media", + "id": "control-0670", + "title": "Event logging", "parts": [ { - "id": "control-0161-stmt", + "id": "control-0670-stmt", "name": "statement", - "prose": "ICT equipment and media are secured when not in use." + "prose": "All security-relevant events generated by a CDS are logged and regularly analysed." } ] - } - ] - }, - { - "id": "facilities_and_systems", - "title": "Facilities and systems", - "controls": [ + }, { - "id": "control-0810", - "title": "Facilities containing systems", + "id": "control-1523", + "title": "Event logging", "parts": [ { - "id": "control-0810-stmt", + "id": "control-1523-stmt", "name": "statement", - "prose": "Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system." + "prose": "A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains." 
} ] }, { - "id": "control-1053", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0610", + "title": "User training", "parts": [ { - "id": "control-1053-stmt", + "id": "control-0610-stmt", "name": "statement", - "prose": "Servers and network devices are secured in server rooms or communications rooms that meet the requirements for a Security Zone or secure room suitable for their sensitivity or classification." + "prose": "Users are trained on the secure use of a CDS before access to the CDS is granted." } ] - }, + } + ] + }, + { + "id": "web_proxies", + "title": "Web proxies", + "controls": [ { - "id": "control-1530", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0258", + "title": "Web usage policy", "parts": [ { - "id": "control-1530-stmt", + "id": "control-0258-stmt", "name": "statement", - "prose": "Servers and network devices are secured in lockable commercial cabinets or security containers suitable for their sensitivity or classification taking into account protection afforded by the Security Zone or secure room they reside in." + "prose": "A web usage policy is developed and implemented." } ] }, { - "id": "control-0813", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0260", + "title": "Using web proxies", "parts": [ { - "id": "control-0813-stmt", + "id": "control-0260-stmt", "name": "statement", - "prose": "Server rooms, communications rooms and security containers are not left in unsecured states." + "prose": "All web access, including that by internal servers, is conducted through a web proxy." 
} ] }, { - "id": "control-1074", - "title": "Server rooms, communications rooms and security containers", + "id": "control-0261", + "title": "Web proxy authentication and logging", "parts": [ { - "id": "control-1074-stmt", + "id": "control-0261-stmt", "name": "statement", - "prose": "Keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled." + "prose": "A web proxy authenticates users and provides logging that includes the following details about websites accessed:\n• address (uniform resource locator)\n• time/date\n• user\n• amount of data uploaded and downloaded\n• internal and external IP addresses." } ] - }, + } + ] + }, + { + "id": "web_content_filters", + "title": "Web content filters", + "controls": [ { - "id": "control-0157", - "title": "Network infrastructure", + "id": "control-0963", + "title": "Using web content filters", "parts": [ { - "id": "control-0157-stmt", + "id": "control-0963-stmt", "name": "statement", - "prose": "Data communicated over network infrastructure in areas not authorised for the processing of such data is encrypted as if it was communicated through unsecured spaces." + "prose": "A web content filter is used to filter potentially harmful web-based content." } ] }, { - "id": "control-1296", - "title": "Controlling physical access to network devices", + "id": "control-0961", + "title": "Using web content filters", "parts": [ { - "id": "control-1296-stmt", + "id": "control-0961-stmt", "name": "statement", - "prose": "Physical security controls are implemented to protect network devices, especially those in public areas, from physical damage or unauthorised access." + "prose": "Client-side active content, such as Java, is restricted to a list of allowed websites." 
} ] }, { - "id": "control-1543", - "title": "Bringing Radio Frequency and infrared devices into facilities", + "id": "control-1237", + "title": "Using web content filters", "parts": [ { - "id": "control-1543-stmt", + "id": "control-1237-stmt", "name": "statement", - "prose": "An authorised RF and IR device register is maintained and regularly audited for SECRET and TOP SECRET areas." + "prose": "Web content filtering controls are applied to outbound web traffic where appropriate." } ] }, { - "id": "control-0225", - "title": "Bringing Radio Frequency and infrared devices into facilities", + "id": "control-0263", + "title": "Transport Layer Security filtering", "parts": [ { - "id": "control-0225-stmt", + "id": "control-0263-stmt", "name": "statement", - "prose": "Unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas." + "prose": "For TLS traffic communicated through internet gateways, either of the following approaches are implemented:\n• a solution that decrypts and inspects all TLS traffic as per content filtering security controls\n• a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls." } ] }, { - "id": "control-0829", - "title": "Bringing Radio Frequency and infrared devices into facilities", + "id": "control-0996", + "title": "Inspection of Transport Layer Security traffic", "parts": [ { - "id": "control-0829-stmt", + "id": "control-0996-stmt", "name": "statement", - "prose": "Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas." + "prose": "Legal advice is sought regarding the inspection of TLS traffic by internet gateways." 
} ] }, { - "id": "control-0164", - "title": "Preventing observation by unauthorised people", + "id": "control-0958", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0164-stmt", + "id": "control-0958-stmt", "name": "statement", - "prose": "Unauthorised people are prevented from observing systems, in particular, workstation displays and keyboards." + "prose": "A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_data_transfers", - "title": "Guidelines for Data Transfers", - "groups": [ - { - "id": "data_transfers", - "title": "Data transfers", - "controls": [ + }, { - "id": "control-0663", - "title": "Data transfer process and procedures", + "id": "control-1170", + "title": "Allowing access to specific websites", "parts": [ { - "id": "control-0663-stmt", + "id": "control-1170-stmt", "name": "statement", - "prose": "A data transfer process, and supporting data transfer procedures, is developed and implemented." + "prose": "If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead." } ] }, { - "id": "control-0661", - "title": "User responsibilities", + "id": "control-0959", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0661-stmt", + "id": "control-0959-stmt", "name": "statement", - "prose": "Users transferring data to and from a system are held accountable for the data they transfer." + "prose": "If a list of allowed websites is not implemented, a list of blocked websites is implemented instead." 
} ] }, { - "id": "control-0665", - "title": "Trusted sources", + "id": "control-0960", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0665-stmt", + "id": "control-0960-stmt", "name": "statement", - "prose": "Trusted sources are limited to people and systems that have been authorised as such by an organisation’s CISO." + "prose": "If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective." } ] }, { - "id": "control-0664", - "title": "Data transfer approval", + "id": "control-1171", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0664-stmt", + "id": "control-1171-stmt", "name": "statement", - "prose": "All data transferred to a system of a lesser sensitivity or classification is reviewed and approved by a trusted source." + "prose": "Attempts to access a website through its IP address instead of through its domain name are blocked." } ] }, { - "id": "control-0675", - "title": "Data transfer approval", + "id": "control-1236", + "title": "Blocking access to specific websites", "parts": [ { - "id": "control-0675-stmt", + "id": "control-1236-stmt", "name": "statement", - "prose": "A trusted source signs all data authorised for export from a system." + "prose": "Dynamic domains and other domains where domain names can be registered anonymously for free are blocked." } ] - }, + } + ] + }, + { + "id": "peripheral_switches", + "title": "Peripheral switches", + "controls": [ { - "id": "control-0657", - "title": "Import of data", + "id": "control-0591", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0657-stmt", + "id": "control-0591-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official and classified systems." 
} ] }, { - "id": "control-0658", - "title": "Import of data", + "id": "control-1480", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0658-stmt", + "id": "control-1480-stmt", "name": "statement", - "prose": "Data imported to a system is scanned for malicious and active content, undergoes data format checks and logging, and is monitored to detect overuse/unusual usage patterns." + "prose": "A high assurance peripheral switch is used when sharing peripherals between official or classified systems and highly classified systems." } ] }, { - "id": "control-1187", - "title": "Export of data", + "id": "control-1457", + "title": "Using peripheral switches", "parts": [ { - "id": "control-1187-stmt", + "id": "control-1457-stmt", "name": "statement", - "prose": "When exporting data, protective marking checks are undertaken." + "prose": "An evaluated, preferably high assurance, peripheral switch is used when sharing peripherals between systems of different classifications." } ] }, { - "id": "control-0669", - "title": "Export of data", + "id": "control-0593", + "title": "Using peripheral switches", "parts": [ { - "id": "control-0669-stmt", + "id": "control-0593-stmt", "name": "statement", - "prose": "When exporting data, the following activities are undertaken:\n• protective marking checks\n• data format checks and logging\n• monitoring to detect overuse/unusual usage patterns\n• limitations on data types and sizes\n• keyword searches on all textual data." + "prose": "An evaluated peripheral switch is used when sharing peripherals between official systems, or classified systems at the same classification, that belong to different security domains." 
} ] }, { - "id": "control-1535", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0594", + "title": "Peripheral switches for particularly important systems", "parts": [ { - "id": "control-1535-stmt", + "id": "control-0594-stmt", "name": "statement", - "prose": "A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems." + "prose": "An evaluated peripheral switch is used when accessing a system containing AUSTEO or AGAO data and a system of the same classification that is not authorised to process the same caveat." } ] - }, + } + ] + }, + { + "id": "gateways", + "title": "Gateways", + "controls": [ { - "id": "control-0678", - "title": "Preventing export of particularly important data to foreign systems", + "id": "control-0628", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0678-stmt", + "id": "control-0628-stmt", "name": "statement", - "prose": "When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator." + "prose": "All systems are protected from systems in other security domains by one or more gateways." } ] }, { - "id": "control-1586", - "title": "Monitoring data import and export", + "id": "control-1192", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-1586-stmt", + "id": "control-1192-stmt", "name": "statement", - "prose": "Data transfer logs are used to record all data imports and exports from systems." + "prose": "All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model." 
} ] }, { - "id": "control-1294", - "title": "Monitoring data import and export", + "id": "control-0631", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-1294-stmt", + "id": "control-0631-stmt", "name": "statement", - "prose": "Data transfer logs are partially audited at least monthly." + "prose": "Gateways:\n• are the only communications paths into and out of internal networks\n• allow only explicitly authorised connections\n• are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)\n• log all physical and logical access to their components\n• are configured to save logs to a secure logging facility\n• have all security controls tested to verify their effectiveness after any changes to their configuration." } ] }, { - "id": "control-0660", - "title": "Monitoring data import and export", + "id": "control-1427", + "title": "Gateway architecture and configuration", "parts": [ { - "id": "control-0660-stmt", + "id": "control-1427-stmt", "name": "statement", - "prose": "Data transfer logs are fully audited at least monthly." + "prose": "Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_media", - "title": "Guidelines for Media", - "groups": [ - { - "id": "media_destruction", - "title": "Media destruction", - "controls": [ + }, { - "id": "control-0363", - "title": "Media destruction process and procedures", + "id": "control-0634", + "title": "Gateway operation", "parts": [ { - "id": "control-0363-stmt", + "id": "control-0634-stmt", "name": "statement", - "prose": "A media destruction process, and supporting media destruction procedures, is developed and implemented." 
+ "prose": "All gateways connecting networks in different security domains are operated such that they:\n• log network traffic permitted through the gateway\n• log network traffic attempting to leave the gateway\n• are configured to save event logs to a secure logging facility\n• provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns." } ] }, { - "id": "control-0350", - "title": "Media that cannot be sanitised", + "id": "control-0637", + "title": "Demilitarised zones", "parts": [ { - "id": "control-0350-stmt", + "id": "control-0637-stmt", "name": "statement", - "prose": "The following media types are destroyed prior to disposal as they cannot be sanitised:\n• microfiche and microfilm\n• optical discs\n• programmable read-only memory\n• read-only memory\n• other types of media that cannot be sanitised\n• faulty media that cannot be successfully sanitised." + "prose": "Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones." } ] }, { - "id": "control-1361", - "title": "Media destruction equipment", + "id": "control-1037", + "title": "Gateway testing", "parts": [ { - "id": "control-1361-stmt", + "id": "control-1037-stmt", "name": "statement", - "prose": "SCEC or ASIO approved equipment is used when destroying media." + "prose": "Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls." } ] }, { - "id": "control-1160", - "title": "Media destruction equipment", + "id": "control-0611", + "title": "Gateway administration", "parts": [ { - "id": "control-1160-stmt", + "id": "control-0611-stmt", "name": "statement", - "prose": "If using degaussers to destroy media, degaussers evaluated by the United States’ National Security Agency are used." 
+ "prose": "Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely." } ] }, { - "id": "control-1517", - "title": "Media destruction methods", + "id": "control-0612", + "title": "Gateway administration", "parts": [ { - "id": "control-1517-stmt", + "id": "control-0612-stmt", "name": "statement", - "prose": "Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm." + "prose": "System administrators are formally trained to manage gateways." } ] }, { - "id": "control-0366", - "title": "Media destruction methods", + "id": "control-1520", + "title": "Gateway administration", "parts": [ { - "id": "control-0366-stmt", + "id": "control-1520-stmt", "name": "statement", - "prose": "One of the methods in the following table is used to destroy media (see source document for referenced table)." + "prose": "All system administrators of gateways are cleared to access the highest level of data communicated or processed by the gateway." } ] }, { - "id": "control-0368", - "title": "Treatment of media waste particles", + "id": "control-0613", + "title": "Gateway administration", "parts": [ { - "id": "control-0368-stmt", + "id": "control-0613-stmt", "name": "statement", - "prose": "The resulting waste for all destruction methods, except for furnace/incinerator and degausser, is stored and handled as per the following table (see source document for referenced table)." + "prose": "All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) data are Australian nationals." 
} ] }, { - "id": "control-0361", - "title": "Degaussing magnetic media", + "id": "control-0616", + "title": "Gateway administration", "parts": [ { - "id": "control-0361-stmt", + "id": "control-0616-stmt", "name": "statement", - "prose": "A degausser of sufficient field strength for the coercivity of the magnetic media is used, with the field strength being checked at regular intervals." + "prose": "Roles for the administration of gateways are separated." } ] }, { - "id": "control-0838", - "title": "Degaussing magnetic media", + "id": "control-0629", + "title": "Gateway administration", "parts": [ { - "id": "control-0838-stmt", + "id": "control-0629-stmt", "name": "statement", - "prose": "A degausser capable of the magnetic orientation (longitudinal or perpendicular) of the magnetic media is used." + "prose": "For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party." } ] }, { - "id": "control-0362", - "title": "Degaussing magnetic media", + "id": "control-0607", + "title": "Shared ownership of gateways", "parts": [ { - "id": "control-0362-stmt", + "id": "control-0607-stmt", "name": "statement", - "prose": "Any product-specific directions provided by degausser manufacturers are followed." + "prose": "Once connectivity is established, system owners become stakeholders for all connected security domains." } ] }, { - "id": "control-1641", - "title": "Degaussing magnetic media", + "id": "control-0619", + "title": "Gateway authentication", "parts": [ { - "id": "control-1641-stmt", + "id": "control-0619-stmt", "name": "statement", - "prose": "Following destruction of magnetic media using a degausser, the magnetic media is physically damaged by deforming the internal platters by any means prior to disposal." + "prose": "Users and services accessing networks through gateways are authenticated." 
} ] }, { - "id": "control-0370", - "title": "Supervision of destruction", + "id": "control-0620", + "title": "Gateway authentication", "parts": [ { - "id": "control-0370-stmt", + "id": "control-0620-stmt", "name": "statement", - "prose": "The destruction of media is performed under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed." + "prose": "Only users and services authenticated and authorised to a gateway can use the gateway." } ] }, { - "id": "control-0371", - "title": "Supervision of destruction", + "id": "control-1039", + "title": "Gateway authentication", "parts": [ { - "id": "control-0371-stmt", + "id": "control-1039-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of media supervise the handling of the media to the point of destruction and ensure that the destruction is completed successfully." + "prose": "Multi-factor authentication is used for access to gateways." } ] }, { - "id": "control-0372", - "title": "Supervision of accountable material destruction", + "id": "control-0622", + "title": "ICT equipment authentication", "parts": [ { - "id": "control-0372-stmt", + "id": "control-0622-stmt", "name": "statement", - "prose": "The destruction of accountable material is performed under the supervision of at least two personnel cleared to the sensitivity or classification of the media being destroyed." + "prose": "ICT equipment accessing networks through gateways is authenticated." 
} ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_communications_systems", + "title": "Guidelines for Communications Systems", + "groups": [ + { + "id": "video_conferencing_and_internet_protocol_telephony", + "title": "Video conferencing and Internet Protocol telephony", + "controls": [ { - "id": "control-0373", - "title": "Supervision of accountable material destruction", + "id": "control-1562", + "title": "Video conferencing and Internet Protocol telephony infrastructure hardening", "parts": [ { - "id": "control-0373-stmt", + "id": "control-1562-stmt", "name": "statement", - "prose": "Personnel supervising the destruction of accountable media supervise the handling of the material to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards." + "prose": "Video conferencing and IP telephony infrastructure is hardened." } ] }, { - "id": "control-0840", - "title": "Outsourcing media destruction", + "id": "control-0546", + "title": "Video and voice-aware firewalls", "parts": [ { - "id": "control-0840-stmt", + "id": "control-0546-stmt", "name": "statement", - "prose": "When outsourcing the destruction of media to an external destruction service, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO’s PSC-167, is used." + "prose": "Where a requirement exists to implement a firewall in a gateway, and video conferencing or IP telephony traffic passes through the gateway, a video or voice-aware firewall is used." } ] }, { - "id": "control-0839", - "title": "Outsourcing media destruction", + "id": "control-0547", + "title": "Protecting video conferencing and Internet Protocol telephony traffic", "parts": [ { - "id": "control-0839-stmt", + "id": "control-0547-stmt", "name": "statement", - "prose": "The destruction of TOP SECRET media or accountable material is not outsourced." 
+ "prose": "Video conferencing and IP telephony signalling and data is encrypted." } ] - } - ] - }, - { - "id": "media_usage", - "title": "Media usage", - "controls": [ + }, { - "id": "control-1549", - "title": "Media management policy", + "id": "control-0548", + "title": "Establishment of secure signalling and data protocols", "parts": [ { - "id": "control-1549-stmt", + "id": "control-0548-stmt", "name": "statement", - "prose": "A media management policy is developed and implemented." + "prose": "Video conferencing and IP telephony functions are established using secure signalling and data protocols." } ] }, { - "id": "control-1359", - "title": "Removable media usage policy", + "id": "control-0554", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1359-stmt", + "id": "control-0554-stmt", "name": "statement", - "prose": "A removable media usage policy is developed and implemented." + "prose": "An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation." } ] }, { - "id": "control-1713", - "title": "Removable media register", + "id": "control-0553", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-1713-stmt", + "id": "control-0553-stmt", "name": "statement", - "prose": "A removable media register is maintained and regularly audited." + "prose": "Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings." 
} ] }, { - "id": "control-0323", - "title": "Classifying media", + "id": "control-0555", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0323-stmt", + "id": "control-0555-stmt", "name": "statement", - "prose": "Media is classified to the highest sensitivity or classification of data stored on the media, unless the media has been classified to a higher sensitivity or classification." + "prose": "Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail." } ] }, { - "id": "control-0325", - "title": "Reclassifying media", + "id": "control-0551", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0325-stmt", + "id": "control-0551-stmt", "name": "statement", - "prose": "Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured." + "prose": "IP telephony is configured such that:\n• IP phones authenticate themselves to the call controller upon registration\n• auto-registration is disabled and only authorised devices are allowed to access the network\n• unauthorised devices are blocked by default\n• all unused and prohibited functionality is disabled." 
} ] }, { - "id": "control-0330", - "title": "Reclassifying media", + "id": "control-1014", + "title": "Video conferencing unit and Internet Protocol phone authentication", "parts": [ { - "id": "control-0330-stmt", + "id": "control-1014-stmt", "name": "statement", - "prose": "In order to reclassify media to a lower sensitivity or classification, the media is sanitised (unless the media is read-only) and a formal administrative decision (in consultation with data owners) is made to reclassify the media." + "prose": "Individual logins are used for IP phones." } ] }, { - "id": "control-0831", - "title": "Handling media", + "id": "control-0549", + "title": "Traffic separation", "parts": [ { - "id": "control-0831-stmt", + "id": "control-0549-stmt", "name": "statement", - "prose": "Media is handled in a manner suitable for its sensitivity or classification." + "prose": "Video conferencing and IP telephony traffic is separated physically or logically from other data traffic." } ] }, { - "id": "control-1059", - "title": "Handling media", + "id": "control-0556", + "title": "Traffic separation", "parts": [ { - "id": "control-1059-stmt", + "id": "control-0556-stmt", "name": "statement", - "prose": "Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm." + "prose": "Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses VLANs or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic." } ] }, { - "id": "control-0332", - "title": "Labelling media", + "id": "control-1015", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-0332-stmt", + "id": "control-1015-stmt", "name": "statement", - "prose": "Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification." 
+ "prose": "Traditional analog phones are used in public areas." } ] }, { - "id": "control-1600", - "title": "Connecting media to systems", + "id": "control-0558", + "title": "Internet Protocol phones in public areas", "parts": [ { - "id": "control-1600-stmt", + "id": "control-0558-stmt", "name": "statement", - "prose": "Media is sanitised before it is used for the first time." + "prose": "If IP phones are used in public areas, their ability to access data networks, voicemail and directory services are prevented." } ] }, { - "id": "control-1642", - "title": "Connecting media to systems", + "id": "control-0559", + "title": "Microphones and webcams", "parts": [ { - "id": "control-1642-stmt", + "id": "control-0559-stmt", "name": "statement", - "prose": "Media is sanitised before it is reused in a different security domain." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas." } ] }, { - "id": "control-0337", - "title": "Connecting media to systems", + "id": "control-1450", + "title": "Microphones and webcams", "parts": [ { - "id": "control-0337-stmt", + "id": "control-1450-stmt", "name": "statement", - "prose": "Media is only used with systems that are authorised to process, store or communicate the sensitivity or classification of the media." + "prose": "Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas." } ] }, { - "id": "control-0341", - "title": "Connecting media to systems", + "id": "control-1019", + "title": "Developing a denial of service response plan", "parts": [ { - "id": "control-0341-stmt", + "id": "control-1019-stmt", "name": "statement", - "prose": "Any automatic execution features for media are disabled in the operating system of systems." 
+ "prose": "A denial of service response plan is developed and implemented that includes:\n• how to identify signs of a denial of service\n• how to identify the source of a denial of service\n• how capabilities can be maintained during a denial of service\n• what actions can be taken to clear a denial of service." } ] - }, + } + ] + }, + { + "id": "telephone_systems", + "title": "Telephone systems", + "controls": [ { - "id": "control-0342", - "title": "Connecting media to systems", + "id": "control-1078", + "title": "Telephone systems usage policy", "parts": [ { - "id": "control-0342-stmt", + "id": "control-1078-stmt", "name": "statement", - "prose": "Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports or by physical means." + "prose": "A telephone systems usage policy is developed and implemented." } ] }, { - "id": "control-0343", - "title": "Connecting media to systems", + "id": "control-0229", + "title": "Personnel awareness", "parts": [ { - "id": "control-0343-stmt", + "id": "control-0229-stmt", "name": "statement", - "prose": "Media is prevented from being written to via the use of device access control software if there is no business requirement for its use." + "prose": "Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems." } ] }, { - "id": "control-0347", - "title": "Using media for data transfers", + "id": "control-0230", + "title": "Personnel awareness", "parts": [ { - "id": "control-0347-stmt", + "id": "control-0230-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured." 
+ "prose": "Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur." } ] }, { - "id": "control-0947", - "title": "Using media for data transfers", + "id": "control-0231", + "title": "Visual indication", "parts": [ { - "id": "control-0947-stmt", + "id": "control-0231-stmt", "name": "statement", - "prose": "When transferring data manually between two systems belonging to different security domains, rewritable media is sanitised after each data transfer." + "prose": "When permitting different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made." } ] - } - ] - }, - { - "id": "media_disposal", - "title": "Media disposal", - "controls": [ + }, { - "id": "control-0374", - "title": "Media disposal process and procedures", + "id": "control-0232", + "title": "Protecting conversations", "parts": [ { - "id": "control-0374-stmt", + "id": "control-0232-stmt", "name": "statement", - "prose": "A media disposal process, and supporting media disposal procedures, is developed and implemented." + "prose": "Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems." } ] }, { - "id": "control-0375", - "title": "Media disposal process and procedures", + "id": "control-0233", + "title": "Cordless telephone systems", "parts": [ { - "id": "control-0375-stmt", + "id": "control-0233-stmt", "name": "statement", - "prose": "Following sanitisation, destruction or declassification, a formal administrative decision (in consultation with data owners) is made to handle media, or its waste, as ‘publicly releasable’ before it is released into the public domain." + "prose": "Cordless telephone systems are not used for sensitive or classified conversations." 
} ] }, { - "id": "control-0378", - "title": "Media disposal process and procedures", + "id": "control-0235", + "title": "Speakerphones", "parts": [ { - "id": "control-0378-stmt", + "id": "control-0235-stmt", "name": "statement", - "prose": "Labels and markings indicating the classification, codewords, caveats, owner, system, network, or any other marking that can associate media with its original use, are removed prior to disposal." + "prose": "Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in a room rated as audio secure, the room is audio secure during conversations and only personnel involved in discussions are present in the room." } ] - } - ] - }, - { - "id": "media_sanitisation", - "title": "Media sanitisation", - "controls": [ + }, { - "id": "control-0348", - "title": "Media sanitisation process and procedures", + "id": "control-0236", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0348-stmt", + "id": "control-0236-stmt", "name": "statement", - "prose": "A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented." + "prose": "In PROTECTED areas, off-hook audio protection features are used on all telephones that are not authorised for the transmission of PROTECTED information." } ] }, { - "id": "control-0351", - "title": "Volatile media sanitisation", + "id": "control-0931", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0351-stmt", + "id": "control-0931-stmt", "name": "statement", - "prose": "Volatile media is sanitised by removing power from the media for at least 10 minutes or by overwriting all locations on the media with a random pattern followed by a read back for verification." + "prose": "In SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of SECRET information." 
} ] }, { - "id": "control-0352", - "title": "Volatile media sanitisation", + "id": "control-0237", + "title": "Off-hook audio protection", "parts": [ { - "id": "control-0352-stmt", + "id": "control-0237-stmt", "name": "statement", - "prose": "Volatile media is sanitised by overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification, and then followed by removing power from the media for at least 10 minutes." + "prose": "In TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used on all telephones that are not authorised for the transmission of TOP SECRET information." } ] - }, + } + ] + }, + { + "id": "fax_machines_and_multifunction_devices", + "title": "Fax machines and multifunction devices", + "controls": [ { - "id": "control-0835", - "title": "Treatment of volatile media following sanitisation", + "id": "control-0588", + "title": "Fax machine and multifunction device usage policy", "parts": [ { - "id": "control-0835-stmt", + "id": "control-0588-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time." + "prose": "A fax machine and MFD usage policy is developed and implemented." } ] }, { - "id": "control-1065", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-1092", + "title": "Sending fax messages", "parts": [ { - "id": "control-1065-stmt", + "id": "control-1092-stmt", "name": "statement", - "prose": "The host-protected area and device configuration overlay table of non-volatile magnetic media is reset prior to sanitisation." + "prose": "Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages." 
} ] }, { - "id": "control-0354", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-0241", + "title": "Sending fax messages", "parts": [ { - "id": "control-0354-stmt", + "id": "control-0241-stmt", "name": "statement", - "prose": "Non-volatile magnetic media is sanitised by booting from separate media to the media being sanitised and then overwriting the media at least once (or three times if pre-2001 or under 15 Gigabytes) in its entirety with a random pattern followed by a read back for verification." + "prose": "When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN." } ] }, { - "id": "control-1067", - "title": "Non-volatile magnetic media sanitisation", + "id": "control-1075", + "title": "Receiving fax messages", "parts": [ { - "id": "control-1067-stmt", + "id": "control-1075-stmt", "name": "statement", - "prose": "The ATA secure erase command is used where available, in addition to using block overwriting software, to ensure the growth defects table (g-list) is overwritten." + "prose": "The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time." } ] }, { - "id": "control-0356", - "title": "Treatment of non-volatile magnetic media following sanitisation", + "id": "control-0590", + "title": "Connecting multifunction devices to networks", "parts": [ { - "id": "control-0356-stmt", + "id": "control-0590-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile magnetic media retains its classification." + "prose": "Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network." 
} ] }, { - "id": "control-0357", - "title": "Non-volatile erasable programmable read-only memory media sanitisation", + "id": "control-0245", + "title": "Connecting multifunction devices to both networks and digital telephone systems", "parts": [ { - "id": "control-0357-stmt", + "id": "control-0245-stmt", "name": "statement", - "prose": "Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected." } ] }, { - "id": "control-0836", - "title": "Non-volatile electrically erasable programmable read-only memory media sanitisation", + "id": "control-0589", + "title": "Copying documents on multifunction devices", "parts": [ { - "id": "control-0836-stmt", + "id": "control-0589-stmt", "name": "statement", - "prose": "Non-volatile EEPROM media is sanitised by overwriting the media at least once in its entirety with a random pattern followed by a read back for verification." + "prose": "MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network." } ] }, { - "id": "control-0358", - "title": "Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation", + "id": "control-1036", + "title": "Observing fax machine and multifunction device use", "parts": [ { - "id": "control-0358-stmt", + "id": "control-1036-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification." 
+ "prose": "Fax machines and MFDs are located in areas where their use can be observed." } ] - }, + } + ] + } + ] + }, + { + "id": "guidelines_for_system_management", + "title": "Guidelines for System Management", + "groups": [ + { + "id": "data_backup_and_restoration", + "title": "Data backup and restoration", + "controls": [ { - "id": "control-0359", - "title": "Non-volatile flash memory media sanitisation", + "id": "control-1510", + "title": "Digital preservation policy", "parts": [ { - "id": "control-0359-stmt", + "id": "control-1510-stmt", "name": "statement", - "prose": "Non-volatile flash memory media is sanitised by overwriting the media at least twice in its entirety with a random pattern followed by a read back for verification." + "prose": "A digital preservation policy is developed and implemented." } ] }, { - "id": "control-0360", - "title": "Treatment of non-volatile flash memory media following sanitisation", + "id": "control-1547", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-0360-stmt", + "id": "control-1547-stmt", "name": "statement", - "prose": "Following sanitisation, highly classified non-volatile flash memory media retains its classification." + "prose": "A data backup process, and supporting data backup procedures, is developed and implemented." } ] }, { - "id": "control-1464", - "title": "Encrypted media sanitisation", + "id": "control-1548", + "title": "Data backup and restoration processes and procedures", "parts": [ { - "id": "control-1464-stmt", + "id": "control-1548-stmt", "name": "statement", - "prose": "Where a consumer guide for evaluated encryption software exists, the sanitisation and post-sanitisation requirements stated in the consumer guide are followed." + "prose": "A data restoration process, and supporting data restoration procedures, is developed and implemented." 
} ] - } - ] - } - ] - }, - { - "id": "guidelines_for_cyber_security_roles", - "title": "Guidelines for Cyber Security Roles", - "groups": [ - { - "id": "chief_information_security_officer", - "title": "Chief Information Security Officer", - "controls": [ + }, { - "id": "control-0714", - "title": "Providing cyber security leadership and guidance", + "id": "control-1511", + "title": "Performing and retaining backups", "parts": [ { - "id": "control-0714-stmt", + "id": "control-1511-stmt", "name": "statement", - "prose": "A CISO is appointed to provide cyber security leadership and guidance for their organisation." + "prose": "Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements." } ] }, { - "id": "control-1478", - "title": "Overseeing the cyber security program", + "id": "control-1705", + "title": "Backup access and modification", "parts": [ { - "id": "control-1478-stmt", + "id": "control-1705-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation." + "prose": "Unprivileged accounts, and privileged accounts (excluding backup administrators) cannot access other account’s backups." } ] }, { - "id": "control-1617", - "title": "Overseeing the cyber security program", + "id": "control-1706", + "title": "Backup access and modification", "parts": [ { - "id": "control-1617-stmt", + "id": "control-1706-stmt", "name": "statement", - "prose": "The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities." + "prose": "Unprivileged accounts, and privileged accounts (excluding backup administrators) can’t access their own account’s backups." 
} ] }, { - "id": "control-0724", - "title": "Overseeing the cyber security program", + "id": "control-1707", + "title": "Backup access and modification", "parts": [ { - "id": "control-0724-stmt", + "id": "control-1707-stmt", "name": "statement", - "prose": "The CISO implements cyber security measurement metrics and key performance indicators for their organisation." + "prose": "Unprivileged accounts, and privileged accounts (excluding backup administrators), are prevented from modifying or deleting backups." } ] }, { - "id": "control-0725", - "title": "Coordinating cyber security", + "id": "control-1708", + "title": "Backup access and modification", "parts": [ { - "id": "control-0725-stmt", + "id": "control-1708-stmt", "name": "statement", - "prose": "The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis." + "prose": "Backup administrators (excluding backup break glass accounts), are prevented from modifying or deleting backups." } ] }, { - "id": "control-0726", - "title": "Coordinating cyber security", + "id": "control-1515", + "title": "Testing restoration of backups", "parts": [ { - "id": "control-0726-stmt", + "id": "control-1515-stmt", "name": "statement", - "prose": "The CISO coordinates security risk management activities between cyber security and business teams." + "prose": "Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises." 
} ] - }, + } + ] + }, + { + "id": "change_management", + "title": "Change management", + "controls": [ { - "id": "control-0718", - "title": "Reporting on cyber security", + "id": "control-1211", + "title": "Change management process and procedures", "parts": [ { - "id": "control-0718-stmt", + "id": "control-1211-stmt", "name": "statement", - "prose": "The CISO reports directly to their organisation’s senior executive and/or Board on cyber security matters." + "prose": "A change management process, and supporting change management procedures, is developed and implemented covering:\n• identification and documentation of requests for change\n• approval required for changes to be made\n• assessment of potential security impacts\n• notification of any planned disruptions or outages\n• implementation and testing of approved changes\n• the maintenance of system and security documentation." } ] - }, + } + ] + }, + { + "id": "system_administration", + "title": "System administration", + "controls": [ { - "id": "control-0733", - "title": "Overseeing incident response activities", + "id": "control-0042", + "title": "System administration process and procedures", "parts": [ { - "id": "control-0733-stmt", + "id": "control-0042-stmt", "name": "statement", - "prose": "The CISO is fully aware of all cyber security incidents within their organisation." + "prose": "A system administration process, with supporting system administration procedures, is developed and implemented." } ] }, { - "id": "control-1618", - "title": "Overseeing incident response activities", + "id": "control-1380", + "title": "Separate privileged operating environments", "parts": [ { - "id": "control-1618-stmt", + "id": "control-1380-stmt", "name": "statement", - "prose": "The CISO oversees their organisation’s response to cyber security incidents." + "prose": "Privileged users use separate privileged and unprivileged operating environments." 
} ] }, { - "id": "control-0734", - "title": "Contributing to business continuity and disaster recovery planning", + "id": "control-1687", + "title": "Separate privileged operating environments", "parts": [ { - "id": "control-0734-stmt", + "id": "control-1687-stmt", "name": "statement", - "prose": "The CISO contributes to the development and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster." + "prose": "Privileged operating environments are not virtualised within unprivileged operating environments." } ] }, { - "id": "control-0720", - "title": "Developing a cyber security communications strategy", + "id": "control-1688", + "title": "Separate privileged operating environments", "parts": [ { - "id": "control-0720-stmt", + "id": "control-1688-stmt", "name": "statement", - "prose": "The CISO develops and maintains a cyber security communications strategy for their organisation." + "prose": "Unprivileged accounts cannot logon to privileged operating environments." } ] }, { - "id": "control-0731", - "title": "Working with suppliers and service providers", + "id": "control-1689", + "title": "Separate privileged operating environments", "parts": [ { - "id": "control-0731-stmt", + "id": "control-1689-stmt", "name": "statement", - "prose": "The CISO oversees cyber supply chain risk management activities for their organisation." + "prose": "Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments." } ] }, { - "id": "control-0732", - "title": "Receiving and managing a dedicated cyber security budget", + "id": "control-1381", + "title": "Separate privileged operating environments", "parts": [ { - "id": "control-0732-stmt", + "id": "control-1381-stmt", "name": "statement", - "prose": "The CISO receives and manages a dedicated cyber security budget for their organisation." 
+ "prose": "Dedicated administrator workstations used for privileged tasks are prevented from communicating to assets not related to administrative activities." } ] }, { - "id": "control-0717", - "title": "Overseeing cyber security personnel", + "id": "control-1383", + "title": "Separate privileged operating environments", "parts": [ { - "id": "control-0717-stmt", + "id": "control-1383-stmt", "name": "statement", - "prose": "The CISO oversees the management of cyber security personnel within their organisation." + "prose": "All administrative infrastructure including, but not limited to, administrator workstations and jump servers are hardened." } ] }, { - "id": "control-0735", - "title": "Overseeing cyber security awareness raising", + "id": "control-1385", + "title": "Dedicated administration zones and communication restrictions", "parts": [ { - "id": "control-0735-stmt", + "id": "control-1385-stmt", "name": "statement", - "prose": "The CISO oversees the development and operation of their organisation’s cyber security awareness training program." + "prose": "Administrator workstations are placed into a separate network zone to user workstations." } ] - } - ] - }, - { - "id": "system_owners", - "title": "System owners", - "controls": [ + }, { - "id": "control-1071", - "title": "System ownership and oversight", + "id": "control-1386", + "title": "Restriction of management traffic flows", "parts": [ { - "id": "control-1071-stmt", + "id": "control-1386-stmt", "name": "statement", - "prose": "Each system has a designated system owner." + "prose": "Management traffic is only allowed to originate from network zones that are used to administer systems and applications." } ] }, { - "id": "control-1525", - "title": "System ownership and oversight", + "id": "control-1387", + "title": "Jump servers", "parts": [ { - "id": "control-1525-stmt", + "id": "control-1387-stmt", "name": "statement", - "prose": "System owners register each system with its authorising officer." 
+ "prose": "Administrative activities are conducted through jump servers." } ] }, { - "id": "control-1633", - "title": "Protecting systems and their resources", + "id": "control-1388", + "title": "Jump servers", "parts": [ { - "id": "control-1633-stmt", + "id": "control-1388-stmt", "name": "statement", - "prose": "System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised." + "prose": "Jump servers are prevented from communicating to assets and sending and receiving traffic not related to administrative activities." } ] - }, + } + ] + }, + { + "id": "system_patching", + "title": "System patching", + "controls": [ { - "id": "control-1634", - "title": "Protecting systems and their resources", + "id": "control-1143", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1634-stmt", + "id": "control-1143-stmt", "name": "statement", - "prose": "System owners select security controls for each system and tailor them to achieve desired security objectives." + "prose": "A patch management process, and supporting patch management procedures, is developed and implemented." } ] }, { - "id": "control-1635", - "title": "Protecting systems and their resources", + "id": "control-1493", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1635-stmt", + "id": "control-1493-stmt", "name": "statement", - "prose": "System owners implement identified security controls within each system and its operating environment." + "prose": "Software registers are maintained and regularly audited for workstations, servers, mobile devices, network devices and all other ICT equipment." 
} ] }, { - "id": "control-1636", - "title": "Protecting systems and their resources", + "id": "control-1643", + "title": "Patch management process and procedures", "parts": [ { - "id": "control-1636-stmt", + "id": "control-1643-stmt", "name": "statement", - "prose": "System owners ensure security controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended." + "prose": "Software registers contain versions and patch histories of applications, drivers, operating systems and firmware." } ] }, { - "id": "control-0027", - "title": "Protecting systems and their resources", + "id": "control-1690", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-0027-stmt", + "id": "control-1690-stmt", "name": "statement", - "prose": "System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation." + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists." } ] }, { - "id": "control-1526", - "title": "Protecting systems and their resources", + "id": "control-1691", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1526-stmt", + "id": "control-1691-stmt", "name": "statement", - "prose": "System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis." + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release." 
} ] }, { - "id": "control-1587", - "title": "Annual reporting of system security status", + "id": "control-1692", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1587-stmt", + "id": "control-1692-stmt", "name": "statement", - "prose": "System owners report the security status of each system to its authorising officer at least annually." + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours if an exploit exists." } ] - } - ] - } - ] - }, - { - "id": "guidelines_for_outsourcing", - "title": "Guidelines for Outsourcing", - "groups": [ - { - "id": "information_technology_and_cloud_services", - "title": "Information technology and cloud services", - "controls": [ + }, { - "id": "control-1631", - "title": "Cyber supply chain risk management", + "id": "control-1693", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1631-stmt", + "id": "control-1693-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are identified and understood." + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month." } ] }, { - "id": "control-1452", - "title": "Cyber supply chain risk management", + "id": "control-1694", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1452-stmt", + "id": "control-1694-stmt", "name": "statement", - "prose": "Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk." 
+ "prose": "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists." } ] }, { - "id": "control-1567", - "title": "Cyber supply chain risk management", + "id": "control-1695", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1567-stmt", + "id": "control-1695-stmt", "name": "statement", - "prose": "Suppliers and service providers identified as high risk are not used." + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release." } ] }, { - "id": "control-1568", - "title": "Cyber supply chain risk management", + "id": "control-1696", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1568-stmt", + "id": "control-1696-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have made a commitment to secure-by-design practices." + "prose": "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within 48 hours if an exploit exists." } ] }, { - "id": "control-1632", - "title": "Cyber supply chain risk management", + "id": "control-1697", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1632-stmt", + "id": "control-1697-stmt", "name": "statement", - "prose": "Components and services relevant to the security of systems are chosen from suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains." 
+ "prose": "Patches, updates or vendor mitigations for security vulnerabilities in drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists." } ] }, { - "id": "control-1569", - "title": "Cyber supply chain risk management", + "id": "control-0300", + "title": "When to patch security vulnerabilities", "parts": [ { - "id": "control-1569-stmt", + "id": "control-0300-stmt", "name": "statement", - "prose": "A shared responsibility model is created, documented and shared between suppliers, service providers and their customers in order to articulate the security responsibilities of each party." + "prose": "High assurance ICT equipment is only patched or updated when approved by the ACSC using methods and timeframes prescribed by the ACSC." } ] }, { - "id": "control-0100", - "title": "Outsourced gateway services", + "id": "control-0298", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-0100-stmt", + "id": "control-0298-stmt", "name": "statement", - "prose": "Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Infosec Registered Assessors Program (IRAP) assessors at least every 24 months." + "prose": "A centralised and managed approach is used to patch or update applications and drivers." } ] }, { - "id": "control-1637", - "title": "Outsourced cloud services", + "id": "control-0303", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1637-stmt", + "id": "control-0303-stmt", "name": "statement", - "prose": "An outsourced cloud services register is maintained and regularly audited." + "prose": "An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1638", - "title": "Outsourced cloud services", + "id": "control-1497", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1638-stmt", + "id": "control-1497-stmt", "name": "statement", - "prose": "An outsourced cloud services register contains the following for each outsourced cloud service:\n• cloud service provider’s name\n• cloud service’s name\n• purpose for using the cloud service\n• sensitivity or classification of data involved\n• due date for the next security assessment of the cloud service\n• point of contact for users of the cloud service\n• point of contact for the cloud service provider." + "prose": "An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-1570", - "title": "Outsourced cloud services", + "id": "control-1498", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1570-stmt", + "id": "control-1498-stmt", "name": "statement", - "prose": "Cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months." + "prose": "A centralised and managed approach is used to patch or update operating systems and firmware." } ] }, { - "id": "control-1529", - "title": "Outsourced cloud services", + "id": "control-1499", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1529-stmt", + "id": "control-1499-stmt", "name": "statement", - "prose": "Only community or private clouds are used for outsourced cloud services." + "prose": "An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used." 
} ] }, { - "id": "control-1395", - "title": "Contractual security requirements", + "id": "control-1500", + "title": "How to patch security vulnerabilities", "parts": [ { - "id": "control-1395-stmt", + "id": "control-1500-stmt", "name": "statement", - "prose": "Service providers provide an appropriate level of protection for any official, sensitive or classified data entrusted to them or their services." + "prose": "An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place." } ] }, { - "id": "control-0072", - "title": "Contractual security requirements", + "id": "control-1698", + "title": "Scanning for missing patches", "parts": [ { - "id": "control-0072-stmt", + "id": "control-1698-stmt", "name": "statement", - "prose": "Security requirements associated with the confidentiality, integrity and availability of data entrusted to a service provider are documented in contractual arrangements." + "prose": "A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services." } ] }, { - "id": "control-1571", - "title": "Contractual security requirements", + "id": "control-1699", + "title": "Scanning for missing patches", "parts": [ { - "id": "control-1571-stmt", + "id": "control-1699-stmt", "name": "statement", - "prose": "The right to audit security controls associated with the protection of data and services is specified in contractual arrangements." + "prose": "A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products." 
} ] }, { - "id": "control-1451", - "title": "Contractual security requirements", + "id": "control-1700", + "title": "Scanning for missing patches", "parts": [ { - "id": "control-1451-stmt", + "id": "control-1700-stmt", "name": "statement", - "prose": "Types of data and its ownership is documented in contractual arrangements." + "prose": "A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications." } ] }, { - "id": "control-1572", - "title": "Contractual security requirements", + "id": "control-1701", + "title": "Scanning for missing patches", "parts": [ { - "id": "control-1572-stmt", + "id": "control-1701-stmt", "name": "statement", - "prose": "The regions or availability zones where data will be processed, stored and communicated is documented in contractual arrangements." + "prose": "A vulnerability scanner is used at least daily to identify missing patches for security vulnerabilities in operating systems of internet-facing services." } ] }, { - "id": "control-1573", - "title": "Contractual security requirements", + "id": "control-1702", + "title": "Scanning for missing patches", "parts": [ { - "id": "control-1573-stmt", + "id": "control-1702-stmt", "name": "statement", - "prose": "Access to all logs relating to an organisation’s data and services are specified in contractual arrangements." + "prose": "A vulnerability scanner is used at least weekly to identify missing patches for security vulnerabilities in operating systems of workstations, servers and network devices." 
} ] }, { - "id": "control-1574", - "title": "Contractual security requirements", + "id": "control-1703", + "title": "Scanning for missing patches", "parts": [ { - "id": "control-1574-stmt", + "id": "control-1703-stmt", "name": "statement", - "prose": "Data entrusted to a service provider is stored in a portable manner that allows organisations to perform backups, service migration or service decommissioning without any loss of data." + "prose": "A vulnerability scanner is used at least weekly to identify missing patches for security vulnerabilities in drivers and firmware." } ] }, { - "id": "control-1575", - "title": "Contractual security requirements", + "id": "control-1704", + "title": "Cessation of support", "parts": [ { - "id": "control-1575-stmt", + "id": "control-1704-stmt", "name": "statement", - "prose": "A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements." + "prose": "Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed." } ] }, { - "id": "control-1073", - "title": "Access to systems and data by service providers", + "id": "control-0304", + "title": "Cessation of support", "parts": [ { - "id": "control-1073-stmt", + "id": "control-0304-stmt", "name": "statement", - "prose": "An organisation’s systems and data are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so." + "prose": "Applications that are no longer supported by vendors are removed." 
} ] }, { - "id": "control-1576", - "title": "Access to systems and data by service providers", + "id": "control-1501", + "title": "Cessation of support", "parts": [ { - "id": "control-1576-stmt", + "id": "control-1501-stmt", "name": "statement", - "prose": "If an organisation’s systems or data are accessed or administered by a service provider in an unauthorised manner, organisations are immediately notified." + "prose": "Operating systems that are no longer supported by vendors are replaced." } ] } diff --git a/ISM_catalog_profile/profiles/ISM_April_2020_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_April_2020_OFFICIAL/profile.json index 51d4019..c3e7dfd 100644 --- a/ISM_catalog_profile/profiles/ISM_April_2020_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_April_2020_OFFICIAL/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "0315f03e-acc3-47e4-ab54-ddc6be9f2535", + "uuid": "62273e83-bd96-4da8-890f-523881646f03", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:21:14.273+00:00", + "last-modified": "2022-04-28T11:45:23.595181+10:00", "version": "April_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
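Review bot: the catalog hunks ending here overwrite the `id`, `title` and `prose` of existing entries in place (for example control-1395 "Contractual security requirements" becomes control-1500 "How to patch security vulnerabilities", and control-1576 "Access to systems and data by service providers" becomes control-1501 "Cessation of support"), which is what a reorder of the group's control list looks like once the generator changes output order, but nothing in the commit message says so. The replaced ids still appear as included controls in the profile hunks below (the added lines there carry control-1395, control-0072, control-1073, control-1451 and control-1452), so this looks like ordering rather than a content change; suggest stating in the commit message that trestle 1.0.x changed the serialisation order, and confirming with a before/after comparison of the id set per group that no control was dropped or moved into a different group, since an in-place rewrite of ids cannot be distinguished from that by reading the diff alone.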
@@ -14,66 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -90,6 +43,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -105,9 +61,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
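Review bot: the three hunks on the OFFICIAL `with-ids` list here are pure reordering, and the same holds for the rest of this file: control-0374, control-0375 and control-0378 are removed in the `@@ -105,9 +61,6 @@` hunk and inserted unchanged in the `@@ -90,6 +43,9 @@` hunk, and every id removed at the top of the `@@ -14,66 +14,19 @@` hunk (control-0042 through control-1024) reappears as an added line in a later hunk of the same profile. Profile resolution selects controls by id, so the membership is unchanged and the churn is avoidable; suggest the generator emit `with-ids` in a stable order (sorted, or the catalog's own order) so that future regenerations give minimal diffs and a reviewer can tell a real change in the included set from a reorder.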
@@ -118,132 +71,44 @@ "control-0359", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + 
"control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0643", "control-1157", "control-1158", "control-0648", "control-0610", + "control-0591", + "control-1480", + "control-0593", "control-0258", "control-0260", "control-0261", 
@@ -258,121 +123,162 @@ "control-0963", "control-0961", "control-1237", - "control-0591", - "control-1480", - "control-0593", - "control-1458", - "control-1431", - "control-1432", - "control-1433", - "control-1434", - "control-1435", - "control-1436", - "control-1518", - "control-1437", - "control-1438", - "control-1439", - "control-1441", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0405", - "control-1503", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1403", - "control-0431", - 
"control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-0667", + "control-1294", + "control-1295", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + 
"control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0100", + "control-1395", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -398,33 +304,150 @@ "control-1417", "control-1390", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + 
"control-0999", + "control-1000", + "control-1001", + "control-1458", + "control-1431", + "control-1432", + "control-1433", + "control-1434", + "control-1435", + "control-1436", + "control-1518", + "control-1437", + "control-1438", + "control-1439", + "control-1441", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", "control-0123", "control-0141", "control-0140", @@ -443,17 +466,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -465,158 +477,146 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0663", - "control-0661", - 
"control-0657", - "control-1187", - "control-0667", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", "control-1071", "control-1525", "control-0027", "control-1526", - "control-0100", - "control-1395", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0714", + "control-1478", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0405", + "control-1503", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1404", + "control-0407", + 
"control-0441", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_April_2020_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_April_2020_PROTECTED/profile.json index b278dbf..4b403d5 100644 --- a/ISM_catalog_profile/profiles/ISM_April_2020_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_April_2020_PROTECTED/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "40eb3e81-7236-4029-8668-987f691bc653", + "uuid": "dcd21efb-9a00-4e94-8902-550a35440a50", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:21:14.277+00:00", + "last-modified": "2022-04-28T11:45:23.599169+10:00", "version": "April_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
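Review bot: in this `@@ -1,9 +1,9 @@` hunk, as in the matching OFFICIAL hunk above, the profile `uuid` is regenerated and `last-modified` changes from a UTC timestamp with millisecond precision (`2021-11-04T01:21:14.277+00:00`) to a local `+10:00` offset with microseconds (`2022-04-28T11:45:23.599169+10:00`). Issuing a fresh uuid on every run changes the profile's identity even when the included controls do not change, so anything that references the profile by uuid breaks on regeneration; suggest preserving the existing uuid when the content is unchanged, and normalising the timestamp to UTC so output is comparable across machines. The unchanged `remarks` context line also carries the typo `scrips/ISM/ISM.py` in the generator path, which could be fixed in the same pass.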
@@ -14,67 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -91,6 +43,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -106,9 +61,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
@@ -119,132 +71,44 @@ "control-0359", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + 
"control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0643", "control-1157", "control-1158", "control-0648", "control-0610", + "control-0591", + "control-1480", + "control-0593", "control-0258", "control-0260", "control-0261", 
@@ -259,125 +123,162 @@ "control-0963", "control-0961", "control-1237", - "control-0591", - "control-1480", - "control-0593", - "control-1458", - "control-1431", - "control-1432", - "control-1433", - "control-1434", - "control-1435", - "control-1436", - "control-1518", - "control-1437", - "control-1438", - "control-1439", - "control-1441", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1462", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-1538", - "control-0405", - "control-1503", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - 
"control-0421", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-0667", + "control-1294", + "control-1295", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + 
"control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0100", + "control-1395", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -403,33 +304,151 @@ "control-1417", "control-1390", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + 
"control-0999", + "control-1000", + "control-1001", + "control-1458", + "control-1431", + "control-1432", + "control-1433", + "control-1434", + "control-1435", + "control-1436", + "control-1518", + "control-1437", + "control-1438", + "control-1439", + "control-1441", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1462", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", "control-0123", "control-0141", "control-0140", @@ -448,17 +467,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -470,158 +478,150 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0663", - "control-0661", - 
"control-0657", - "control-1187", - "control-0667", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", "control-1071", "control-1525", "control-0027", "control-1526", - "control-0100", - "control-1395", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0714", + "control-1478", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-1538", + "control-0405", + "control-1503", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + 
"control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_April_2020_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_April_2020_SECRET/profile.json index cd08398..da0cb70 100644 --- a/ISM_catalog_profile/profiles/ISM_April_2020_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_April_2020_SECRET/profile.json 
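Review bot: every change in the `with-ids` hunks above is a removal paired with a re-insertion of the same id elsewhere in the list (the block `- "control-0938"` … `- "control-1489"` at the top of the `@@ -403,33 +304,151 @@` hunk reappears as `+ "control-0938"` … `+ "control-1489"` just above it, and the `- "control-1245"` … `- "control-1264"` group removed in `@@ -448,17 +467,6 @@` is re-added in the following hunk), so the profile's control selection is unchanged while the diff runs to several hundred lines. Since `with-ids` is a selection rather than an ordered list, have the generator referenced in `remarks` emit the ids in a stable order (sorted by the numeric suffix) so that a regeneration produces a reviewable diff and a genuine addition or removal of a control stands out instead of being buried in a reorder.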
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "2a578c0a-2a32-4391-94a6-25887cbfd401", + "uuid": "a2183051-fe00-46c7-afa4-a265fda0887c", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:21:14.282+00:00", + "last-modified": "2022-04-28T11:45:23.604155+10:00", "version": "April_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
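Review bot: the regenerated `last-modified` switches from a UTC timestamp (`2021-11-04T01:21:14.282+00:00`) to a local-time one with microsecond precision (`2022-04-28T11:45:23.604155+10:00`). Both are valid OSCAL date-times, but writing UTC (for example `datetime.now(timezone.utc).isoformat(timespec="milliseconds")`) keeps the value independent of the time zone of the machine that ran the generator and lets the profiles be compared by eye. The unchanged `remarks` context line still reads `scrips/ISM/ISM.py`; that typo comes from the generator's template and should be corrected there in the same pass rather than left in every emitted file.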
@@ -14,69 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -93,6 +43,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -108,9 +61,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0352", "control-1065", 
@@ -124,121 +74,40 @@ "control-0360", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + 
"control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", "control-0641", "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0645", "control-1158", "control-0646", @@ -253,6 +122,10 @@ "control-0670", "control-1523", "control-0610", + "control-1480", + "control-1457", + "control-0593", + "control-0594", "control-0258", "control-0260", "control-0261", 
@@ -267,123 +140,173 @@ "control-0963", "control-0961", "control-1237", - "control-1480", - "control-1457", - "control-0593", - "control-0594", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1461", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0420", - "control-1538", - "control-0405", - "control-1503", - "control-0409", - "control-0411", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-0078", - "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - 
"control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0663", + "control-0661", + "control-0665", + "control-0675", + "control-0664", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-0667", + "control-0660", + "control-0673", + "control-1294", + "control-1295", + "control-0247", + 
"control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1395", + "control-1529", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -408,33 +331,131 @@ "control-1416", "control-1417", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + 
"control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1461", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", "control-0123", "control-0141", "control-0140", @@ -453,17 +474,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -475,170 +485,160 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - 
"control-1293", - "control-0663", - "control-0661", - "control-0665", - "control-0675", - "control-0664", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-0667", - "control-0660", - "control-0673", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", "control-1071", "control-1525", "control-0027", "control-1526", - "control-1395", - "control-1529", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0714", + "control-1478", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + 
"control-0414", + "control-0415", + "control-0975", + "control-0420", + "control-1538", + "control-0405", + "control-1503", + "control-0409", + "control-0411", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-0078", + "control-0854", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_April_2020_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_April_2020_TOP_SECRET/profile.json index a00de6a..a959cc5 100644 --- a/ISM_catalog_profile/profiles/ISM_April_2020_TOP_SECRET/profile.json 
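Review bot: the SECRET profile's `with-ids` hunks move ids that exist only at this classification (`control-0613`, `control-0300`, `control-0269`, `control-1013`, `control-0420`, `control-1218`, `control-0312`) together with the common ones, and in a reorder of this size a dropped or duplicated id would not be visible. Before merging, check set equality of the old and new lists mechanically, for example `git show <base>:ISM_catalog_profile/profiles/ISM_April_2020_SECRET/profile.json | jq -r '.profile.imports[]."include-controls"[]."with-ids"[]' | sort` against the same command on the new file, and diff the two outputs; four-id moves such as `control-1480`, `control-1457`, `control-0593`, `control-0594` (added in `@@ -253,6 +122,10 @@`, removed in the next hunk) should then show as no-ops. If that check passes, the same sorted-order change suggested for the previous profile applies here.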
+++ b/ISM_catalog_profile/profiles/ISM_April_2020_TOP_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "7d253841-36da-456f-8031-54a53552051c", + "uuid": "b8c25624-e401-4c74-bc21-156bd80bd265", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:21:14.286+00:00", + "last-modified": "2022-04-28T11:45:23.608144+10:00", "version": "April_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
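Review bot: the `uuid` is replaced here (`7d253841-…` to `b8c25624-…`) as it is in the SECRET profile, while the `with-ids` hunks for these files are reorders of the same ids. OSCAL expects a new document uuid when content changes, but if the generator mints a fresh random uuid on every run, profiles whose selection has not changed will still churn on each regeneration. Deriving the uuid deterministically from the content (for instance a uuid5 over the ISM version and the sorted id list) would make an unchanged profile produce an identical file, so that a uuid change in a diff means something.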
@@ -14,69 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -92,6 +42,9 @@ "control-0372", "control-0373", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -107,9 +60,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0352", "control-0835", 
@@ -124,119 +74,40 @@ "control-0360", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + 
"control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", "control-0641", "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0645", "control-1158", "control-0646", @@ -251,6 +122,10 @@ "control-0670", "control-1523", "control-0610", + "control-1480", + "control-1457", + "control-0593", + "control-0594", "control-0258", "control-0260", "control-0261", 
@@ -265,214 +140,55 @@ "control-0963", "control-0961", "control-1237", - "control-1480", - "control-1457", - "control-0593", - "control-0594", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1461", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0420", - "control-1538", - "control-0405", - "control-1503", - "control-0409", - "control-0411", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-0078", - "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - 
"control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1491", - "control-1410", - "control-1469", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + 
"control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", "control-1082", "control-1083", "control-0240", 
@@ -490,39 +206,46 @@ "control-1088", "control-1300", "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0201", - "control-0202", - "control-0203", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0218", - "control-0247", - "control-1137", - "control-0249", - "control-0246", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0663", + "control-0661", + "control-0665", + "control-0675", + "control-0664", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-0667", + "control-0660", + "control-0673", + "control-1294", + "control-1295", + "control-0247", + "control-1137", + "control-0249", + "control-0246", "control-0250", "control-0181", "control-0926", 
@@ -556,95 +279,372 @@ "control-0198", "control-1123", "control-1135", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0663", - "control-0661", - "control-0665", - "control-0675", - "control-0664", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-0667", - "control-0660", - "control-0673", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", + "control-0201", + "control-0202", + "control-0203", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0218", "control-1395", "control-1529", "control-0873", "control-0072", "control-1073", "control-1451", - "control-1452" + "control-1452", + "control-0938", + "control-1467", + 
"control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1491", + "control-1410", + "control-1469", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1314", + 
"control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1461", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-0123", + "control-0141", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1213", + "control-0138", + "control-0576", + "control-0120", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + "control-1478", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + 
"control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0420", + "control-1538", + "control-0405", + "control-1503", + "control-0409", + "control-0411", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-0078", + "control-0854", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + 
"control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_April_2021_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_April_2021_OFFICIAL/profile.json index 260f956..a4ab521 100644 --- a/ISM_catalog_profile/profiles/ISM_April_2021_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_April_2021_OFFICIAL/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "aed3b436-a576-4c2b-81ef-071a41d07ad9", + "uuid": "7fb9a7ba-494b-42fc-82c3-145c907bdc8e", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:20:19.033+00:00", + "last-modified": "2022-04-28T11:43:31.277632+10:00", "version": "April_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
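Review bot: the metadata hunk for ISM_April_2021_OFFICIAL/profile.json mints a new profile uuid (aed3b436-a576-4c2b-81ef-071a41d07ad9 to 7fb9a7ba-494b-42fc-82c3-145c907bdc8e) and rewrites last-modified as a local-offset timestamp with microsecond precision ("2022-04-28T11:43:31.277632+10:00") where the previous value was UTC with millisecond precision ("2021-11-04T01:20:19.033+00:00"). If the uuid is meant to identify this profile across regenerations, the generator should keep it stable rather than issue a fresh one on every run, and last-modified should be emitted in one consistent form (UTC, fixed precision) so that pure timestamp churn does not land in every commit. The unchanged remarks context line also carries the typo "scrips/ISM/ISM.py"; that string is produced by the generator, so it should be corrected there.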
@@ -14,394 +14,170 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + 
"control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - 
"control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - 
"control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-1629", - "control-0473", - "control-1630", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - 
"control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1115", + "control-1104", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-0100", + "control-1637", + "control-1638", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", "control-1406", "control-1608", "control-1588", 
@@ -438,127 +214,168 @@ "control-1390", "control-1418", "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0181", - "control-1111", - "control-0211", - "control-0208", - "control-0206", - "control-1096", - "control-1639", - "control-1640", - "control-0926", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1115", - "control-1104", - "control-1105", - "control-1095", - 
"control-1107", - "control-1109", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-0213", - "control-1116", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + 
"control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -589,25 +406,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", 
@@ -625,78 +432,271 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", "control-0325", "control-0330", - "control-0831", - "control-1059", - "control-0332", - "control-1600", - "control-1642", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-0100", - "control-1637", - "control-1638", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0831", + "control-1059", + "control-0332", + "control-1600", + "control-1642", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-1629", + "control-0473", + 
"control-1630", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + 
"control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + 
"control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_April_2021_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_April_2021_PROTECTED/profile.json index 72613c7..ba6925b 100644 --- a/ISM_catalog_profile/profiles/ISM_April_2021_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_April_2021_PROTECTED/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "d0d0ac4f-f9fc-4450-b731-19b8331f4349", + "uuid": "4168bbe3-34f8-409c-979e-7d279af13c5a", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:20:19.038+00:00", + "last-modified": "2022-04-28T11:43:31.282579+10:00", "version": "April_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
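Review bot: the `uuid` of the PROTECTED profile is replaced with a freshly generated value (`d0d0ac4f-...` to `4168bbe3-...`) even though the profile is a regeneration of the same April_2021 content, which breaks any import or assessment result that refers to the profile by uuid; consider keeping the uuid stable when the control set is unchanged, or deriving it deterministically from the content. In the same hunk `last-modified` moves from a UTC timestamp (`2021-11-04T01:20:19.038+00:00`) to a local-offset one with microsecond precision (`2022-04-28T11:43:31.282579+10:00`), so the value now depends on the generating machine's timezone; emitting UTC at a fixed precision would keep the field comparable across regenerations.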
@@ -14,394 +14,170 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + 
"control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - 
"control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - 
"control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-1629", - "control-0473", - "control-1630", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - 
"control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1115", + "control-1104", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-0100", + "control-1637", + "control-1638", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", "control-1406", "control-1608", "control-1588", 
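Review bot: this hunk removes 394 lines of `with-ids` and adds 170, but the bulk of it is reordering rather than a change in which controls the PROTECTED profile includes; for example `control-0457` and `control-0465` are deleted here and re-added in the later `@@ -626,78 +433,271 @@` hunk. Because the included control set is the security-relevant content of the profile, a diff like this makes it impossible to review whether any control was actually added or dropped. Suggest having the generator emit ids in a stable order (the catalog's order or sorted) so regenerations produce minimal diffs, and until then stating in the PR description the set difference of ids per profile.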
@@ -438,128 +214,169 @@ "control-1390", "control-1418", "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1462", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0181", - "control-1111", - "control-0211", - "control-0208", - "control-0206", - "control-1096", - "control-1639", - "control-1640", - "control-0926", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1115", - "control-1104", - "control-1105", - 
"control-1095", - "control-1107", - "control-1109", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-0213", - "control-1116", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1462", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + 
"control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -590,25 +407,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", 
@@ -626,78 +433,271 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", "control-0325", "control-0330", - "control-0831", - "control-1059", - "control-0332", - "control-1600", - "control-1642", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-0100", - "control-1637", - "control-1638", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0831", + "control-1059", + "control-0332", + "control-1600", + "control-1642", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-1629", + "control-0473", + 
"control-1630", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + 
"control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + 
"control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_April_2021_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_April_2021_SECRET/profile.json index 13c0e81..06e7f48 100644 --- a/ISM_catalog_profile/profiles/ISM_April_2021_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_April_2021_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "efad6a19-39c3-4cd0-a8c2-54fd02484c52", + "uuid": "b4da47bf-bd5b-4d3e-b861-ec50549a1b4e", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:20:19.043+00:00", + "last-modified": "2022-04-28T11:43:31.287598+10:00", "version": "April_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
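Review bot: the unchanged `remarks` context in this hunk says the content was generated by `scrips/ISM/ISM.py`, which looks like a typo for `scripts/`; since the same string appears in every profile, fixing it in the generator once would correct all of them on the next run. Given that every profile's uuid and ordering changed, it would also help to confirm that the generator revision which produced this output is committed in the same PR, so the regeneration is reproducible from the repository rather than from a local checkout.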
@@ -14,288 +14,451 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - 
"control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", + "control-0247", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1115", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + 
"control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - 
"control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + 
"control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + 
"control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-1641", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0840", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0330", + "control-0831", + "control-1059", + "control-0332", + "control-1600", + "control-1642", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -303,7 +466,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -320,15 +498,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -371,344 +540,175 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0181", - "control-1111", - "control-0211", - "control-0208", - "control-0206", - "control-1096", - "control-1639", - "control-1640", - "control-0926", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1115", - "control-1105", - "control-1095", - "control-1107", - "control-1109", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-0213", - "control-1116", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - 
"control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-1641", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0840", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0330", - "control-0831", - "control-1059", - "control-0332", - "control-1600", - "control-1642", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-1637", - "control-1638", - "control-1570", - "control-1529", - "control-1395", - 
"control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + 
"control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_April_2021_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_April_2021_TOP_SECRET/profile.json index 2699d3d..99cff2e 100644 --- a/ISM_catalog_profile/profiles/ISM_April_2021_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_April_2021_TOP_SECRET/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "0d637e88-dbc6-4e1a-bf26-c933a5192781", + "uuid": "48c2daa2-ea6f-402b-8c7b-18e1a8f516b0", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:20:19.048+00:00", + "last-modified": "2022-04-28T11:43:31.292585+10:00", "version": "April_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
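Review bot: the last-modified value in this metadata hunk changes format as well as value, from "2021-11-04T01:20:19.048+00:00" (millisecond precision, UTC) to "2022-04-28T11:43:31.292585+10:00" (microsecond precision, local +10:00 offset); if the generator allows it, emit the timestamp in UTC with a fixed precision so that regenerated profiles differ only when their content does. The same hunk regenerates the profile uuid ("0d637e88-dbc6-4e1a-bf26-c933a5192781" to "48c2daa2-ea6f-402b-8c7b-18e1a8f516b0"), so every regeneration will churn both fields even when the included controls are unchanged; if that is intended, it is worth saying so in the PR description. Separately, the unchanged remarks context line reads "This content was generated using scrips/ISM/ISM.py", which looks like a typo for "scripts/ISM/ISM.py" in the generator's template; since the string is copied into every generated profile, fixing it at the source would be cheaper than touching each file.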
@@ -14,286 +14,460 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - 
"control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1216", + "control-1112", + "control-1119", + "control-0184", + "control-0187", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + "control-0194", + "control-0201", + "control-1115", + "control-1133", + "control-1122", + "control-1134", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-0218", + "control-1101", + "control-1103", + "control-1100", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-0198", + "control-1123", + "control-1135", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + 
"control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", "control-0401", "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-1450", - 
"control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1314", + "control-0536", + 
"control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + 
"control-1598", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-1641", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0330", + "control-0831", + "control-1059", + "control-0332", + "control-1600", + "control-1642", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-0835", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -301,7 +475,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -318,15 +507,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -369,353 +549,173 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0181", - "control-1111", - "control-0211", - "control-0208", - "control-0206", - "control-1096", - "control-1639", - "control-1640", - "control-0926", - "control-1216", - "control-1112", - "control-1119", - "control-0184", - "control-0187", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-0195", - "control-0194", - "control-0201", - "control-1115", - "control-1133", - "control-1122", - "control-1134", - "control-1105", - "control-1095", - "control-1107", - "control-1109", - "control-0218", - "control-1101", - "control-1103", - "control-1100", - "control-0213", - "control-1116", - "control-0216", - "control-0217", - "control-0198", - "control-1123", - "control-1135", - "control-0247", - "control-1137", - "control-0249", - "control-0246", - "control-0250", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - 
"control-0306", - "control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-1641", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0330", - "control-0831", - "control-1059", - "control-0332", - "control-1600", - "control-1642", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-0835", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - 
"control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-1637", - "control-1638", - "control-1570", - "control-1529", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + 
"control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_August_2020_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_August_2020_OFFICIAL/profile.json index 64dc7df..462d663 100644 --- a/ISM_catalog_profile/profiles/ISM_August_2020_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_August_2020_OFFICIAL/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "66e3acd4-9d68-40d4-9cfb-0eff4f42413c", + "uuid": "4ea3245c-13e6-411d-b950-4b1f1cc07d17", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:20:56.758+00:00", + "last-modified": "2022-04-28T11:44:47.340249+10:00", "version": "August_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,250 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - 
"control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - 
"control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0569", "control-0571", "control-0570", 
@@ -275,222 +44,27 @@ "control-1234", "control-1502", "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - 
"control-1594", - "control-1595", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1390", - "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", + "control-0264", + "control-0267", + 
"control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", "control-1533", "control-1195", "control-1400", @@ -509,25 +83,34 @@ "control-1366", "control-0874", "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", "control-0826", "control-1215", "control-1216", 
@@ -554,6 +137,220 @@ "control-1106", "control-1107", "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-0100", + "control-1570", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + 
"control-1605", + "control-1606", + "control-1607", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", 
@@ -583,25 +380,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", @@ -618,6 +405,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -635,9 +425,6 @@ "control-1059", "control-0347", "control-0947", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
@@ -647,29 +434,242 @@ "control-0836", "control-0359", "control-1464", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-0100", - "control-1570", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + 
"control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + 
"control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_August_2020_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_August_2020_PROTECTED/profile.json index 0294658..a74c887 100644 --- a/ISM_catalog_profile/profiles/ISM_August_2020_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_August_2020_PROTECTED/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "c7f09a0a-5c7f-4f8d-ae7c-de4ec9c7ff02", + "uuid": "3208f09f-5c7d-4700-a642-dcc99cb25b89", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:20:56.762+00:00", + "last-modified": "2022-04-28T11:44:47.346256+10:00", "version": "August_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,393 +14,174 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + 
"control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-1539", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - 
"control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - 
"control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-1538", - "control-0405", - "control-1503", - "control-1566", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-1545", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - 
"control-1614", - "control-1615", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-0100", + "control-1570", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", "control-1406", "control-1608", 
"control-1588", @@ -432,41 +213,56 @@ "control-1417", "control-1390", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", "control-1460", "control-1604", "control-1605", "control-1606", "control-1607", "control-1462", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", "control-0123", "control-0141", "control-1433", 
@@ -481,84 +277,82 @@ "control-0138", "control-0576", "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + 
"control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -588,25 +382,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", @@ -623,6 +407,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", 
@@ -631,50 +418,263 @@ "control-0330", "control-0332", "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0345", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-0100", - "control-1570", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0345", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + 
"control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-1538", + "control-0405", + "control-1503", + "control-1566", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-1545", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + 
"control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_August_2020_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_August_2020_SECRET/profile.json index b2bc929..745f436 100644 --- a/ISM_catalog_profile/profiles/ISM_August_2020_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_August_2020_SECRET/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "0444a221-f0fb-4efb-9b70-79373fee9fc7", + "uuid": "c9931396-4385-4fa3-b5af-dcb9f706b767", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:20:56.766+00:00", + "last-modified": "2022-04-28T11:44:47.350246+10:00", "version": "August_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
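Review bot: the `remarks` context line in this hunk still says the content was "generated using scrips/ISM/ISM.py" (presumably `scripts/ISM/ISM.py`); since the generator is being re-run for trestle 1.0.x anyway, fix the path at the source so the typo stops being copied into every regenerated profile. Two smaller points on the same hunk: `last-modified` moves from millisecond UTC ("2021-11-04T01:20:56.766+00:00") to microsecond local time ("2022-04-28T11:44:47.350246+10:00"); both are valid RFC 3339, but having the generator emit UTC at a fixed precision keeps the profiles uniform no matter who regenerates them. And the profile gets a fresh `uuid` while `version` stays "August_2020", so anything that pins this profile by uuid will stop resolving; say in the commit message whether that churn is intended.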
@@ -14,395 +14,176 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1539", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - 
"control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - 
"control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0420", - "control-1538", - "control-0405", - "control-1503", - "control-1566", - "control-0409", - "control-0411", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-1545", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-1610", - "control-1611", - "control-1612", - 
"control-1613", - "control-1614", - "control-1615", - "control-0078", - "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", + "control-0247", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-1570", + "control-1529", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + 
"control-1488", + "control-1489", "control-1406", "control-1608", "control-1588", @@ -433,41 +214,56 @@ "control-1416", "control-1417", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", "control-1460", "control-1604", "control-1605", "control-1606", "control-1607", "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", "control-0123", "control-0141", "control-1433", 
@@ -482,82 +278,74 @@ "control-0138", "control-0576", "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + 
"control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", "control-0313", "control-1550", "control-0311", @@ -589,33 +377,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", @@ -632,6 +402,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -649,9 +422,6 @@ "control-1059", "control-0347", "control-0947", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0352", "control-1065", 
@@ -660,33 +430,263 @@ "control-0356", "control-0357", "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-1570", - "control-1529", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0358", + "control-0359", + "control-0360", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0420", + "control-1538", + "control-0405", + "control-1503", + "control-1566", + "control-0409", + "control-0411", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-1545", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-0443", + 
"control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-0078", + "control-0854", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + 
"control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_August_2020_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_August_2020_TOP_SECRET/profile.json index 6dfa61e..ea01910 100644 --- a/ISM_catalog_profile/profiles/ISM_August_2020_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_August_2020_TOP_SECRET/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "1dca663d-84d0-4302-b74f-ce9e6f93f16b", + "uuid": "c7abb7fb-1b8f-4bf9-992f-1c34869e08f0", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:20:56.770+00:00", + "last-modified": "2022-04-28T11:44:47.355231+10:00", "version": "August_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,285 +14,434 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1539", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - 
"control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1216", + "control-1112", + "control-1119", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + "control-0194", + "control-1101", + "control-1103", + "control-1100", + "control-1116", + "control-1115", + "control-1133", + "control-1122", + "control-1134", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0198", + "control-1123", + "control-1135", + "control-0201", + "control-0202", + "control-0203", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0218", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-1570", + "control-1529", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + 
"control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - 
"control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-0120", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + 
"control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-0370", + 
"control-0371", + "control-0372", + "control-0373", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0345", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-0835", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -300,7 +449,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -317,15 +481,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -371,328 +526,173 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - 
"control-0576", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0201", - "control-0202", - "control-0203", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0218", - "control-0247", - "control-1137", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1216", - "control-1112", - "control-1119", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-0195", - "control-0194", - "control-1101", - "control-1103", - "control-1100", - "control-1116", - "control-1115", - "control-1133", - "control-1122", - "control-1134", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0198", - "control-1123", - "control-1135", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1598", - 
"control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0345", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-0835", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-1570", - "control-1529", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + 
"control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + 
"control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_December_2019_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_December_2019_OFFICIAL/profile.json index b5f5373..e82c1f0 100644 --- a/ISM_catalog_profile/profiles/ISM_December_2019_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_December_2019_OFFICIAL/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "50c97f9c-4883-4e92-a81a-eabddb67c2e2", + "uuid": "38744e5c-e157-42cc-89a5-6960956556e3", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:21:31.236+00:00", + "last-modified": "2022-03-23T20:28:13.232099+11:00", "version": "December_2019", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,42 +14,44 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", + "control-0123", + "control-0141", + "control-0140", + "control-0576", + "control-0120", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1213", + "control-0138", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-0667", + "control-1294", + "control-1295", "control-0264", "control-0267", "control-0270", 
@@ -74,6 +76,143 @@ "control-1234", "control-1502", "control-1024", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0100", + "control-1395", + "control-1396", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + 
"control-0310", + "control-0944", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-0947", + "control-1464", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0345", + "control-0831", + "control-1059", + "control-0347", "control-0363", "control-0350", "control-1361", 
@@ -90,60 +229,113 @@ "control-0373", "control-0840", "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0345", - "control-0831", - "control-1059", - "control-0347", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-0947", - "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-0336", + "control-0159", + "control-0161", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0405", + "control-1503", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0258", + "control-0260", + "control-0261", + "control-0263", + "control-0996", + "control-0958", + "control-0995", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0963", + "control-0961", + "control-1237", + "control-0591", + "control-1480", + "control-0593", + "control-0610", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0628", + 
"control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1528", + "control-0639", + "control-1194", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", "control-0477", "control-1054", "control-0479", "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", "control-1506", "control-0484", "control-0485", @@ -151,13 +343,10 @@ "control-0487", "control-0488", "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", + "control-0501", + "control-0142", + "control-1091", + "control-0505", "control-0494", "control-0496", "control-1233", 
@@ -167,113 +356,50 @@ "control-0999", "control-1000", "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0610", - "control-0258", - "control-0260", - "control-0261", - "control-0263", - "control-0996", - "control-0958", - "control-0995", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0963", - "control-0961", - "control-1237", - "control-0591", - "control-1480", - "control-0593", - "control-1458", - "control-1431", - "control-1432", - "control-1433", - "control-1434", - "control-1435", - "control-1436", - "control-1518", - "control-1437", - "control-1438", - "control-1439", - "control-1441", + 
"control-0490", + "control-0481", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1211", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + "control-1478", "control-1314", "control-0536", "control-1315", 
@@ -323,150 +449,33 @@ "control-1028", "control-1030", "control-1185", - "control-0041", - "control-0043", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0405", - "control-1503", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1491", - "control-1410", - "control-1469", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1390", - "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-1163", - "control-0911", - "control-0123", - "control-0141", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", + "control-1458", + "control-1431", + "control-1432", + "control-1433", + "control-1434", + "control-1435", + "control-1436", + "control-1518", + "control-1437", + "control-1438", + "control-1439", + "control-1441", + "control-1163", + "control-0911", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-1082", "control-1083", "control-0240", 
@@ -500,126 +509,117 @@ "control-1366", "control-0874", "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-0667", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - 
"control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-0100", - "control-1395", - "control-1396", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1491", + "control-1410", + "control-1469", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + 
"control-0245", + "control-0589", + "control-1036", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_December_2019_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_December_2019_PROTECTED/profile.json index a04dcf6..216a510 100644 --- a/ISM_catalog_profile/profiles/ISM_December_2019_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_December_2019_PROTECTED/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "20e6d02a-9eb3-4621-878a-d0ad19bbdd64", + "uuid": "f9c49c7a-0f73-4412-bb0b-756322e26f6a", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:21:31.240+00:00", + "last-modified": "2022-03-23T20:28:13.244078+11:00", "version": "December_2019", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
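Review bot: across the seven hunks of ISM_December_2019_OFFICIAL/profile.json the line deltas from the headers (+2, +137, +53, -3, -63, -117, -9) sum to zero, which is consistent with a pure permutation of with-ids but does not prove it, since a dropped ID plus a duplicated one would also net to zero and a JSON list does not reject duplicates. Please add a check (in the demo's test or at least in the PR description) that loads the old and new profile, compares the two ID lists as sets, and asserts len(list) == len(set(list)) for the new one; with that in place the commit message "demos work with trestle 1.0.x" can state explicitly that the OFFICIAL and PROTECTED selections are unchanged.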
@@ -14,42 +14,44 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", + "control-0123", + "control-0141", + "control-0140", + "control-0576", + "control-0120", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1213", + "control-0138", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-0667", + "control-1294", + "control-1295", "control-0264", "control-0267", "control-0270", 
@@ -75,6 +77,143 @@ "control-1234", "control-1502", "control-1024", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0100", + "control-1395", + "control-1396", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + 
"control-0310", + "control-0944", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-0947", + "control-1464", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0345", + "control-0831", + "control-1059", + "control-0347", "control-0363", "control-0350", "control-1361", 
@@ -91,60 +230,116 @@ "control-0373", "control-0840", "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0345", - "control-0831", - "control-1059", - "control-0347", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-0947", - "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-0336", + "control-0159", + "control-0161", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-1538", + "control-0405", + "control-1503", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0258", + "control-0260", + "control-0261", + "control-0263", + "control-0996", + "control-0958", + "control-0995", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0963", + "control-0961", + "control-1237", + "control-0591", + "control-1480", + "control-0593", + "control-0610", + "control-0643", + "control-1157", + 
"control-1158", + "control-0648", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1528", + "control-0639", + "control-1194", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", "control-0477", "control-1054", "control-0479", "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", "control-1506", "control-0484", "control-0485", @@ -152,13 +347,10 @@ "control-0487", "control-0488", "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", + "control-0501", + "control-0142", + "control-1091", + "control-0505", "control-0494", "control-0496", "control-1233", 
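Review bot: the PROTECTED-only IDs survive the reorder rather than being added here: control-0457 and control-0465 are removed from the @@ -152,13 +347,10 @@ hunk and control-1538, control-0816 and control-1545 from the @@ -325,153 +454,33 @@ hunk, and all five reappear among the + lines of @@ -91,60 +230,116 @@. That matches the OFFICIAL file, where the equivalent hunks carry the same IDs minus these five, and the PROTECTED hunk deltas (+2, +137, +56, -3, -63, -120, -9) also sum to zero. Worth recording in the PR that the only difference between the OFFICIAL and PROTECTED with-ids in this patch is those five controls, so the next reviewer does not have to re-derive it from 900 moved lines.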
@@ -168,113 +360,50 @@ "control-0999", "control-1000", "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0610", - "control-0258", - "control-0260", - "control-0261", - "control-0263", - "control-0996", - "control-0958", - "control-0995", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0963", - "control-0961", - "control-1237", - "control-0591", - "control-1480", - "control-0593", - "control-1458", - "control-1431", - "control-1432", - "control-1433", - "control-1434", - "control-1435", - "control-1436", - "control-1518", - "control-1437", - "control-1438", - "control-1439", - "control-1441", + 
"control-0490", + "control-0481", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1211", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + "control-1478", "control-1314", "control-0536", "control-1315", 
@@ -325,153 +454,33 @@ "control-1028", "control-1030", "control-1185", - "control-0041", - "control-0043", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-1538", - "control-0405", - "control-1503", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1491", - "control-1410", - "control-1469", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1390", - "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-1163", - "control-0911", - 
"control-0123", - "control-0141", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", + "control-1458", + "control-1431", + "control-1432", + "control-1433", + "control-1434", + "control-1435", + "control-1436", + "control-1518", + "control-1437", + "control-1438", + "control-1439", + "control-1441", + "control-1163", + "control-0911", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-1082", "control-1083", "control-0240", 
@@ -505,126 +514,117 @@ "control-1366", "control-0874", "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-0667", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - 
"control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-0100", - "control-1395", - "control-1396", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1491", + "control-1410", + "control-1469", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + 
"control-0245", + "control-0589", + "control-1036", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_December_2019_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_December_2019_SECRET/profile.json index 3f493ba..acc18d8 100644 --- a/ISM_catalog_profile/profiles/ISM_December_2019_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_December_2019_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "4961c1a5-2dbc-4d9e-b474-b7b8ad2837f6", + "uuid": "297d25e0-3587-4165-8f04-6afcc13a7de6", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:21:31.244+00:00", + "last-modified": "2022-03-23T20:28:13.249086+11:00", "version": "December_2019", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
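Review bot: the `@@ -1,9 +1,9 @@` hunk for ISM_December_2019_SECRET/profile.json regenerates the profile uuid and rewrites `last-modified` from a UTC millisecond timestamp (`2021-11-04T01:21:31.244+00:00`) to a local-offset microsecond one (`2022-03-23T20:28:13.249086+11:00`); the TOP_SECRET header hunk further down shows the same pattern. If the control set is unchanged and only the ordering moved, a fresh uuid on every regeneration makes equivalent profiles look like distinct documents, so consider keeping the uuid stable unless the included controls actually change, and have the generator emit UTC so timestamps across the profiles compare directly. The unchanged remarks context line also reads "This content was generated using scrips/ISM/ISM.py", which looks like a typo for scripts/; if so, the fix belongs in the generator rather than in the emitted JSON.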
@@ -14,43 +14,53 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", + "control-0123", + "control-0141", + "control-0140", + "control-0576", + "control-0120", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1213", + "control-0138", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0663", + "control-0661", + "control-0665", + "control-0675", + "control-0664", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-0667", + "control-0660", + "control-0673", + "control-1294", + "control-1295", "control-0264", "control-0267", "control-0270", 
@@ -77,6 +87,148 @@ "control-1234", "control-1502", "control-1024", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-0247", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-1529", + "control-1396", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + 
"control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-0348", + "control-0352", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-0947", + "control-1464", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0345", + "control-0831", + "control-1059", + "control-0347", "control-0363", "control-0350", "control-1361", 
@@ -93,37 +245,113 @@ "control-0373", "control-0840", "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0345", - "control-0831", - "control-1059", - "control-0347", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-0947", - "control-1464", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-0336", + "control-0159", + "control-0161", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0420", + "control-1538", + "control-0405", + "control-1503", + "control-0409", + "control-0411", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-0078", + "control-0854", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0258", + "control-0260", + "control-0261", + "control-0263", + "control-0996", + "control-0958", + "control-0995", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0963", + "control-0961", + "control-1237", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + 
"control-0670", + "control-1523", + "control-0610", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", "control-1139", "control-1369", "control-1370", @@ -134,11 +362,15 @@ "control-1375", "control-1553", "control-1453", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", "control-1232", "control-1468", - "control-0499", - "control-0505", - "control-0506", "control-1506", "control-0484", "control-0485", @@ -146,15 +378,9 @@ "control-0487", "control-0488", "control-0489", - "control-0481", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", + "control-0499", + "control-0505", + "control-0506", "control-0494", "control-0496", "control-1233", 
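Review bot: the `@@ -134,11 +362,15 @@` and `@@ -146,15 +378,9 @@` hunks are a pure reordering rather than a content change: control-0499, control-0505 and control-0506 are removed in the first hunk and re-added in the second, while the control-0460, control-0461, control-1080, control-0455, control-0462, control-0467, control-0469 block is removed in the second and added in the first, and the same shuffle runs through the larger hunks of this file. That leaves a reviewer unable to tell by eye whether any control was added to or dropped from the profile. Please state in the commit message whether the with-ids set is unchanged (a sorted comparison of the old and new id lists makes that a one-line check), and consider having the generator emit with-ids in a deterministic order so future regenerations produce a readable diff.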
@@ -164,114 +390,51 @@ "control-0999", "control-1000", "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0258", - "control-0260", - "control-0261", - "control-0263", - "control-0996", - "control-0958", - "control-0995", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0963", - "control-0961", - "control-1237", - "control-1480", - "control-1457", - "control-0593", - 
"control-0594", + "control-0490", + "control-0481", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1211", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + "control-1478", "control-1314", "control-0536", "control-1315", 
@@ -323,160 +486,21 @@ "control-1028", "control-1030", "control-1185", - "control-0041", - "control-0043", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0420", - "control-1538", - "control-0405", - "control-1503", - "control-0409", - "control-0411", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-0078", - "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1491", - "control-1410", - "control-1469", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - 
"control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", "control-1163", - "control-0911", - "control-0123", - "control-0141", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", + "control-0911", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-1082", "control-1083", "control-0240", 
@@ -507,140 +531,116 @@ "control-1365", "control-1366", "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0663", - "control-0661", - "control-0665", - "control-0675", - "control-0664", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-0667", - "control-0660", - "control-0673", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - 
"control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1529", - "control-1396", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1491", + "control-1410", + "control-1469", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + 
"control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_December_2019_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_December_2019_TOP_SECRET/profile.json index 24822fa..6de3a33 100644 --- a/ISM_catalog_profile/profiles/ISM_December_2019_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_December_2019_TOP_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "8e5c8880-1dd2-4d9d-b0a9-ba3be2376d24", + "uuid": "db0871eb-3727-45ed-a96a-4364cca50ba8", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:21:31.248+00:00", + "last-modified": "2022-03-23T20:28:13.255069+11:00", "version": "December_2019", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,43 +14,53 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", + "control-0123", + "control-0141", + "control-0140", + "control-0576", + "control-0120", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1213", + "control-0138", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0663", + "control-0661", + "control-0665", + "control-0675", + "control-0664", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-0667", + "control-0660", + "control-0673", + "control-1294", + "control-1295", "control-0264", "control-0267", "control-0270", 
@@ -77,21 +87,140 @@ "control-1234", "control-1502", "control-1024", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0839", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0213", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0218", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1216", + "control-1112", + "control-1119", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + "control-0194", + "control-1101", + "control-1103", + "control-1100", + "control-1116", + "control-1115", + "control-1133", + "control-1122", + "control-1134", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0198", + "control-1123", + "control-1135", + "control-0201", + "control-0202", + "control-0203", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-1529", + "control-1396", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + 
"control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-0348", + "control-0352", + "control-0835", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-0947", + "control-1464", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", 
@@ -107,38 +236,148 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-0835", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-0947", - "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0839", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-0336", + "control-0159", + "control-0161", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0420", + "control-1538", + "control-0405", + "control-1503", + "control-0409", + "control-0411", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-0078", + "control-0854", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0258", + "control-0260", + "control-0261", + "control-0263", + "control-0996", + "control-0958", + "control-0995", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0963", + "control-0961", + "control-1237", + "control-1480", + 
"control-1457", + "control-0593", + "control-0594", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", "control-1375", "control-1553", "control-1453", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", "control-1232", "control-1468", - "control-0499", - "control-0505", - "control-0506", "control-1506", "control-0484", "control-0485", @@ -146,15 +385,9 @@ "control-0487", "control-0488", "control-0489", - "control-0481", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", + "control-0499", + "control-0505", + "control-0506", "control-0494", "control-0496", "control-1233", 
@@ -164,112 +397,51 @@ "control-0999", "control-1000", "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0258", - "control-0260", - "control-0261", - "control-0263", - "control-0996", - "control-0958", - "control-0995", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0963", - "control-0961", - "control-1237", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + "control-0490", + 
"control-0481", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1211", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + "control-1478", "control-1314", "control-0536", "control-1315", 
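Review bot: in `@@ -164,112 +397,51 @@` the added block is the same run of ids (control-1510 through control-1516, then control-0042 through control-1501) that this file's first `@@ -14,43 +14,53 @@` hunk removed, so it is a move, with one visible ordering change inside it: the pair removed as control-0481, control-0490 in `@@ -146,15 +385,9 @@` comes back as control-0490, control-0481. Because `diff` cannot pair moved blocks across hunks, the net effect on the TOP_SECRET profile is hard to confirm from the patch alone; a set comparison of old versus new with-ids, or viewing the change with `git diff --color-moved`, would make reviewing this and the SECRET profile much quicker.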
@@ -321,160 +493,21 @@ "control-1028", "control-1030", "control-1185", - "control-0041", - "control-0043", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0420", - "control-1538", - "control-0405", - "control-1503", - "control-0409", - "control-0411", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-0078", - "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1491", - "control-1410", - "control-1469", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", + "control-1163", + "control-0911", "control-0580", "control-1405", "control-0988", "control-0584", - "control-0582", - "control-1536", - 
"control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-1163", - "control-0911", - "control-0123", - "control-0141", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-1082", "control-1083", "control-0240", 
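Review bot: The `@@ -321,160 +493,21 @@` hunk on its own drops the ids from "control-0041" through "control-1489", and they only come back as `+` lines in the next hunk (`+ "control-0041",` `+ "control-0043",` `+ "control-0039",` under `@@ -506,147 +539,114 @@`), so this is a wholesale reorder of the with-ids list rather than a change to the control set. That makes the intent very hard to verify by eye; please state in the PR description that the set of ids is unchanged (or attach the output of a set comparison of old vs new with-ids), and consider having the generator emit the ids in a deterministic order so a regeneration produces a small diff.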
@@ -506,147 +539,114 @@ "control-1365", "control-1366", "control-0705", - "control-0201", - "control-0202", - "control-0203", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0218", - "control-0247", - "control-1137", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1216", - "control-1112", - "control-1119", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-0195", - "control-0194", - "control-1101", - "control-1103", - "control-1100", - "control-1116", - "control-1115", - "control-1133", - "control-1122", - "control-1134", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0198", - "control-1123", - "control-1135", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0663", - "control-0661", - "control-0665", - "control-0675", - "control-0664", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-0667", - "control-0660", - "control-0673", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - 
"control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1529", - "control-1396", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1491", + "control-1410", + "control-1469", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + 
"control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_December_2020_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_December_2020_OFFICIAL/profile.json index c01b60e..be8de8b 100644 --- a/ISM_catalog_profile/profiles/ISM_December_2020_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_December_2020_OFFICIAL/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "6fe68ed7-9062-4ae6-be5f-6c674fdd45ab", + "uuid": "5af9c8a2-973a-4276-865e-7aa8185edb21", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:20:37.882+00:00", + "last-modified": "2022-04-28T11:44:10.925236+10:00", "version": "December_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
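Review bot: In the `@@ -1,9 +1,9 @@` hunk for ISM_December_2020_OFFICIAL/profile.json the profile "uuid" is replaced ("6fe68ed7-…" to "5af9c8a2-…") even though nothing about the profile's identity has changed; if the generator mints a fresh UUID on every run, any document that imports this profile by UUID breaks on each regeneration, so consider keeping the UUID stable unless the content genuinely changes. The "last-modified" value also switches from UTC with millisecond precision ("2021-11-04T01:20:37.882+00:00") to local time with microseconds ("2022-04-28T11:44:10.925236+10:00"); normalising to UTC keeps the generated files comparable across machines. Minor: the unchanged "remarks" context line says "scrips/ISM/ISM.py", which looks like a typo for "scripts" and is worth fixing at the source since the files are being regenerated anyway.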
@@ -14,525 +14,96 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + 
"control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - 
"control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - 
"control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-1629", - "control-0473", - "control-1630", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - 
"control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1390", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - 
"control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", "control-0248", "control-0932", "control-0246", 
@@ -566,6 +137,246 @@ "control-1106", "control-1107", "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-0100", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + 
"control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + 
"control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -596,25 +407,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", 
@@ -631,72 +432,271 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", "control-0325", "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-0100", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-1629", + "control-0473", + "control-1630", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + 
"control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + 
"control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] 
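Review bot: The last three hunks of ISM_December_2020_OFFICIAL/profile.json (`@@ -566,6 +137,246 @@`, `@@ -596,25 +407,15 @@`, `@@ -631,72 +432,271 @@`) move several hundred ids around with no additions or removals that I can spot (for example the run `"control-0938" … "control-1489"` and the run `"control-1510" … "control-1501"` are deleted in one place and re-added verbatim in another), which suggests the ordering comes from iteration over an unordered collection in the generator. Please confirm the old and new with-ids lists are equal as sets, and sort the ids (or preserve the catalog order) in the generator so future regenerations do not produce a diff of this size for a no-op change.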
diff --git a/ISM_catalog_profile/profiles/ISM_December_2020_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_December_2020_PROTECTED/profile.json index f25f93a..9215e27 100644 --- a/ISM_catalog_profile/profiles/ISM_December_2020_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_December_2020_PROTECTED/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "cb214447-4ac6-4f47-9522-9aea25db5535", + "uuid": "d6bdc837-0b03-4f38-9df5-4833afa3bf46", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:20:37.886+00:00", + "last-modified": "2022-04-28T11:44:10.931220+10:00", "version": "December_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
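Review bot: Same concern as for the OFFICIAL profile header: the `@@ -1,9 +1,9 @@` hunk for ISM_December_2020_PROTECTED/profile.json rotates the "uuid" ("cb214447-…" to "d6bdc837-…") and changes the "last-modified" timestamp from UTC to a "+10:00" local offset with microsecond precision, while the "version" and "oscal-version" fields are untouched. A stable UUID and a UTC timestamp would make regenerated profiles reproducible and safe to reference by id.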
@@ -14,526 +14,96 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + 
"control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - 
"control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - 
"control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-1629", - "control-0473", - "control-1630", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - 
"control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1390", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1462", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - 
"control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", "control-0248", "control-0932", "control-0246", 
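Review bot: before merging, confirm that the old and new `with-ids` arrays of this file are the same set, because the `@@ -14,526 +14,96 @@` hunk removes several hundred entries (`control-0042` … `control-0593`, `control-1437` … `control-0217`) and re-adds a different run (`control-0580` … `control-1556`), which is only safe if every removed ID reappears further down the file; a control that is dropped rather than moved would silently narrow the profile's scope, and a diff this size cannot be checked by eye. Running `jq '[.profile.imports[]["include-controls"][]["with-ids"][]] | sort' profile.json` against both revisions and diffing the two outputs is enough to prove it.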
@@ -567,6 +137,247 @@ "control-1106", "control-1107", "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-0100", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + 
"control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1462", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-0027", + 
"control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -597,25 +408,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", 
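Review bot: the `@@ -597,25 +408,15 @@` hunk is a pure move within this file and the patch description should say so: the `control-0336` … `control-0164` run it removes is re-added after `control-1023` in the `@@ -14,526 +14,96 @@` hunk, the `control-0663` … `control-1294` run is re-added after `control-0735` in `@@ -567,6 +137,247 @@`, and the nine IDs it adds (`control-0039` … `control-1564`) are the ones the first hunk removes, in a different relative order. Nothing about which controls the profile selects changes here, so a sentence stating that regenerating the profiles reorders `with-ids` without altering membership would save the next reviewer from reconstructing that from 600 moved lines.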
@@ -632,72 +433,271 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", "control-0325", "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-0100", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-1629", + "control-0473", + "control-1630", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + 
"control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + 
"control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] 
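Review bot: the `@@ -632,72 +433,271 @@` hunk brings this file's four hunks into balance, 526+6+25+72 = 629 lines removed against 96+247+15+271 = 629 added, which is consistent with a reorder of the same IDs, and the array still terminates correctly (`"control-1501"` carries no trailing comma before `]`); equal line counts do not rule out one ID being swapped for another, though, so the set comparison is still needed. Since the emitted order is whatever the generator happens to walk, have it sort `with-ids` (or follow the catalog's control order) deterministically, so the next regeneration against a newer trestle does not produce another reshuffle of this size.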
diff --git a/ISM_catalog_profile/profiles/ISM_December_2020_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_December_2020_SECRET/profile.json index 9772653..73e5ae7 100644 --- a/ISM_catalog_profile/profiles/ISM_December_2020_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_December_2020_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "1bcb16fc-90aa-4281-b0b6-e90bb29c83a0", + "uuid": "5622c04b-9b4c-40d3-a59d-32bfe8fc922e", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:20:37.890+00:00", + "last-modified": "2022-04-28T11:44:10.936207+10:00", "version": "December_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
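Review bot: in `@@ -1,9 +1,9 @@` the profile `uuid` changes (`1bcb16fc-…` to `5622c04b-…`) even though the content change in this file is a reordering, so anything that records this profile by UUID will treat it as a new document; consider keeping the UUID stable across regenerations unless the selected controls actually change. Two smaller points in the same hunk: `last-modified` moves from millisecond UTC (`2021-11-04T01:20:37.890+00:00`) to microsecond local time with a `+10:00` offset, which makes regenerated files from different machines differ for no reason, so emit UTC at a fixed precision; and the unchanged `remarks` line cites `scrips/ISM/ISM.py`, which looks like a typo for `scripts/ISM/ISM.py` and should be corrected in the generator that writes it.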
@@ -14,288 +14,451 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - 
"control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", + "control-0247", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + 
"control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - 
"control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1314", + "control-0536", + 
"control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0293", + "control-0294", + 
"control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0840", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -303,7 +466,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -320,15 +498,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
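Review bot: in `@@ -14,288 +14,451 @@` a number of the removed IDs, among them `control-0300`, `control-0641`, `control-0642`, `control-0613`, `control-0645`, `control-0646`, `control-0647`, `control-1524`, `control-0677`, `control-0626`, `control-0597`, `control-0627`, `control-0635`, `control-1521`, `control-1522`, `control-0670`, `control-1523`, `control-1457` and `control-0594`, do not reappear as additions in any of the hunks shown here, so please check they are re-added in the remainder of the file; this file's hunk headers balance (288+7+15+344 = 654 removed, 451+22+6+175 = 654 added), which makes a pure reorder plausible but does not prove it. The two short hunks are straightforward moves: `@@ -303,7 +466,22 @@` re-adds the `control-1232`, `control-1468`, `control-0499` … `control-0506` and `control-1139` … `control-1453` entries removed earlier in the main hunk, and `@@ -320,15 +498,6 @@` removes the `control-0041` … `control-1602` run that the main hunk re-adds after `control-1599`.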
@@ -371,344 +540,175 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - 
"control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0840", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-1570", - "control-1529", - "control-1395", - 
"control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + 
"control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_December_2020_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_December_2020_TOP_SECRET/profile.json index 6d751a7..e065dc1 100644 --- a/ISM_catalog_profile/profiles/ISM_December_2020_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_December_2020_TOP_SECRET/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "87548b85-21f2-4ece-bb6f-e6c7fa05d512", + "uuid": "959c01a5-96f6-4e2d-a5e6-1d9a66eaf68f", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:20:37.895+00:00", + "last-modified": "2022-04-28T11:44:10.941193+10:00", "version": "December_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
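Review bot: the only changes in this hunk are uuid and last-modified, and both are regenerated on every run, so every profile will carry a two-line diff even when its control list is unchanged; consider keeping a profile's uuid stable across regenerations and only issuing a new one when the content changes. The new last-modified also switches format, from millisecond UTC (`2021-11-04T01:20:37.895+00:00`) to microsecond local offset (`2022-04-28T11:44:10.941193+10:00`); both are valid ISO 8601, but one precision and one timezone should be used consistently across the generated set. Separately, the remarks context line still reads `scrips/ISM/ISM.py`, presumably a typo for scripts, and the same template text is added verbatim in the new December_2021 profile below, so fixing it in the generator corrects every output at once.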
@@ -14,286 +14,459 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - 
"control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1216", + "control-1112", + "control-1119", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + "control-0194", + "control-1101", + "control-1103", + "control-1100", + "control-1116", + "control-1115", + "control-1133", + "control-1122", + "control-1134", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0198", + "control-1123", + "control-1135", + "control-0201", + "control-0202", + "control-0203", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0218", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + 
"control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", "control-0401", "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - 
"control-0556", - "control-1015", - "control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + 
"control-1626", + "control-0120", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + 
"control-1598", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-0835", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -301,7 +474,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -318,15 +506,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
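Review bot: nearly all of the -14 hunk's churn is ordering rather than membership: the block it adds first (control-0580, control-1405, control-0988 through control-1228, and later control-0123 through control-0120) is the block the following -369 hunk deletes, the -301 hunk re-adds the ids this hunk removes (control-1232, control-1468, control-1139 through control-0506), and the -318 hunk removes control-0041 through control-1602, which this hunk adds. Before merging, confirm the intended membership delta with a set comparison rather than by reading the hunks, e.g. `jq -r '.profile.imports[]["include-controls"][]["with-ids"][]' profile.json | sort` on both revisions, then diff the two sorted lists.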
@@ -369,352 +548,173 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0201", - "control-0202", - "control-0203", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0218", - "control-0247", - "control-1137", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1216", - "control-1112", - "control-1119", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-0195", - "control-0194", - "control-1101", - "control-1103", - "control-1100", - "control-1116", - "control-1115", - "control-1133", - "control-1122", - "control-1134", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0198", - "control-1123", - "control-1135", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - 
"control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-0835", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - 
"control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-1570", - "control-1529", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + 
"control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_December_2021_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_December_2021_OFFICIAL/profile.json new file mode 100644 index 0000000..63ae40d --- /dev/null +++ b/ISM_catalog_profile/profiles/ISM_December_2021_OFFICIAL/profile.json 
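Review bot: this hunk deletes the whole tail of with-ids (control-1546 through control-1576) and appends a different tail (control-1425 through control-1501), yet every deleted id reappears as an addition in the -14 hunk above (control-1546, control-0974, control-1173 through control-0345, and control-1631 through control-1576 are all re-added there), and the preceding profile's -371 hunk performs the same rewrite with the same new tail ending in control-1501. That makes this a generator-wide ordering change rather than a per-profile content change, which the commit message ("demos work with trestle 1.0.x") does not mention; a sentence explaining why the control order changed would help anyone reviewing or bisecting these files later.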
@@ -0,0 +1,741 @@ +{ + "profile": { + "uuid": "1f00d833-253a-4032-aa38-5beb17a2e4d0", + "metadata": { + "title": "Australian Government Information Security Manual profile for OFFICIAL", + "last-modified": "2022-03-07T13:44:16.927327+11:00", + "version": "December_2021", + "oscal-version": "1.0.0", + "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" + }, + "imports": [ + { + "href": "trestle://ISM_December_2021/catalog.json", + "include-controls": [ + { + "with-ids": [ + "control-1551", + "control-0336", + "control-0294", + "control-0293", + "control-1599", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-1598", + "control-0313", + "control-1550", + "control-1217", + "control-0311", + "control-0316", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-0374", + "control-0378", + "control-0375", + "control-1549", + "control-1359", + "control-1713", + "control-0332", + "control-0323", + "control-0337", + "control-0325", + "control-0330", + "control-0831", + "control-1059", + "control-1600", + "control-1642", + "control-0347", + "control-0947", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-1722", + "control-1723", + "control-1724", + "control-1725", + "control-1726", + "control-1727", + "control-0368", + "control-0361", + "control-0362", + "control-1641", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0840", + "control-0839", + "control-0348", + "control-0351", + "control-0354", + "control-1065", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1735", + "control-1533", + 
"control-1195", + "control-1297", + "control-1400", + "control-1482", + "control-0869", + "control-1085", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1644", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1705", + "control-1706", + "control-1707", + "control-1708", + "control-1515", + "control-0042", + "control-1380", + "control-1687", + "control-1688", + "control-1689", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1211", + "control-1143", + "control-1493", + "control-1643", + "control-1690", + "control-1691", + "control-1692", + "control-1693", + "control-1694", + "control-1695", + "control-1696", + "control-1697", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-1698", + "control-1699", + "control-1700", + "control-1701", + "control-1702", + "control-1703", + "control-1704", + "control-0304", + "control-1501", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-1071", + "control-1525", + 
"control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0501", + "control-0142", + "control-1091", + "control-0481", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0490", + "control-0471", + "control-0994", + "control-0472", + "control-1629", + "control-0473", + "control-1630", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-0479", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-1730", + "control-0401", + "control-0402", + "control-1616", + "control-1717", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-1645", + "control-1646", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1112", + "control-1119", + "control-0189", + "control-1114", + "control-1130", + "control-1164", + "control-1115", + "control-1104", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-1102", + "control-1101", + 
"control-1103", + "control-1098", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0258", + "control-0260", + "control-0261", + "control-0591", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0643", + "control-1157", + "control-0648", + "control-1528", + "control-0639", + "control-1194", + "control-0289", + "control-0280", + "control-0285", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-1296", + "control-0164", + "control-0161", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0405", + "control-1566", + "control-1714", + "control-1507", + "control-1733", + "control-1508", + "control-1175", + "control-1653", + "control-1649", + "control-0445", + "control-1509", + "control-1650", + "control-1651", + "control-1652", + "control-0430", + 
"control-1591", + "control-1404", + "control-1648", + "control-1716", + "control-1647", + "control-1734", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1715", + "control-1614", + "control-1615", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-0123", + "control-0141", + "control-1433", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1731", + "control-1732", + "control-1213", + "control-0138", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1709", + "control-1710", + "control-1319", + "control-1320", + "control-1332", + "control-1321", + "control-1711", + "control-1322", + "control-1324", + "control-1323", + "control-1327", + 
"control-1330", + "control-1712", + "control-1454", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1562", + "control-0546", + "control-0548", + "control-0547", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-0938", + "control-1467", + "control-1483", + "control-1486", + "control-1485", + "control-1666", + "control-1667", + "control-1668", + "control-1669", + "control-1542", + "control-1670", + "control-1412", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1671", + "control-1488", + "control-1672", + "control-1673", + "control-1674", + "control-1487", + "control-1675", + "control-1676", + "control-1489", + "control-1677", + 
"control-1678", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-0341", + "control-1654", + "control-1655", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-1656", + "control-1657", + "control-1658", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-1659", + "control-0846", + "control-1660", + "control-1661", + "control-1662", + "control-0957", + "control-1663", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1664", + "control-1665", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0345", + "control-0343", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1679", + "control-1680", + "control-1681", + "control-1505", + "control-1401", + "control-1682", + "control-1559", + "control-1357", + "control-1683", + "control-1684", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-1685", + "control-0418", + "control-1597", + "control-1402", + "control-1686", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979" + ] + } + ] + } + ] + } +} \ No newline at end of file diff --git a/ISM_catalog_profile/profiles/ISM_December_2021_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_December_2021_PROTECTED/profile.json new file mode 100644 index 0000000..a0ec2ac --- /dev/null +++ b/ISM_catalog_profile/profiles/ISM_December_2021_PROTECTED/profile.json 
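Review bot: the metadata remarks of this new OFFICIAL profile point at "scrips/ISM/ISM.py", which looks like a typo for scripts/ISM/ISM.py; since the string comes from the generator, correct it there so every regenerated profile picks up the fix at once. The file also ends with "\ No newline at end of file", so have the generator write a trailing newline when it serialises the JSON.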
@@ -0,0 +1,741 @@ +{ + "profile": { + "uuid": "45fe6b2d-2e90-4088-a87a-a125ab5da3ea", + "metadata": { + "title": "Australian Government Information Security Manual profile for PROTECTED", + "last-modified": "2022-03-07T13:44:16.932312+11:00", + "version": "December_2021", + "oscal-version": "1.0.0", + "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" + }, + "imports": [ + { + "href": "trestle://ISM_December_2021/catalog.json", + "include-controls": [ + { + "with-ids": [ + "control-1551", + "control-0336", + "control-0294", + "control-0293", + "control-1599", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-1598", + "control-0313", + "control-1550", + "control-1217", + "control-0311", + "control-0316", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-0374", + "control-0378", + "control-0375", + "control-1549", + "control-1359", + "control-1713", + "control-0332", + "control-0323", + "control-0337", + "control-0325", + "control-0330", + "control-0831", + "control-1059", + "control-1600", + "control-1642", + "control-0347", + "control-0947", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-1722", + "control-1723", + "control-1724", + "control-1725", + "control-1726", + "control-1727", + "control-0368", + "control-0361", + "control-0362", + "control-1641", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0840", + "control-0839", + "control-0348", + "control-0351", + "control-0354", + "control-1065", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1735", + "control-1533", 
+ "control-1195", + "control-1297", + "control-1400", + "control-1482", + "control-0869", + "control-1085", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1644", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1705", + "control-1706", + "control-1707", + "control-1708", + "control-1515", + "control-0042", + "control-1380", + "control-1687", + "control-1688", + "control-1689", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1211", + "control-1143", + "control-1493", + "control-1643", + "control-1690", + "control-1691", + "control-1692", + "control-1693", + "control-1694", + "control-1695", + "control-1696", + "control-1697", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-1698", + "control-1699", + "control-1700", + "control-1701", + "control-1702", + "control-1703", + "control-1704", + "control-0304", + "control-1501", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-1071", + "control-1525", + 
"control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0501", + "control-0142", + "control-1091", + "control-0481", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0490", + "control-0471", + "control-0994", + "control-0472", + "control-1629", + "control-0473", + "control-1630", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-0479", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-1730", + "control-0401", + "control-0402", + "control-1616", + "control-1717", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-1645", + "control-1646", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1112", + "control-1119", + "control-0189", + "control-1114", + "control-1130", + "control-1164", + "control-1115", + "control-1104", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-1102", + "control-1101", + 
"control-1103", + "control-1098", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0258", + "control-0260", + "control-0261", + "control-0591", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0643", + "control-1157", + "control-0648", + "control-1528", + "control-0639", + "control-1194", + "control-0289", + "control-0280", + "control-0285", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-1296", + "control-0164", + "control-0161", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0405", + "control-1566", + "control-1714", + "control-1507", + "control-1733", + "control-1508", + "control-1175", + "control-1653", + "control-1649", + "control-0445", + "control-1509", + "control-1650", + "control-1651", + "control-1652", + "control-0430", + 
"control-1591", + "control-1404", + "control-1648", + "control-1716", + "control-1647", + "control-1734", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1715", + "control-1614", + "control-1615", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-0123", + "control-0141", + "control-1433", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1731", + "control-1732", + "control-1213", + "control-0138", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1709", + "control-1710", + "control-1319", + "control-1320", + "control-1332", + "control-1321", + "control-1711", + "control-1322", + "control-1324", + "control-1323", + "control-1327", + 
"control-1330", + "control-1712", + "control-1454", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1562", + "control-0546", + "control-0548", + "control-0547", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-0938", + "control-1467", + "control-1483", + "control-1486", + "control-1485", + "control-1666", + "control-1667", + "control-1668", + "control-1669", + "control-1542", + "control-1670", + "control-1412", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1671", + "control-1488", + "control-1672", + "control-1673", + "control-1674", + "control-1487", + "control-1675", + "control-1676", + "control-1489", + "control-1677", + 
"control-1678", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-0341", + "control-1654", + "control-1655", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-1656", + "control-1657", + "control-1658", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-1659", + "control-0846", + "control-1660", + "control-1661", + "control-1662", + "control-0957", + "control-1663", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1664", + "control-1665", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0345", + "control-0343", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1679", + "control-1680", + "control-1681", + "control-1505", + "control-1401", + "control-1682", + "control-1559", + "control-1357", + "control-1683", + "control-1684", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-1685", + "control-0418", + "control-1597", + "control-1402", + "control-1686", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979" + ] + } + ] + } + ] + } +} \ No newline at end of file diff --git a/ISM_catalog_profile/profiles/ISM_December_2021_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_December_2021_SECRET/profile.json new file mode 100644 index 0000000..1629ee1 --- /dev/null +++ b/ISM_catalog_profile/profiles/ISM_December_2021_SECRET/profile.json 
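Review bot: the with-ids list of this PROTECTED profile is identical to the OFFICIAL profile added in the previous hunk, down to the same 741-line hunk size, with only uuid, title and last-modified differing. Please confirm the generator applied the PROTECTED applicability column for December 2021 rather than reusing the OFFICIAL selection; if the two control sets really are identical in this ISM release, a sentence in remarks saying so would spare the next reviewer the same check. The "scrips/ISM/ISM.py" wording in remarks and the missing trailing newline apply to this file as well.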
@@ -0,0 +1,799 @@ +{ + "profile": { + "uuid": "5f96acba-8438-4c50-a27a-1a29808be24b", + "metadata": { + "title": "Australian Government Information Security Manual profile for SECRET", + "last-modified": "2022-03-07T13:44:16.939260+11:00", + "version": "December_2021", + "oscal-version": "1.0.0", + "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" + }, + "imports": [ + { + "href": "trestle://ISM_December_2021/catalog.json", + "include-controls": [ + { + "with-ids": [ + "control-1551", + "control-0336", + "control-0294", + "control-0296", + "control-0293", + "control-1599", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-1598", + "control-0313", + "control-1550", + "control-1217", + "control-0311", + "control-0315", + "control-0321", + "control-0316", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-0374", + "control-0378", + "control-0375", + "control-1549", + "control-1359", + "control-1713", + "control-0332", + "control-0323", + "control-0337", + "control-0325", + "control-0330", + "control-0831", + "control-1059", + "control-1600", + "control-1642", + "control-0347", + "control-0947", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-1722", + "control-1723", + "control-1724", + "control-1725", + "control-1726", + "control-1727", + "control-0368", + "control-1728", + "control-0361", + "control-0362", + "control-1641", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0840", + "control-0839", + "control-0348", + "control-0351", + "control-0352", + 
"control-0354", + "control-1065", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1735", + "control-1533", + "control-1195", + "control-0687", + "control-1297", + "control-0694", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-1644", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1705", + "control-1706", + "control-1707", + "control-1708", + "control-1515", + "control-0042", + "control-1380", + "control-1687", + "control-1688", + "control-1689", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1211", + "control-1143", + "control-1493", + "control-1643", + "control-1690", + "control-1691", + "control-1692", + "control-1693", + "control-1694", + "control-1695", + "control-1696", + "control-1697", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-1698", + "control-1699", + "control-1700", + "control-1701", + "control-1702", + "control-1703", + "control-1704", + "control-0304", + "control-1501", + "control-0663", + "control-0661", + "control-0664", + "control-0675", + "control-0665", + "control-0657", + "control-0658", + "control-1187", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-1294", + "control-0660", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + 
"control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0501", + "control-0142", + "control-1091", + "control-0499", + "control-0506", + "control-0481", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0490", + "control-0471", + "control-0994", + "control-1629", + "control-1630", + "control-1446", + "control-0477", + "control-0479", + "control-1232", + "control-0460", + "control-0459", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-1730", + "control-0401", + "control-0402", + "control-1616", + "control-1717", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + 
"control-1645", + "control-1646", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-1718", + "control-1216", + "control-1112", + "control-1119", + "control-0187", + "control-0189", + "control-1114", + "control-1130", + "control-1164", + "control-1115", + "control-1104", + "control-1105", + "control-1095", + "control-1720", + "control-1109", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0258", + "control-0260", + "control-0261", + "control-0591", + "control-1457", + "control-1480", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0643", + "control-0645", + "control-1157", + "control-1158", + "control-0648", + "control-1528", + "control-0639", + "control-1194", + 
"control-0289", + "control-0290", + "control-0292", + "control-0280", + "control-0285", + "control-0286", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-1296", + "control-1543", + "control-0225", + "control-0829", + "control-0164", + "control-0161", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0420", + "control-0405", + "control-1566", + "control-1714", + "control-0409", + "control-0411", + "control-1507", + "control-1733", + "control-1508", + "control-1175", + "control-1653", + "control-1649", + "control-0445", + "control-1509", + "control-1650", + "control-1651", + "control-1652", + "control-0446", + "control-0447", + "control-0430", + "control-1591", + "control-1404", + "control-1648", + "control-1716", + "control-1647", + "control-1734", + "control-0407", + "control-0441", + "control-0443", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1715", + "control-1614", + "control-1615", + "control-0078", + "control-0854", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1425", + 
"control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-0123", + "control-0141", + "control-1433", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1731", + "control-1732", + "control-1213", + "control-0138", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1709", + "control-1710", + "control-1319", + "control-1320", + "control-1332", + "control-1321", + "control-1711", + "control-1322", + "control-1324", + "control-1323", + "control-1327", + "control-1330", + "control-1712", + "control-1454", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1562", + "control-0546", + "control-0548", + "control-0547", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-0558", + 
"control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0938", + "control-1467", + "control-1483", + "control-1486", + "control-1485", + "control-1666", + "control-1667", + "control-1668", + "control-1669", + "control-1542", + "control-1670", + "control-1412", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1671", + "control-1488", + "control-1672", + "control-1673", + "control-1674", + "control-1487", + "control-1675", + "control-1676", + "control-1489", + "control-1677", + "control-1678", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-0341", + "control-1654", + "control-1655", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-1656", + "control-1657", + "control-1658", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-1659", + "control-0846", + "control-1660", + "control-1661", + "control-1662", + "control-0957", + "control-1663", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1664", + "control-1665", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0345", + "control-0343", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1679", + 
"control-1680", + "control-1681", + "control-1505", + "control-1401", + "control-1682", + "control-1559", + "control-1560", + "control-1357", + "control-1683", + "control-1684", + "control-0417", + "control-0421", + "control-1557", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-1685", + "control-0418", + "control-1597", + "control-1402", + "control-1686", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979" + ] + } + ] + } + ] + } +} \ No newline at end of file diff --git a/ISM_catalog_profile/profiles/ISM_December_2021_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_December_2021_TOP_SECRET/profile.json new file mode 100644 index 0000000..aa3be75 --- /dev/null +++ b/ISM_catalog_profile/profiles/ISM_December_2021_TOP_SECRET/profile.json 
@@ -0,0 +1,807 @@ +{ + "profile": { + "uuid": "bbd45896-dece-415c-95b2-9abc13479260", + "metadata": { + "title": "Australian Government Information Security Manual profile for TOP_SECRET", + "last-modified": "2022-03-07T13:44:16.945242+11:00", + "version": "December_2021", + "oscal-version": "1.0.0", + "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" + }, + "imports": [ + { + "href": "trestle://ISM_December_2021/catalog.json", + "include-controls": [ + { + "with-ids": [ + "control-1551", + "control-0336", + "control-0294", + "control-0296", + "control-0293", + "control-1599", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-1598", + "control-0313", + "control-1550", + "control-1217", + "control-0311", + "control-0315", + "control-0321", + "control-0316", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-0374", + "control-0378", + "control-0375", + "control-1549", + "control-1359", + "control-1713", + "control-0332", + "control-0323", + "control-0337", + "control-0325", + "control-0330", + "control-0831", + "control-1059", + "control-1600", + "control-1642", + "control-0347", + "control-0947", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-1722", + "control-1723", + "control-1724", + "control-1725", + "control-1726", + "control-1727", + "control-0368", + "control-1729", + "control-0361", + "control-0362", + "control-1641", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0839", + "control-0348", + "control-0351", + "control-0352", + "control-0835", 
+ "control-0354", + "control-1065", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1735", + "control-1533", + "control-1195", + "control-0687", + "control-1297", + "control-0694", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-1644", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1705", + "control-1706", + "control-1707", + "control-1708", + "control-1515", + "control-0042", + "control-1380", + "control-1687", + "control-1688", + "control-1689", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1211", + "control-1143", + "control-1493", + "control-1643", + "control-1690", + "control-1691", + "control-1692", + "control-1693", + "control-1694", + "control-1695", + "control-1696", + "control-1697", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-1698", + "control-1699", + "control-1700", + "control-1701", + "control-1702", + "control-1703", + "control-1704", + "control-0304", + "control-1501", + "control-0663", + "control-0661", + "control-0664", + "control-0675", + "control-0665", + "control-0657", + "control-0658", + "control-1187", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-1294", + "control-0660", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + 
"control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0501", + "control-0142", + "control-1091", + "control-0499", + "control-0506", + "control-0481", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0490", + "control-0471", + "control-0994", + "control-1629", + "control-1630", + "control-1446", + "control-0477", + "control-0479", + "control-1232", + "control-0460", + "control-0459", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-1730", + "control-0401", + "control-0402", + "control-1616", + "control-1717", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + 
"control-1645", + "control-1646", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-1719", + "control-1216", + "control-1112", + "control-1119", + "control-0187", + "control-0189", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + "control-0194", + "control-0201", + "control-1115", + "control-1133", + "control-1122", + "control-1104", + "control-1105", + "control-1095", + "control-1721", + "control-1109", + "control-0218", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1100", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-0198", + "control-1123", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0258", + "control-0260", + "control-0261", + "control-0591", + "control-1457", + "control-1480", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + 
"control-1236", + "control-0643", + "control-0645", + "control-1157", + "control-1158", + "control-0648", + "control-1528", + "control-0639", + "control-1194", + "control-0289", + "control-0290", + "control-0292", + "control-0280", + "control-0285", + "control-0286", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-1296", + "control-1543", + "control-0225", + "control-0829", + "control-0164", + "control-0161", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0420", + "control-0405", + "control-1566", + "control-1714", + "control-0409", + "control-0411", + "control-1507", + "control-1733", + "control-1508", + "control-1175", + "control-1653", + "control-1649", + "control-0445", + "control-1509", + "control-1650", + "control-1651", + "control-1652", + "control-0446", + "control-0447", + "control-0430", + "control-1591", + "control-1404", + "control-1648", + "control-1716", + "control-1647", + "control-1734", + "control-0407", + "control-0441", + "control-0443", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1715", + "control-1614", + "control-1615", + "control-0078", + "control-0854", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + 
"control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-0123", + "control-0141", + "control-1433", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1731", + "control-1732", + "control-1213", + "control-0138", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1709", + "control-1710", + "control-1319", + "control-1320", + "control-1332", + "control-1321", + "control-1711", + "control-1322", + "control-1324", + "control-1323", + "control-1327", + "control-1330", + "control-1712", + "control-1454", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1562", + "control-0546", + "control-0548", + 
"control-0547", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-0558", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0938", + "control-1467", + "control-1483", + "control-1486", + "control-1485", + "control-1666", + "control-1667", + "control-1668", + "control-1669", + "control-1542", + "control-1670", + "control-1412", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1671", + "control-1488", + "control-1672", + "control-1673", + "control-1674", + "control-1487", + "control-1675", + "control-1676", + "control-1489", + "control-1677", + "control-1678", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-0341", + "control-1654", + "control-1655", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-1656", + "control-1657", + "control-1658", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-1659", + "control-0846", + "control-1660", + "control-1661", + "control-1662", + "control-0957", + "control-1663", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1664", + "control-1665", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + 
"control-1418", + "control-0345", + "control-0343", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1679", + "control-1680", + "control-1681", + "control-1505", + "control-1401", + "control-1682", + "control-1559", + "control-1561", + "control-1357", + "control-1683", + "control-1684", + "control-0417", + "control-0421", + "control-0422", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-1685", + "control-0418", + "control-1597", + "control-1402", + "control-1686", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979" + ] + } + ] + } + ] + } +} \ No newline at end of file diff --git a/ISM_catalog_profile/profiles/ISM_February_2021_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_February_2021_OFFICIAL/profile.json index 8f08e2e..a475639 100644 --- a/ISM_catalog_profile/profiles/ISM_February_2021_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_February_2021_OFFICIAL/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "54924f05-fa55-48d7-b3fe-7be88b50aa7f", + "uuid": "773de4a2-251c-4eae-bacc-495b92ccce22", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:20:28.749+00:00", + "last-modified": "2022-04-28T11:43:53.315383+10:00", "version": "February_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
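Review bot: the "remarks" string written into the new ISM_December_2021_TOP_SECRET/profile.json (and repeated unchanged in the regenerated ISM_February_2021_OFFICIAL metadata) says "This content was generated using scrips/ISM/ISM.py"; the path is presumably scripts/ISM/ISM.py, so correct the string in the generator rather than hand-editing the JSON, otherwise the typo is reintroduced on the next run. In the same new-file hunk the "last-modified" value is "2022-03-07T13:44:16.945242+11:00" while the OFFICIAL profile regenerated in this commit is stamped "2022-04-28T11:43:53.315383+10:00", which suggests the TOP_SECRET profile (and the December_2021 profile just before it, which also ends with "\ No newline at end of file") came from an earlier run; regenerate all December_2021 profiles together so the set is consistent, and have the generator emit a trailing newline so these files stop showing up as missing one in every diff.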
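Review bot: in the ISM_February_2021_OFFICIAL metadata hunk the "uuid" changes from "54924f05-fa55-48d7-b3fe-7be88b50aa7f" to "773de4a2-251c-4eae-bacc-495b92ccce22" purely because the profile was regenerated, so any downstream document that imports this profile by uuid (for example a system security plan referencing it) silently breaks; either preserve the existing uuid when regenerating an already committed profile, or state in the commit message that profile uuids are not stable across regeneration. The commit message should also explain the change in the include list that follows (the next hunk header reads "@@ -14,394 +14,177 @@", so the OFFICIAL profile for a fixed ISM release loses a large block of control ids and gains a different set); if that is the intended result of the trestle 1.0.x migration, say so, and if it reflects a change in how ISM.py selects controls, that belongs in the PATCH description.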
@@ -14,394 +14,177 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + 
"control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - 
"control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - 
"control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-1629", - "control-0473", - "control-1630", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - 
"control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0211", + "control-0208", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-0100", + "control-1637", + "control-1638", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + 
"control-1488", + "control-1489", "control-1406", "control-1608", "control-1588", 
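Review bot: in the hunk ending here, nearly every removed `with-ids` entry reappears as an addition elsewhere in the same file (for example `- "control-1178"` at the top of this hunk and `+ "control-1178"` in the following one), so the diff is a reordering that hides whether any control was actually added to or dropped from the profile. Have the generator write `with-ids` in a stable order (sorted, or the catalog's own order) so regenerated profiles produce reviewable diffs, and state in the PR which ids, if any, differ as a set between the old and new file.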
@@ -438,134 +221,168 @@ "control-1390", "control-1418", "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0211", - "control-0208", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - 
"control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + 
"control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -596,25 +413,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", 
@@ -631,78 +438,271 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", "control-0325", "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-0100", - "control-1637", - "control-1638", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-1629", + "control-0473", + 
"control-1630", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + 
"control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + 
"control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_February_2021_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_February_2021_PROTECTED/profile.json index b0d61c0..3e7337e 100644 --- a/ISM_catalog_profile/profiles/ISM_February_2021_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_February_2021_PROTECTED/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "03dd0977-fe62-43a0-a412-9ec6cde0603f", + "uuid": "a23ff3cf-7d7d-4cce-9bb9-be07919c193c", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:20:28.754+00:00", + "last-modified": "2022-04-28T11:43:53.321365+10:00", "version": "February_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
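Review bot: in the `@@ -1,9 +1,9 @@` hunk for `ISM_February_2021_PROTECTED/profile.json`, `last-modified` changes both format and zone, from `2021-11-04T01:20:28.754+00:00` to `2022-04-28T11:43:53.321365+10:00`; the generator should normalise to UTC at a fixed precision so timestamps stay comparable across profiles and runs. The profile `uuid` is also regenerated (`03dd0977-fe62-43a0-a412-9ec6cde0603f` to `a23ff3cf-7d7d-4cce-9bb9-be07919c193c`) although the visible body changes reorder the same ids; anything that references this profile by uuid breaks on every regeneration, so either keep the uuid stable when the content is unchanged or document that it is regenerated on each run. Minor: the unchanged `remarks` context line reads `scrips/ISM/ISM.py`, presumably `scripts/ISM/ISM.py`.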
@@ -14,394 +14,177 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + 
"control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - 
"control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - 
"control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-1629", - "control-0473", - "control-1630", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - 
"control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0211", + "control-0208", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-0100", + "control-1637", + "control-1638", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + 
"control-1488", + "control-1489", "control-1406", "control-1608", "control-1588", 
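Review bot: the visible tail of this `@@ -14,394 +14,177 @@` hunk (removed `- "control-1178"` through `- "control-0979"`, added `+ "control-0248"` through `+ "control-1489"`) matches the tail of the corresponding hunk in the preceding profile entry for entry, apart from ids specific to each classification level (`control-0457` and `control-0465` here, `control-1161` and `control-1162` there), so the churn originates in the generator's output order rather than in this file. Fixing the ordering once in the generator addresses every profile in the patch, and the genuine differences between the profiles would then show up as a few readable lines instead of being buried in a full rewrite of the list.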
@@ -438,135 +221,169 @@ "control-1390", "control-1418", "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1462", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0211", - "control-0208", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - 
"control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1462", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + 
"control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -597,25 +414,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", 
@@ -632,78 +439,271 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", "control-0325", "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-0100", - "control-1637", - "control-1638", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-1629", + "control-0473", + 
"control-1630", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + 
"control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + 
"control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_February_2021_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_February_2021_SECRET/profile.json index 20cdd99..3ff16aa 100644 --- a/ISM_catalog_profile/profiles/ISM_February_2021_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_February_2021_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "67b3f13f-380c-4e91-8077-5ea221b4f146", + "uuid": "aa88a03c-19fc-47f7-b1ba-299cf583078b", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:20:28.759+00:00", + "last-modified": "2022-04-28T11:43:53.327317+10:00", "version": "February_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,288 +14,457 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - 
"control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", + "control-0247", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0211", + "control-0208", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + 
"control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - 
"control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + 
"control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + 
"control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0840", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -303,7 +472,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -320,15 +504,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -371,350 +546,175 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0211", - "control-0208", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - 
"control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0840", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - 
"control-1569", - "control-1637", - "control-1638", - "control-1570", - "control-1529", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + 
"control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_February_2021_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_February_2021_TOP_SECRET/profile.json index c4b8cc2..1d42d17 100644 --- a/ISM_catalog_profile/profiles/ISM_February_2021_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_February_2021_TOP_SECRET/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "8fce3bc0-5bda-462d-8844-8bb4222bf42a", + "uuid": "b6cb14f8-cf31-4059-a74f-40149eb4f05f", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:20:28.764+00:00", + "last-modified": "2022-04-28T11:43:53.332302+10:00", "version": "February_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,286 +14,465 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - 
"control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1216", + "control-1112", + "control-1119", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + "control-0194", + "control-1101", + "control-1103", + "control-1100", + "control-1116", + "control-1115", + "control-1133", + "control-1122", + "control-1134", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0198", + "control-1123", + "control-1135", + "control-0201", + "control-0202", + "control-0203", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0211", + "control-0208", + "control-0213", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0218", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + 
"control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", "control-0401", "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - 
"control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + 
"control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + 
"control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-0835", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -301,7 +480,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -318,15 +512,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -369,358 +554,173 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0201", - "control-0202", - "control-0203", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0211", - "control-0208", - "control-0213", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0218", - "control-0247", - "control-1137", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1216", - "control-1112", - "control-1119", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-0195", - "control-0194", - "control-1101", - "control-1103", - "control-1100", - "control-1116", - "control-1115", - "control-1133", - "control-1122", - "control-1134", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0198", - "control-1123", - "control-1135", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - 
"control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-0835", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - 
"control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-1637", - "control-1638", - "control-1570", - "control-1529", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + 
"control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_January_2021_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_January_2021_OFFICIAL/profile.json index 59886bb..ccbacd5 100644 --- a/ISM_catalog_profile/profiles/ISM_January_2021_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_January_2021_OFFICIAL/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "0223b1d0-d97d-4c99-8280-cec7d6032ed4", + "uuid": "ffdb70e7-361b-45de-9b59-9eb8654ea217", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:20:33.342+00:00", + "last-modified": "2022-04-28T11:44:02.119873+10:00", "version": "January_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,394 +14,177 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + 
"control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - 
"control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - 
"control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-1629", - "control-0473", - "control-1630", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - 
"control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0211", + "control-0208", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-0100", + "control-1637", + "control-1638", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + 
"control-1488", + "control-1489", "control-1406", "control-1608", "control-1588", 
@@ -438,134 +221,168 @@ "control-1390", "control-1418", "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0211", - "control-0208", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - 
"control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + 
"control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -596,25 +413,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", 
@@ -631,78 +438,271 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", "control-0325", "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-0100", - "control-1637", - "control-1638", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-1629", + "control-0473", + 
"control-1630", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + 
"control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + 
"control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_January_2021_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_January_2021_PROTECTED/profile.json index 5061ce9..01aba27 100644 --- a/ISM_catalog_profile/profiles/ISM_January_2021_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_January_2021_PROTECTED/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "391573a8-d5d7-4dea-bf48-3bed726e9c28", + "uuid": "d61d4400-c0c1-4dd4-b9e8-6a605037a0bb", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:20:33.346+00:00", + "last-modified": "2022-04-28T11:44:02.125856+10:00", "version": "January_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,394 +14,177 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + 
"control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - 
"control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - 
"control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-1629", - "control-0473", - "control-1630", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - 
"control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0211", + "control-0208", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-0100", + "control-1637", + "control-1638", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + 
"control-1488", + "control-1489", "control-1406", "control-1608", "control-1588", 
@@ -438,135 +221,169 @@ "control-1390", "control-1418", "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1462", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0211", - "control-0208", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - 
"control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1462", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + 
"control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -597,25 +414,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", 
@@ -632,78 +439,271 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", "control-0325", "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-0100", - "control-1637", - "control-1638", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-1629", + "control-0473", + 
"control-1630", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + 
"control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + 
"control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_January_2021_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_January_2021_SECRET/profile.json index 2e8a277..177dce3 100644 --- a/ISM_catalog_profile/profiles/ISM_January_2021_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_January_2021_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "52a06c93-5580-4998-91db-510e7ff5fc64", + "uuid": "eeb02bbd-f8e8-4815-b615-6d124de0e53a", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:20:33.350+00:00", + "last-modified": "2022-04-28T11:44:02.132838+10:00", "version": "January_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
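Review bot: the `@@ -1,9 +1,9 @@` hunk for the SECRET profile replaces the profile `uuid` (`52a06c93-5580-4998-91db-510e7ff5fc64` becomes `eeb02bbd-f8e8-4815-b615-6d124de0e53a`) although the remaining hunks for this file show the control list being reordered rather than changed; minting a fresh UUID on every regeneration breaks any consumer that references this profile by UUID and guarantees a diff on every run. Suggest the generator keep the existing UUID when the resolved control set is unchanged, or the PR description state plainly that profile UUIDs are not stable across runs. In the same hunk `last-modified` moves from a UTC stamp (`2021-11-04T01:20:33.350+00:00`) to a local-offset stamp with microsecond precision (`2022-04-28T11:44:02.132838+10:00`); emitting UTC keeps the output reproducible regardless of which machine regenerates it. The unchanged `remarks` context line still reads `scrips/ISM/ISM.py`, which looks like a typo for `scripts/ISM/ISM.py` and is worth fixing in the generator's template rather than in this file.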
@@ -14,288 +14,457 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - 
"control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", + "control-0247", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0211", + "control-0208", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + 
"control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - 
"control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + 
"control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + 
"control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0840", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -303,7 +472,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -320,15 +504,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
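Review bot: the `with-ids` hunks beginning at `@@ -14,288 +14,457 @@` delete the whole control list and re-add it in a different order, so the diff does not let a reviewer tell whether the profile's control membership actually changed; ids such as `control-0041`, `control-0043` and `control-1602` are removed in the `@@ -320,15 +504,6 @@` hunk and reappear as additions further up the same list. OSCAL treats `with-ids` as a set, so the new order carries no meaning but costs several hundred diff lines per profile. Suggest having the generator emit ids in a stable order (sorted, or the catalog's own order) so that regeneration only diffs on real changes, and stating in the PR whether this run added or dropped any control. A quick pre-merge check that works on the visible structure: run `jq -r '.. | objects | select(has("with-ids")) | .["with-ids"][]' profile.json | sort` on both revisions and diff the two outputs; an empty diff confirms a pure reordering.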
@@ -371,350 +546,175 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0211", - "control-0208", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - 
"control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0840", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - 
"control-1569", - "control-1637", - "control-1638", - "control-1570", - "control-1529", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + 
"control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_January_2021_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_January_2021_TOP_SECRET/profile.json index 39378c1..607a487 100644 --- a/ISM_catalog_profile/profiles/ISM_January_2021_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_January_2021_TOP_SECRET/profile.json 
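Review bot: the `@@ -371,350 +546,175 @@` hunk is the tail of the same reordering: the span from `control-1546` down to `control-1576` is removed here while the span from `control-1425` down to `control-1501` is re-added, with `control-1501` closing the list in both versions and `control-0078` and `control-0854` surviving as unchanged context at the hunk's start, so this is an in-place rewrite of one list rather than a new import block. The same stable-ordering request applies; as it stands, anyone auditing which ISM controls the SECRET profile selects has to reconstruct the set by hand from three hunks, and a single dropped id would be easy to miss among the 350 deletions.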
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "08b733c0-1d07-4116-ac08-06491df0dd9b", + "uuid": "e9f15cc6-b0b1-44c1-a6c2-c31072f48d54", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:20:33.355+00:00", + "last-modified": "2022-04-28T11:44:02.137826+10:00", "version": "January_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
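Review bot: same concern as with the SECRET profile's header hunk: `uuid` changes from `08b733c0-1d07-4116-ac08-06491df0dd9b` to `e9f15cc6-b0b1-44c1-a6c2-c31072f48d54` and `last-modified` switches to a `+10:00` local offset (`2022-04-28T11:44:02.137826+10:00`) for a file whose following hunk again shows the control list being reordered. If the generator cannot preserve UUIDs, at least pin `last-modified` to UTC so that profiles regenerated in the same run differ only in their content; the `scrips/ISM/ISM.py` typo in the `remarks` context line is repeated here too, which confirms it lives in the generator rather than in any one file.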
@@ -14,286 +14,465 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - 
"control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1216", + "control-1112", + "control-1119", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + "control-0194", + "control-1101", + "control-1103", + "control-1100", + "control-1116", + "control-1115", + "control-1133", + "control-1122", + "control-1134", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0198", + "control-1123", + "control-1135", + "control-0201", + "control-0202", + "control-0203", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0211", + "control-0208", + "control-0213", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0218", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + 
"control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", "control-0401", "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - 
"control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + 
"control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + 
"control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-0835", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -301,7 +480,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -318,15 +512,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
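Review bot: the `with-ids` arrays are rewritten almost wholesale as block removals and re-insertions (for example "control-1239", "control-1552", "control-1240" are removed in one hunk and re-added further down), so this diff does not let a reviewer tell whether any control was actually added to or dropped from the profile's selection. Suggest having the generator emit `with-ids` in a stable order (e.g. sorted, or preserving the existing order when membership is unchanged) so a regeneration produces a diff limited to real membership changes, and stating in the commit message whether the selected control set changed for this profile.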
@@ -369,358 +554,173 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0201", - "control-0202", - "control-0203", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0211", - "control-0208", - "control-0213", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0218", - "control-0247", - "control-1137", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1216", - "control-1112", - "control-1119", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-0195", - "control-0194", - "control-1101", - "control-1103", - "control-1100", - "control-1116", - "control-1115", - "control-1133", - "control-1122", - "control-1134", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0198", - "control-1123", - "control-1135", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - 
"control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-0835", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - 
"control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-1637", - "control-1638", - "control-1570", - "control-1529", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + 
"control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_July_2020_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_July_2020_OFFICIAL/profile.json index eeef43d..0a57bea 100644 --- a/ISM_catalog_profile/profiles/ISM_July_2020_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_July_2020_OFFICIAL/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "e3311965-95c3-41b6-bdbd-f619db3ad570", + "uuid": "f7fbd94f-ac5c-454a-9c89-0bd6df9dd8dd", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:21:01.243+00:00", + "last-modified": "2022-04-28T11:44:56.056358+10:00", "version": "July_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
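Review bot: in this metadata hunk `last-modified` changes from a UTC value ("2021-11-04T01:21:01.243+00:00") to a local-offset, microsecond-precision value ("2022-04-28T11:44:56.056358+10:00"), and `uuid` is regenerated although no other metadata field changed; both mean every regeneration of the profile produces a diff even when its content is identical. Suggest normalising the timestamp to UTC with fixed precision and keeping the existing `uuid` when the generated content is unchanged, so the diff reflects only real changes to the profile.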
@@ -14,66 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -90,6 +43,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -105,9 +61,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
@@ -118,127 +71,36 @@ "control-0359", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + 
"control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0643", "control-1157", "control-1158", @@ -258,6 +120,9 @@ "control-1292", "control-1293", "control-0610", + "control-0258", + "control-0260", + "control-0261", "control-0963", "control-0961", "control-1237", 
@@ -269,131 +134,153 @@ "control-0960", "control-1171", "control-1236", - "control-0258", - "control-0260", - "control-0261", "control-0591", "control-1480", "control-0593", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-1546", - "control-0974", - "control-1173", - 
"control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + 
"control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1569", + "control-0100", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -419,33 +306,153 @@ "control-1417", "control-1390", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + 
"control-0999", + "control-1000", + "control-1001", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", "control-0123", "control-0141", "control-1433", @@ -466,17 +473,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -488,152 +484,156 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + 
"control-1478", "control-0663", "control-0661", "control-0657", "control-1187", "control-1294", "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1452", - "control-1567", - "control-1568", - "control-1569", - "control-0100", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + 
"control-1404", + "control-0407", + "control-0441", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_July_2020_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_July_2020_PROTECTED/profile.json index efc54d9..1d39015 100644 --- a/ISM_catalog_profile/profiles/ISM_July_2020_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_July_2020_PROTECTED/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "816d4f18-d2f0-4ef8-8918-802ddc043bbe", + "uuid": "a3ab2b1b-5dcd-4bf3-94a0-0ae08dbfbb04", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:21:01.247+00:00", + "last-modified": "2022-04-28T11:44:56.060347+10:00", "version": "July_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
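Review bot: both uuid and last-modified change in this metadata hunk even though the rest of this file's diff mostly re-sequences the same control ids, so consumers that import the PROTECTED profile by uuid will see a new identity on every regeneration; consider keeping the existing uuid unless the selection actually changes. The timestamp also moves from a UTC value with millisecond precision ("2021-11-04T01:21:01.247+00:00") to a local-offset value with microseconds ("2022-04-28T11:44:56.060347+10:00"); emitting last-modified in UTC would keep the format stable across machines.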
@@ -14,67 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -91,6 +43,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -106,9 +61,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
@@ -119,127 +71,36 @@ "control-0359", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + 
"control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0643", "control-1157", "control-1158", @@ -259,6 +120,9 @@ "control-1292", "control-1293", "control-0610", + "control-0258", + "control-0260", + "control-0261", "control-0963", "control-0961", "control-1237", 
@@ -270,135 +134,153 @@ "control-0960", "control-1171", "control-1236", - "control-0258", - "control-0260", - "control-0261", "control-0591", "control-1480", "control-0593", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1462", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-1538", - "control-0405", - "control-1503", - "control-1566", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - 
"control-0441", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + 
"control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1569", + "control-0100", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -424,33 +306,154 @@ "control-1417", "control-1390", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + 
"control-0999", + "control-1000", + "control-1001", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1462", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", "control-0123", "control-0141", "control-1433", @@ -471,17 +474,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
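Review bot: the with-ids hunks for this file (-14,67 through -424,33 and -471,17) move existing ids between positions rather than changing which controls are selected, which makes the diff far larger than the change and would hide a genuine addition or removal. Since the order of with-ids does not affect which controls the profile includes, having the generator emit them in a stable order (catalog order or lexical) would make future regenerations diff-friendly.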
@@ -493,152 +485,160 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + 
"control-1478", "control-0663", "control-0661", "control-0657", "control-1187", "control-1294", "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1452", - "control-1567", - "control-1568", - "control-1569", - "control-0100", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-1538", + "control-0405", + "control-1503", + "control-1566", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + 
"control-1175", + "control-0448", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_July_2020_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_July_2020_SECRET/profile.json index 34d31d7..8ba508c 100644 --- a/ISM_catalog_profile/profiles/ISM_July_2020_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_July_2020_SECRET/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "6997236b-d9b6-4486-86ae-3a9fb7ce7974", + "uuid": "83a8be4f-cb57-482b-8f4f-60cdf3fa0304", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:21:01.250+00:00", + "last-modified": "2022-04-28T11:44:56.065334+10:00", "version": "July_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
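Review bot: the unchanged remarks line in this hunk still reads "This content was generated using scrips/ISM/ISM.py"; "scrips" looks like a typo for scripts in the generator's remarks template. Since this PR regenerates every profile anyway, fixing the template now would land the corrected path in all files in one pass instead of leaving it for another full regeneration.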
@@ -14,69 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -93,6 +43,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -108,9 +61,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0352", "control-1065", 
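Review bot: the -14,69 hunk removes "control-0300" and "control-0269" together with the re-sequenced block, and neither id is re-added in the -14,69, -93,6 or -108,9 hunks of this file; please confirm they are reinstated in a later hunk (the PROTECTED diff re-adds its displaced block at the tail of its list) or that dropping them from the SECRET selection is intentional.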
@@ -124,120 +74,40 @@ "control-0360", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + 
"control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", "control-0641", "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0645", "control-1158", "control-0646", @@ -268,6 +138,9 @@ "control-0670", "control-1523", "control-0610", + "control-0258", + "control-0260", + "control-0261", "control-0963", "control-0961", "control-1237", 
@@ -279,131 +152,156 @@ "control-0960", "control-1171", "control-1236", - "control-0258", - "control-0260", - "control-0261", "control-1480", "control-1457", "control-0593", "control-0594", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1461", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0420", - "control-1538", - "control-0405", - "control-1503", - "control-1566", - "control-0409", - "control-0411", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-0078", - "control-0854", - "control-1546", - "control-0974", - "control-1173", - 
"control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0247", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + 
"control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1569", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
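Review bot: the -279,131 hunk removes "control-0420", "control-0409", "control-0411", "control-0446", "control-0447", "control-0443", "control-0078" and "control-0854" from the SECRET list, and none of them appears among the ids added back in this hunk; if they are meant to survive, they must come back in the tail hunk, so a before/after set comparison for this profile would be worth adding to the PR description or to a test.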
@@ -428,33 +326,131 @@ "control-1416", "control-1417", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + 
"control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1461", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", "control-0123", "control-0141", "control-1433", @@ -475,17 +471,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -497,98 +482,23 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + 
"control-0714", + "control-1478", "control-0663", "control-0661", "control-0665", 
@@ -600,57 +510,147 @@ "control-0678", "control-0660", "control-0673", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1452", - "control-1567", - "control-1568", - "control-1569", - "control-1570", - "control-1529", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0420", + "control-1538", + "control-0405", + "control-1503", + "control-1566", + "control-0409", + "control-0411", + "control-0816", + "control-1507", + 
"control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-0078", + "control-0854", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_July_2020_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_July_2020_TOP_SECRET/profile.json index ed27458..0ee262a 100644 --- a/ISM_catalog_profile/profiles/ISM_July_2020_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_July_2020_TOP_SECRET/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "e490c32f-f415-4ee1-8568-4eba2b352ffc", + "uuid": "525dcf56-3bbc-40c2-a5de-916f76b1d44c", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:21:01.254+00:00", + "last-modified": "2022-04-28T11:44:56.071318+10:00", "version": "July_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
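Review bot: the metadata hunk changes "last-modified" from a UTC value with millisecond precision ("2021-11-04T01:21:01.254+00:00") to a local-offset value with microsecond precision ("2022-04-28T11:44:56.071318+10:00"); the generator should emit one consistent form, preferably UTC, so timestamps across the regenerated profiles compare cleanly. The "uuid" is also regenerated on every run even where the control set is unchanged, which makes each regeneration a content diff; consider keeping the uuid stable unless the profile content actually changes. While touching this block, the unchanged "remarks" context line still reads "scrips/ISM/ISM.py", which looks like a typo for "scripts/ISM/ISM.py" and is worth fixing in the generator text.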
@@ -14,69 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -92,6 +42,9 @@ "control-0372", "control-0373", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -107,9 +60,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0352", "control-0835", 
@@ -124,118 +74,40 @@ "control-0360", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + 
"control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", "control-0641", "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0645", "control-1158", "control-0646", @@ -266,6 +138,9 @@ "control-0670", "control-1523", "control-0610", + "control-0258", + "control-0260", + "control-0261", "control-0963", "control-0961", "control-1237", 
@@ -277,131 +152,164 @@ "control-0960", "control-1171", "control-1236", - "control-0258", - "control-0260", - "control-0261", "control-1480", "control-1457", "control-0593", "control-0594", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1461", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0420", - "control-1538", - "control-0405", - "control-1503", - "control-1566", - "control-0409", - "control-0411", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-0078", - "control-0854", - "control-1546", - "control-0974", - "control-1173", - 
"control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1216", + "control-1112", + "control-1119", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + 
"control-0194", + "control-1101", + "control-1103", + "control-1100", + "control-1116", + "control-1115", + "control-1133", + "control-1122", + "control-1134", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0198", + "control-1123", + "control-1135", + "control-0201", + "control-0202", + "control-0203", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0218", + "control-1452", + "control-1567", + "control-1568", + "control-1569", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -426,33 +334,131 @@ "control-1416", "control-1417", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + 
"control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1461", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", "control-0123", "control-0141", "control-1433", @@ -473,17 +479,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -495,106 +490,23 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0201", - "control-0202", - "control-0203", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0218", - "control-0247", - "control-1137", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1216", - "control-1112", - "control-1119", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-0195", - "control-0194", - "control-1101", - "control-1103", - "control-1100", - "control-1116", - "control-1115", - "control-1133", - "control-1122", - "control-1134", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0198", - "control-1123", - "control-1135", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + 
"control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + "control-1478", "control-0663", "control-0661", "control-0665", 
@@ -606,57 +518,145 @@ "control-0678", "control-0660", "control-0673", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1452", - "control-1567", - "control-1568", - "control-1569", - "control-1570", - "control-1529", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0420", + "control-1538", + "control-0405", + "control-1503", + "control-1566", + "control-0409", + "control-0411", + "control-0816", + "control-1507", + 
"control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-0078", + "control-0854", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_June_2020_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_June_2020_OFFICIAL/profile.json index de4420b..9b712d5 100644 --- a/ISM_catalog_profile/profiles/ISM_June_2020_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_June_2020_OFFICIAL/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "d93e5731-a479-4f29-8f17-e32a7785f710", + "uuid": "8ed9386d-2fc1-4ac1-841a-e2f7a8d75cc2", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:21:05.619+00:00", + "last-modified": "2022-04-28T11:45:04.013879+10:00", "version": "June_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,66 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -90,6 +43,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -105,9 +61,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
@@ -118,127 +71,36 @@ "control-0359", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + 
"control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0643", "control-1157", "control-1158", @@ -258,6 +120,9 @@ "control-1292", "control-1293", "control-0610", + "control-0258", + "control-0260", + "control-0261", "control-0963", "control-0961", "control-1237", 
@@ -269,128 +134,144 @@ "control-0960", "control-1171", "control-1236", - "control-0258", - "control-0260", - "control-0261", "control-0591", "control-1480", "control-0593", - "control-1458", - "control-1431", - "control-1432", - "control-1433", - "control-1434", - "control-1435", - "control-1436", - "control-1518", - "control-1437", - "control-1438", - "control-1439", - "control-1441", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - 
"control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + 
"control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0100", + "control-1395", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -416,39 +297,156 @@ "control-1417", "control-1390", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-0140", - "control-0125", - "control-0133", - "control-0917", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + 
"control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1458", + "control-1431", + "control-1432", + "control-1433", + "control-1434", + "control-1435", + "control-1436", + "control-1518", + "control-1437", + "control-1438", + "control-1439", + "control-1441", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-0123", + "control-0141", + "control-0140", + "control-0125", + "control-0133", + "control-0917", "control-0137", "control-1213", "control-0138", @@ -461,17 +459,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -483,143 +470,156 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + 
"control-1478", "control-0663", "control-0661", "control-0657", "control-1187", "control-1294", "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-0100", - "control-1395", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + 
"control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_June_2020_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_June_2020_PROTECTED/profile.json index afcc0c5..ea1aa06 100644 --- a/ISM_catalog_profile/profiles/ISM_June_2020_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_June_2020_PROTECTED/profile.json 
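Review bot: the with-ids list of this first profile is rewritten almost entirely as move hunks rather than as additions or removals (the run from "control-1139" to "control-1036" dropped in the `@@ -118,127 +71,36 @@` hunk reappears, split across the `@@ -416,39 +297,156 @@` and `@@ -483,143 +470,156 @@` hunks, while "control-0313" through "control-0296" travels the other way), so the net change to the control set cannot be read from the diff. The generator should emit with-ids in a stable order (catalog order, or sorted by id) so that regenerating against an unchanged ISM release yields an empty diff, and the PR should state whether any control was actually added or removed for this profile. A set comparison makes that check mechanical: run `jq -r '.profile.imports[]["include-controls"][]["with-ids"][]' profile.json | sort` on `git show <old-blob>` and on the new file and diff the two outputs.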
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "32b8783a-8f6b-4bbc-9806-c1afd3f6c76a", + "uuid": "217d5bce-db4a-47fa-84ca-307a808c9ef8", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:21:05.623+00:00", + "last-modified": "2022-04-28T11:45:04.018866+10:00", "version": "June_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
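Review bot: the profile uuid is replaced ("32b8783a-…" to "217d5bce-…") even though the only content change in this file is a reordering, and the same happens to every profile in the patch. In OSCAL the profile uuid is the identity other documents use when they import this profile, so regenerating it on every run breaks any component definition or SSP that references it; the generator should keep the existing uuid unless the profile content itself changed (or derive it deterministically from the content). On the same hunk, "last-modified" switches from UTC with millisecond precision ("2021-11-04T01:21:05.623+00:00") to the generating machine's local offset with microseconds ("2022-04-28T11:45:04.018866+10:00"); both are valid OSCAL date-time-with-timezone values, but emitting UTC keeps the files identical regardless of who regenerates them.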
@@ -14,67 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -91,6 +43,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -106,9 +61,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
@@ -119,127 +71,36 @@ "control-0359", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + 
"control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0643", "control-1157", "control-1158", @@ -259,6 +120,9 @@ "control-1292", "control-1293", "control-0610", + "control-0258", + "control-0260", + "control-0261", "control-0963", "control-0961", "control-1237", 
@@ -270,132 +134,144 @@ "control-0960", "control-1171", "control-1236", - "control-0258", - "control-0260", - "control-0261", "control-0591", "control-1480", "control-0593", - "control-1458", - "control-1431", - "control-1432", - "control-1433", - "control-1434", - "control-1435", - "control-1436", - "control-1518", - "control-1437", - "control-1438", - "control-1439", - "control-1441", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1462", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-1538", - "control-0405", - "control-1503", - "control-1566", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-1546", - "control-0974", - 
"control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + 
"control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0100", + "control-1395", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -421,34 +297,152 @@ "control-1417", "control-1390", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + 
"control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1458", + "control-1431", + "control-1432", + "control-1433", + "control-1434", + "control-1435", + "control-1436", + "control-1518", + "control-1437", + "control-1438", + "control-1439", + "control-1441", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1462", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-0123", "control-0141", "control-0140", "control-0125", @@ -466,17 +460,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -488,143 +471,160 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + 
"control-1478", "control-0663", "control-0661", "control-0657", "control-1187", "control-1294", "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-0100", - "control-1395", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-1538", + "control-0405", + "control-1503", + "control-1566", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-1562", + "control-0546", + 
"control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_June_2020_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_June_2020_SECRET/profile.json index e6fbb93..5f6c0d0 100644 --- a/ISM_catalog_profile/profiles/ISM_June_2020_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_June_2020_SECRET/profile.json 
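Review bot: for the PROTECTED profile the entries that are not in the first profile of this section all relocate rather than disappear: "control-1539" moves from the `@@ -14,67 +14,19 @@` hunk to after "control-1023" in the last hunk, "control-0457" and "control-0465" move from the `@@ -119,127 +71,36 @@` hunk to after "control-0505" in the `@@ -421,34 +297,152 @@` hunk, and "control-1462", "control-1538", "control-0816" and "control-1545" move from the `@@ -270,132 +134,144 @@` hunk into the last two hunks. That suggests a pure permutation, but the hunk headers alone (-67/+19, -127/+36, -132/+144, -34/+152, -143/+160) do not prove it, so please confirm with a sorted set diff of the with-ids arrays between blobs `afcc0c5` and `ea1aa06` (for example `git show afcc0c5 | jq -r '.profile.imports[]["include-controls"][]["with-ids"][]' | sort` against the same for `ea1aa06`) and note the result in the PR.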
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "2d330951-463d-4086-b4df-359e139034d5", + "uuid": "dd5dade8-c56b-4530-b918-3f7127ca2eb5", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:21:05.627+00:00", + "last-modified": "2022-04-28T11:45:04.022859+10:00", "version": "June_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,69 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -93,6 +43,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -108,9 +61,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0352", "control-1065", 
@@ -124,120 +74,40 @@ "control-0360", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + 
"control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", "control-0641", "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0645", "control-1158", "control-0646", @@ -268,6 +138,9 @@ "control-0670", "control-1523", "control-0610", + "control-0258", + "control-0260", + "control-0261", "control-0963", "control-0961", "control-1237", 
@@ -279,221 +152,57 @@ "control-0960", "control-1171", "control-1236", - "control-0258", - "control-0260", - "control-0261", "control-1480", "control-1457", "control-0593", "control-0594", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1461", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0420", - "control-1538", - "control-0405", - "control-1503", - "control-1566", - "control-0409", - "control-0411", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-0078", - "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - 
"control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1491", - "control-1410", - "control-1469", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", + "control-0628", + "control-1192", + "control-0631", + 
"control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", "control-1082", "control-1083", "control-0240", @@ -511,31 +220,12 @@ "control-1088", "control-1300", "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", "control-0247", "control-0248", "control-0249", 
@@ -570,22 +260,233 @@ "control-1106", "control-1107", "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1395", + "control-1529", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1491", + "control-1410", + "control-1469", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + 
"control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1461", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-0123", + "control-0141", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1213", + "control-0138", + "control-0576", + "control-0120", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + 
"control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + "control-1478", "control-0663", "control-0661", "control-0665", 
@@ -597,48 +498,147 @@ "control-0678", "control-0660", "control-0673", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1395", - "control-1529", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0420", + "control-1538", + "control-0405", + "control-1503", + "control-1566", + "control-0409", + "control-0411", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-1545", + "control-0430", + 
"control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-0078", + "control-0854", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_June_2020_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_June_2020_TOP_SECRET/profile.json index 1feece0..9dfb54b 100644 --- a/ISM_catalog_profile/profiles/ISM_June_2020_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_June_2020_TOP_SECRET/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "b3e02e8b-3372-445e-a7b6-0308740229c8", + "uuid": "eb6b45fa-7f04-4826-a71e-f60a63738f7c", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:21:05.631+00:00", + "last-modified": "2022-04-28T11:45:04.027842+10:00", "version": "June_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,69 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -92,6 +42,9 @@ "control-0372", "control-0373", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -107,9 +60,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0352", "control-0835", 
@@ -124,118 +74,40 @@ "control-0360", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + 
"control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", "control-0641", "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0645", "control-1158", "control-0646", @@ -266,6 +138,9 @@ "control-0670", "control-1523", "control-0610", + "control-0258", + "control-0260", + "control-0261", "control-0963", "control-0961", "control-1237", 
@@ -277,130 +152,155 @@ "control-0960", "control-1171", "control-1236", - "control-0258", - "control-0260", - "control-0261", "control-1480", "control-1457", "control-0593", "control-0594", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1461", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0420", - "control-1538", - "control-0405", - "control-1503", - "control-1566", - "control-0409", - "control-0411", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-0078", - "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - 
"control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1216", + "control-1112", + "control-1119", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + "control-0194", + 
"control-1101", + "control-1103", + "control-1100", + "control-1116", + "control-1115", + "control-1133", + "control-1122", + "control-1134", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0198", + "control-1123", + "control-1135", + "control-0201", + "control-0202", + "control-0203", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0218", + "control-1395", + "control-1529", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -425,34 +325,131 @@ "control-1416", "control-1417", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + 
"control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1461", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-0123", "control-0141", "control-0140", "control-0125", @@ -470,17 +467,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -492,106 +478,23 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0201", - "control-0202", - "control-0203", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0218", - "control-0247", - "control-1137", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1216", - "control-1112", - "control-1119", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-0195", - "control-0194", - "control-1101", - "control-1103", - "control-1100", - "control-1116", - "control-1115", - "control-1133", - "control-1122", - "control-1134", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0198", - "control-1123", - "control-1135", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + 
"control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + "control-1478", "control-0663", "control-0661", "control-0665", 
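Review bot: this hunk removes 100 ids (control-1082 through control-0164) and adds only 17, and none of the removed run is re-added in the remaining hunk of this file shown here, so the diff on its own does not demonstrate that those controls are still selected. The hunk headers do give the same file length before and after (`@@ -603,48 +506,145 @@` ends at line 650 on both sides), which points to a reorder rather than a membership change, but that should be stated in the PR description or backed by a sorted id-set comparison of the old and new `with-ids` arrays, since a dropped control would be invisible inside a reorder of this size.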
@@ -603,48 +506,145 @@ "control-0678", "control-0660", "control-0673", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1395", - "control-1529", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0420", + "control-1538", + "control-0405", + "control-1503", + "control-1566", + "control-0409", + "control-0411", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-1545", + "control-0430", + 
"control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-0078", + "control-0854", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_March_2020_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_March_2020_OFFICIAL/profile.json index 136d2cd..b0bfea5 100644 --- a/ISM_catalog_profile/profiles/ISM_March_2020_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_March_2020_OFFICIAL/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "f7b7c8fc-4025-453d-8341-f5c559354d1f", + "uuid": "24b0b6db-0d70-4a53-8ead-8751809549f3", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:21:18.525+00:00", + "last-modified": "2022-04-28T11:45:31.620454+10:00", "version": "March_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
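Review bot: the `last-modified` value changes from a UTC millisecond stamp (`2021-11-04T01:21:18.525+00:00`) to a local-offset microsecond stamp (`2022-04-28T11:45:31.620454+10:00`), and the profile `uuid` is regenerated; both fields change on every generator run even when the selected controls are identical, so every regeneration will produce a non-empty diff for all profiles and make real changes harder to spot. Suggest having the generator emit timestamps in UTC and keep the existing `uuid` when the profile content is unchanged.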
@@ -14,66 +14,21 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-1163", + "control-0911", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -90,6 +45,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -105,9 +63,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
@@ -118,132 +73,44 @@ "control-0359", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + 
"control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0643", "control-1157", "control-1158", "control-0648", "control-0610", + "control-0591", + "control-1480", + "control-0593", "control-0258", "control-0260", "control-0261", 
@@ -258,120 +125,162 @@ "control-0963", "control-0961", "control-1237", - "control-0591", - "control-1480", - "control-0593", - "control-1458", - "control-1431", - "control-1432", - "control-1433", - "control-1434", - "control-1435", - "control-1436", - "control-1518", - "control-1437", - "control-1438", - "control-1439", - "control-1441", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0405", - "control-1503", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - 
"control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-0667", + "control-1294", + "control-1295", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + 
"control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0100", + "control-1395", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -397,35 +306,150 @@ "control-1417", "control-1390", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-1163", - "control-0911", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + 
"control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1458", + "control-1431", + "control-1432", + "control-1433", + "control-1434", + "control-1435", + "control-1436", + "control-1518", + "control-1437", + "control-1438", + "control-1439", + "control-1441", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", "control-0123", "control-0141", "control-0140", @@ -444,17 +468,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
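Review bot: the run control-1245 through control-1264 removed in `@@ -444,17 +468,6 @@` is re-added verbatim in the following hunk, and the headers of the last hunk (`@@ -466,158 +479,145 @@`) give the same length, 623 lines, for the old and new file, so this profile looks like a pure reorder of `with-ids`. Order inside an OSCAL `include-controls` list does not change which controls are selected, so consider having the generator write ids in a stable order (catalog order or sorted) so that later regenerations show only genuine membership changes.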
@@ -466,158 +479,145 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0663", - "control-0661", - 
"control-0657", - "control-1187", - "control-0667", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", "control-1071", "control-1525", "control-0027", "control-1526", - "control-0100", - "control-1395", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0714", + "control-1478", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0405", + "control-1503", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + 
"control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_March_2020_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_March_2020_PROTECTED/profile.json index e7001cd..ea7aed2 100644 --- a/ISM_catalog_profile/profiles/ISM_March_2020_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_March_2020_PROTECTED/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "ccd2c178-c043-417a-b2bf-1648444257bc", + "uuid": "a263f0cc-9ff7-4ea7-ab1b-9781f93f4dea", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:21:18.530+00:00", + "last-modified": "2022-04-28T11:45:31.626462+10:00", "version": "March_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
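Review bot: the unchanged `remarks` context line reads "This content was generated using scrips/ISM/ISM.py"; "scrips" looks like a typo for "scripts" in the generator's template text, and because it is emitted into every profile it is worth fixing in the script in the same change, or as a follow-up, rather than leaving it to be reproduced on each regeneration.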
@@ -14,67 +14,21 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-1163", + "control-0911", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -91,6 +45,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -106,9 +63,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
@@ -119,132 +73,44 @@ "control-0359", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + 
"control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0643", "control-1157", "control-1158", "control-0648", "control-0610", + "control-0591", + "control-1480", + "control-0593", "control-0258", "control-0260", "control-0261", 
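Review bot: the removed block in `@@ -119,132 +73,44 @@` includes control-0457 and control-0465, which are present in this PROTECTED profile but not in the corresponding hunk of the OFFICIAL profile above (that one carries control-1161 and control-1162 at the same positions); neither id is re-added in any hunk visible here. Please confirm they are still included further down the file, ideally with a sorted id-set comparison, since classification-specific controls dropping out of a reorder would be easy to miss.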
@@ -259,124 +125,162 @@ "control-0963", "control-0961", "control-1237", - "control-0591", - "control-1480", - "control-0593", - "control-1458", - "control-1431", - "control-1432", - "control-1433", - "control-1434", - "control-1435", - "control-1436", - "control-1518", - "control-1437", - "control-1438", - "control-1439", - "control-1441", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1462", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-1538", - "control-0405", - "control-1503", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - 
"control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-0667", + "control-1294", + "control-1295", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + 
"control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0100", + "control-1395", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -402,35 +306,151 @@ "control-1417", "control-1390", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-1163", - "control-0911", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + 
"control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1458", + "control-1431", + "control-1432", + "control-1433", + "control-1434", + "control-1435", + "control-1436", + "control-1518", + "control-1437", + "control-1438", + "control-1439", + "control-1441", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1462", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", "control-0123", "control-0141", "control-0140", @@ -449,17 +469,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -471,158 +480,149 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0663", - "control-0661", - 
"control-0657", - "control-1187", - "control-0667", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", "control-1071", "control-1525", "control-0027", "control-1526", - "control-0100", - "control-1395", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0714", + "control-1478", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-1538", + "control-0405", + "control-1503", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-1545", + 
"control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_March_2020_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_March_2020_SECRET/profile.json index 2f40ec0..e66fd9f 100644 --- a/ISM_catalog_profile/profiles/ISM_March_2020_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_March_2020_SECRET/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "f9d1013f-622c-4f13-8809-b0f4e0aadd2f", + "uuid": "5ddbbd63-63e1-482a-bb5d-9e770f0516a6", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:21:18.534+00:00", + "last-modified": "2022-04-28T11:45:31.630427+10:00", "version": "March_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,69 +14,21 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-1163", + "control-0911", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -93,6 +45,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -108,9 +63,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0352", "control-1065", 
@@ -124,121 +76,40 @@ "control-0360", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + 
"control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", "control-0641", "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0645", "control-1158", "control-0646", @@ -253,6 +124,10 @@ "control-0670", "control-1523", "control-0610", + "control-1480", + "control-1457", + "control-0593", + "control-0594", "control-0258", "control-0260", "control-0261", 
@@ -267,122 +142,173 @@ "control-0963", "control-0961", "control-1237", - "control-1480", - "control-1457", - "control-0593", - "control-0594", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1461", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0420", - "control-1538", - "control-0405", - "control-1503", - "control-0409", - "control-0411", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-0078", - "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - "control-1403", - 
"control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0663", + "control-0661", + "control-0665", + "control-0675", + "control-0664", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-0667", + "control-0660", + "control-0673", + "control-1294", + "control-1295", + "control-0247", + "control-0248", + 
"control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1395", + "control-1529", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -407,35 +333,131 @@ "control-1416", "control-1417", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-1163", - "control-0911", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + 
"control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1461", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", "control-0123", "control-0141", "control-0140", @@ -454,17 +476,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -476,170 +487,159 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - 
"control-1293", - "control-0663", - "control-0661", - "control-0665", - "control-0675", - "control-0664", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-0667", - "control-0660", - "control-0673", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", "control-1071", "control-1525", "control-0027", "control-1526", - "control-1395", - "control-1529", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0714", + "control-1478", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + 
"control-0415", + "control-0975", + "control-0420", + "control-1538", + "control-0405", + "control-1503", + "control-0409", + "control-0411", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-0078", + "control-0854", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_March_2020_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_March_2020_TOP_SECRET/profile.json index 9e17f67..7001389 100644 --- a/ISM_catalog_profile/profiles/ISM_March_2020_TOP_SECRET/profile.json 
+++ b/ISM_catalog_profile/profiles/ISM_March_2020_TOP_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "be433a5f-2a33-470d-8d21-10b512d229d8", + "uuid": "513e92dc-92fc-432c-bfec-7c5b2ce4d5d2", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:21:18.539+00:00", + "last-modified": "2022-04-28T11:45:31.634416+10:00", "version": "March_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,69 +14,21 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-1163", + "control-0911", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -92,6 +44,9 @@ "control-0372", "control-0373", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -107,9 +62,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0352", "control-0835", 
@@ -124,119 +76,40 @@ "control-0360", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + 
"control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", "control-0641", "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0645", "control-1158", "control-0646", @@ -251,6 +124,10 @@ "control-0670", "control-1523", "control-0610", + "control-1480", + "control-1457", + "control-0593", + "control-0594", "control-0258", "control-0260", "control-0261", 
@@ -265,215 +142,55 @@ "control-0963", "control-0961", "control-1237", - "control-1480", - "control-1457", - "control-0593", - "control-0594", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1461", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0420", - "control-1538", - "control-0405", - "control-1503", - "control-0409", - "control-0411", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-0078", - "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - "control-1403", - 
"control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1491", - "control-1410", - "control-1469", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-1163", - "control-0911", - "control-0123", - "control-0141", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + 
"control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", "control-1082", "control-1083", "control-0240", 
@@ -491,36 +208,43 @@ "control-1088", "control-1300", "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0201", - "control-0202", - "control-0203", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0218", - "control-0247", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0663", + "control-0661", + "control-0665", + "control-0675", + "control-0664", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-0667", + "control-0660", + "control-0673", + "control-1294", + "control-1295", + "control-0247", "control-1137", "control-0249", "control-0246", 
@@ -557,95 +281,371 @@ "control-0198", "control-1123", "control-1135", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0663", - "control-0661", - "control-0665", - "control-0675", - "control-0664", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-0667", - "control-0660", - "control-0673", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", + "control-0201", + "control-0202", + "control-0203", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0218", "control-1395", "control-1529", "control-0873", "control-0072", "control-1073", "control-1451", - "control-1452" + "control-1452", + "control-0938", + "control-1467", + 
"control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1491", + "control-1410", + "control-1469", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1314", + 
"control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1461", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-0123", + "control-0141", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1213", + "control-0138", + "control-0576", + "control-0120", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + "control-1478", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + 
"control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0420", + "control-1538", + "control-0405", + "control-1503", + "control-0409", + "control-0411", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-0078", + "control-0854", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + 
"control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_March_2021_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_March_2021_OFFICIAL/profile.json index f2f5ea8..a5f17d0 100644 --- a/ISM_catalog_profile/profiles/ISM_March_2021_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_March_2021_OFFICIAL/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "5bd1492c-12e4-49d0-8a3f-b98866554bc3", + "uuid": "7cede2da-10b3-4e0c-83c0-1d124f699a5f", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:20:23.876+00:00", + "last-modified": "2022-04-28T11:43:43.867652+10:00", "version": "March_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
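Review bot: the `with-ids` hunks for ISM_March_2020_TOP_SECRET that end here look like a pure reordering rather than a content change: every id dropped near the top (`control-0042`, `control-1380` … `control-1501`) reappears near the bottom and vice versa, and the eight hunk headers (`@@ -14,69 +14,21 @@` through `@@ -557,95 +281,371 @@`) sum to a net change of zero lines. Please confirm that with a set comparison before merging, for example `jq -r '.. | objects | .["with-ids"]? // empty | .[]' profile.json | sort` on both revisions and diff the output, and consider having ISM.py emit `with-ids` in a stable order (sorted by id) so a regeneration does not produce several hundred lines of moves that can hide a real addition or removal. That concern is concrete for the ISM_March_2021_OFFICIAL profile whose diff starts on this line: its three visible hunk headers (`@@ -14,394 +14,170 @@`, `@@ -438,127 +214,168 @@`, `@@ -625,78 +432,271 @@`) sum to a net +10 lines, so that profile is not a pure reorder and the commit message should state which controls were added and why. The same regenerated `uuid` and local-offset `last-modified` issue noted for the TOP_SECRET header hunk recurs in the OFFICIAL header hunk here.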
@@ -14,394 +14,170 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + 
"control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - 
"control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - 
"control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-1629", - "control-0473", - "control-1630", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - 
"control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1115", + "control-1104", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-0100", + "control-1637", + "control-1638", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", "control-1406", "control-1608", "control-1588", 
@@ -438,127 +214,168 @@ "control-1390", "control-1418", "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0181", - "control-1111", - "control-0211", - "control-0208", - "control-0206", - "control-1096", - "control-1639", - "control-1640", - "control-0926", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1115", - "control-1104", - "control-1105", - "control-1095", - 
"control-1107", - "control-1109", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-0213", - "control-1116", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + 
"control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -589,25 +406,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", 
@@ -625,78 +432,271 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", "control-0325", "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-0100", - "control-1637", - "control-1638", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-1629", + "control-0473", + 
"control-1630", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + 
"control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + 
"control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_March_2021_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_March_2021_PROTECTED/profile.json index 8c87827..9a60757 100644 --- a/ISM_catalog_profile/profiles/ISM_March_2021_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_March_2021_PROTECTED/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "aa02adb6-e3e3-4492-bd7d-2e6791ac7be2", + "uuid": "1a66d67c-cdda-47a6-aeb4-8bbc943cc71d", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:20:23.881+00:00", + "last-modified": "2022-04-28T11:43:43.872637+10:00", "version": "March_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,394 +14,170 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + 
"control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - 
"control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - 
"control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-1629", - "control-0473", - "control-1630", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - 
"control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1115", + "control-1104", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-0100", + "control-1637", + "control-1638", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", "control-1406", "control-1608", "control-1588", 
@@ -438,128 +214,169 @@ "control-1390", "control-1418", "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1462", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0181", - "control-1111", - "control-0211", - "control-0208", - "control-0206", - "control-1096", - "control-1639", - "control-1640", - "control-0926", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1115", - "control-1104", - "control-1105", - 
"control-1095", - "control-1107", - "control-1109", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-0213", - "control-1116", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1462", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + 
"control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -590,25 +407,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", 
@@ -626,78 +433,271 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", "control-0325", "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-0100", - "control-1637", - "control-1638", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-1629", + "control-0473", + 
"control-1630", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + 
"control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + 
"control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_March_2021_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_March_2021_SECRET/profile.json index f13e0b4..8e68c31 100644 --- a/ISM_catalog_profile/profiles/ISM_March_2021_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_March_2021_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "2cffce7d-673a-4751-9af2-b0239288a55d", + "uuid": "8177a8bc-1d9c-4412-ad40-32094d6d0f9e", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:20:23.885+00:00", + "last-modified": "2022-04-28T11:43:43.878621+10:00", "version": "March_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,288 +14,451 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - 
"control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", + "control-0247", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1115", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + 
"control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - 
"control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + 
"control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + 
"control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-1641", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0840", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -303,7 +466,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -320,15 +498,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -371,344 +540,175 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0181", - "control-1111", - "control-0211", - "control-0208", - "control-0206", - "control-1096", - "control-1639", - "control-1640", - "control-0926", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1115", - "control-1105", - "control-1095", - "control-1107", - "control-1109", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-0213", - "control-1116", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - 
"control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-1641", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0840", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-1637", - "control-1638", - "control-1570", - "control-1529", - "control-1395", - 
"control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + 
"control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_March_2021_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_March_2021_TOP_SECRET/profile.json index f7ea4c9..e3d1fbb 100644 --- a/ISM_catalog_profile/profiles/ISM_March_2021_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_March_2021_TOP_SECRET/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "0a65ed1f-96b8-48e0-b41f-48867560f48a", + "uuid": "5f135555-1d2e-442d-ad12-9881f16d369e", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:20:23.901+00:00", + "last-modified": "2022-04-28T11:43:43.882610+10:00", "version": "March_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,286 +14,460 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - 
"control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1216", + "control-1112", + "control-1119", + "control-0184", + "control-0187", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + "control-0194", + "control-0201", + "control-1115", + "control-1133", + "control-1122", + "control-1134", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-0218", + "control-1101", + "control-1103", + "control-1100", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-0198", + "control-1123", + "control-1135", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + 
"control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", "control-0401", "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-1450", - 
"control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1314", + "control-0536", + 
"control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + 
"control-1598", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-1641", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-0835", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -301,7 +475,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -318,15 +507,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -369,353 +549,173 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0181", - "control-1111", - "control-0211", - "control-0208", - "control-0206", - "control-1096", - "control-1639", - "control-1640", - "control-0926", - "control-1216", - "control-1112", - "control-1119", - "control-0184", - "control-0187", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-0195", - "control-0194", - "control-0201", - "control-1115", - "control-1133", - "control-1122", - "control-1134", - "control-1105", - "control-1095", - "control-1107", - "control-1109", - "control-0218", - "control-1101", - "control-1103", - "control-1100", - "control-0213", - "control-1116", - "control-0216", - "control-0217", - "control-0198", - "control-1123", - "control-1135", - "control-0247", - "control-1137", - "control-0249", - "control-0246", - "control-0250", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - 
"control-0306", - "control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-1641", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-0835", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - 
"control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-1637", - "control-1638", - "control-1570", - "control-1529", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + 
"control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_May_2020_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_May_2020_OFFICIAL/profile.json index b12331e..ddd2c84 100644 --- a/ISM_catalog_profile/profiles/ISM_May_2020_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_May_2020_OFFICIAL/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "820a7f4d-35ab-42d5-ac22-267b4cbcb771", + "uuid": "2a3b6a1a-1b07-4fb5-be6a-9bca585ae6ac", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:21:09.927+00:00", + "last-modified": "2022-04-28T11:45:12.945940+10:00", "version": "May_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,66 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -90,6 +43,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -105,9 +61,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
@@ -118,132 +71,44 @@ "control-0359", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + 
"control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0643", "control-1157", "control-1158", "control-0648", "control-0610", + "control-0591", + "control-1480", + "control-0593", "control-0258", "control-0260", "control-0261", 
@@ -258,123 +123,162 @@ "control-0963", "control-0961", "control-1237", - "control-0591", - "control-1480", - "control-0593", - "control-1458", - "control-1431", - "control-1432", - "control-1433", - "control-1434", - "control-1435", - "control-1436", - "control-1518", - "control-1437", - "control-1438", - "control-1439", - "control-1441", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0405", - "control-1503", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - 
"control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-0667", + "control-1294", + "control-1295", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + 
"control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0100", + "control-1395", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -400,33 +304,150 @@ "control-1417", "control-1390", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + 
"control-0999", + "control-1000", + "control-1001", + "control-1458", + "control-1431", + "control-1432", + "control-1433", + "control-1434", + "control-1435", + "control-1436", + "control-1518", + "control-1437", + "control-1438", + "control-1439", + "control-1441", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", "control-0123", "control-0141", "control-0140", @@ -445,17 +466,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -467,158 +477,148 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0663", - "control-0661", - 
"control-0657", - "control-1187", - "control-0667", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", "control-1071", "control-1525", "control-0027", "control-1526", - "control-0100", - "control-1395", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0714", + "control-1478", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0405", + "control-1503", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + 
"control-1404", + "control-0407", + "control-0441", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_May_2020_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_May_2020_PROTECTED/profile.json index 8a3083e..5f315ad 100644 --- a/ISM_catalog_profile/profiles/ISM_May_2020_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_May_2020_PROTECTED/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "8ddd7d01-7d8e-47bb-9fd3-861079793400", + "uuid": "26ae85a9-39a3-4d0f-bbf2-8ee432f1a676", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:21:09.948+00:00", + "last-modified": "2022-04-28T11:45:12.950926+10:00", "version": "May_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,67 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -91,6 +43,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -106,9 +61,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
@@ -119,132 +71,44 @@ "control-0359", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + 
"control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0643", "control-1157", "control-1158", "control-0648", "control-0610", + "control-0591", + "control-1480", + "control-0593", "control-0258", "control-0260", "control-0261", 
@@ -259,127 +123,162 @@ "control-0963", "control-0961", "control-1237", - "control-0591", - "control-1480", - "control-0593", - "control-1458", - "control-1431", - "control-1432", - "control-1433", - "control-1434", - "control-1435", - "control-1436", - "control-1518", - "control-1437", - "control-1438", - "control-1439", - "control-1441", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1462", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-1538", - "control-0405", - "control-1503", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - 
"control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-0667", + "control-1294", + "control-1295", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + 
"control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0100", + "control-1395", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -405,33 +304,151 @@ "control-1417", "control-1390", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + 
"control-0999", + "control-1000", + "control-1001", + "control-1458", + "control-1431", + "control-1432", + "control-1433", + "control-1434", + "control-1435", + "control-1436", + "control-1518", + "control-1437", + "control-1438", + "control-1439", + "control-1441", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1462", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", "control-0123", "control-0141", "control-0140", @@ -450,17 +467,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -472,158 +478,152 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0663", - "control-0661", - 
"control-0657", - "control-1187", - "control-0667", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", "control-1071", "control-1525", "control-0027", "control-1526", - "control-0100", - "control-1395", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0714", + "control-1478", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-1538", + "control-0405", + "control-1503", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + 
"control-1175", + "control-0448", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_May_2020_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_May_2020_SECRET/profile.json index 95bc40e..6cb8a36 100644 --- a/ISM_catalog_profile/profiles/ISM_May_2020_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_May_2020_SECRET/profile.json 
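Review bot: the `with-ids` hunks for ISM_May_2020_PROTECTED/profile.json above appear to be a pure reordering rather than a change to the control set: the block removed at the head of the list (`control-0042` through `control-1024`) reappears at the tail, the `control-0374` / `control-0375` / `control-0378` triple moves up a few positions, and the `control-0580` ... `control-1228` run moves from the end to the start. That points to the generator iterating catalog groups in an order that is not stable between runs, which turns every regeneration into a several-hundred-line diff and hides any real control addition or removal. Either emit `with-ids` in a deterministic order (catalog order or sorted) or, if the new ordering is intentional, say so in the commit message. Before merging, confirm the set is unchanged rather than eyeballing it, for example by extracting and sorting the ids from both revisions and diffing them: `git show HEAD~1:ISM_catalog_profile/profiles/ISM_May_2020_PROTECTED/profile.json | jq -r '.. | .["with-ids"]? // empty | .[]' | sort > old.txt`, the same on the working-tree file into `new.txt`, then `diff old.txt new.txt` should print nothing.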
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "46827f6c-a033-47ee-a8fc-101a30232a97", + "uuid": "41174d57-ef36-4c45-ac09-ba4d452ab6d6", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:21:09.955+00:00", + "last-modified": "2022-04-28T11:45:12.954917+10:00", "version": "May_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
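Review bot: the profile `uuid` is rotated in this hunk (as it is in the PROTECTED hunk earlier in the patch) even though the remaining hunks for this file appear only to reorder the `with-ids` list, so anything that keys on the profile uuid will treat unchanged content as a brand-new document. Unless rotating every profile identifier on each regeneration is deliberate, have the generator keep the existing uuid when the resolved control set has not changed, or at least state in the commit message that all profile uuids are being reissued.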
@@ -14,69 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -93,6 +43,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -108,9 +61,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0352", "control-1065", 
@@ -124,121 +74,40 @@ "control-0360", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + 
"control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", "control-0641", "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0645", "control-1158", "control-0646", @@ -253,6 +122,10 @@ "control-0670", "control-1523", "control-0610", + "control-1480", + "control-1457", + "control-0593", + "control-0594", "control-0258", "control-0260", "control-0261", 
@@ -267,125 +140,173 @@ "control-0963", "control-0961", "control-1237", - "control-1480", - "control-1457", - "control-0593", - "control-0594", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1461", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0420", - "control-1538", - "control-0405", - "control-1503", - "control-0409", - "control-0411", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-0078", - "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - 
"control-1557", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0663", + "control-0661", + "control-0665", + "control-0675", + "control-0664", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-0667", + "control-0660", + "control-0673", + "control-1294", + 
"control-1295", + "control-0247", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1395", + "control-1529", + "control-0873", + "control-0072", + "control-1073", + "control-1451", + "control-1452", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", "control-1407", "control-1408", "control-1409", 
@@ -410,33 +331,131 @@ "control-1416", "control-1417", "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + 
"control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1461", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", "control-0123", "control-0141", "control-0140", @@ -455,17 +474,6 @@ "control-1271", "control-1272", "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", "control-1243", "control-1256", "control-1252", 
@@ -477,170 +485,162 @@ "control-1275", "control-1276", "control-1278", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - 
"control-1293", - "control-0663", - "control-0661", - "control-0665", - "control-0675", - "control-0664", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-0667", - "control-0660", - "control-0673", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", "control-1071", "control-1525", "control-0027", "control-1526", - "control-1395", - "control-1529", - "control-0873", - "control-0072", - "control-1073", - "control-1451", - "control-1452" + "control-0714", + "control-1478", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + 
"control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0420", + "control-1538", + "control-0405", + "control-1503", + "control-0409", + "control-0411", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-0078", + "control-0854", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_May_2020_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_May_2020_TOP_SECRET/profile.json index 9b00995..12524dd 100644 
--- a/ISM_catalog_profile/profiles/ISM_May_2020_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_May_2020_TOP_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "f6c719d1-6ee6-4166-8dd1-ee3a31c0abe7", + "uuid": "737e1149-0475-4843-a80a-daf632d17995", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:21:09.961+00:00", + "last-modified": "2022-04-28T11:45:12.958871+10:00", "version": "May_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
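Review bot: in the `@@ -1,9 +1,9 @@` hunk of ISM_May_2020_TOP_SECRET/profile.json the profile `uuid` is regenerated (`f6c719d1-6ee6-4166-8dd1-ee3a31c0abe7` becomes `737e1149-0475-4843-a80a-daf632d17995`) even though the file is only being re-emitted for the newer trestle; any downstream document or tooling that identifies this profile by its UUID will stop matching, so consider having the generator keep the existing UUID when the profile already exists on disk. The same hunk also changes `last-modified` from a UTC stamp (`2021-11-04T01:21:09.961+00:00`) to a local-offset stamp with microseconds (`2022-04-28T11:45:12.958871+10:00`); both forms are valid, but emitting UTC keeps regenerated files independent of the build machine's timezone.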
@@ -14,69 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1384", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-1539", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0363", "control-0350", "control-1361", @@ -92,6 +42,9 @@ "control-0372", "control-0373", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -107,9 +60,6 @@ "control-0831", "control-1059", "control-0347", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0352", "control-0835", 
@@ -124,119 +74,40 @@ "control-0360", "control-0947", "control-1464", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + 
"control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1551", + "control-0293", + "control-0294", + "control-0296", "control-1528", "control-0639", "control-1194", "control-0641", "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", "control-0645", "control-1158", "control-0646", @@ -251,6 +122,10 @@ "control-0670", "control-1523", "control-0610", + "control-1480", + "control-1457", + "control-0593", + "control-0594", "control-0258", "control-0260", "control-0261", 
@@ -265,216 +140,55 @@ "control-0963", "control-0961", "control-1237", - "control-1480", - "control-1457", - "control-0593", - "control-0594", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1460", - "control-1461", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-0252", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-0975", - "control-0420", - "control-1538", - "control-0405", - "control-1503", - "control-0409", - "control-0411", - "control-0816", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-1545", - "control-0430", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-0078", - "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - 
"control-0422", - "control-1558", - "control-1403", - "control-0431", - "control-0976", - "control-1227", - "control-1055", - "control-0418", - "control-1402", - "control-0428", - "control-0408", - "control-0979", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1491", - "control-1410", - "control-1469", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1487", - "control-1488", - "control-1489", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + 
"control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", "control-1082", "control-1083", "control-0240", 
@@ -492,37 +206,44 @@ "control-1088", "control-1300", "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0201", - "control-0202", - "control-0203", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0218", - "control-0247", - "control-1137", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0663", + "control-0661", + "control-0665", + "control-0675", + "control-0664", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-0667", + "control-0660", + "control-0673", + "control-1294", + "control-1295", + "control-0247", + "control-1137", "control-0249", "control-0246", "control-0250", 
@@ -558,95 +279,374 @@ "control-0198", "control-1123", "control-1135", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0663", - "control-0661", - "control-0665", - "control-0675", - "control-0664", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-0667", - "control-0660", - "control-0673", - "control-1294", - "control-1295", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", + "control-0201", + "control-0202", + "control-0203", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0218", "control-1395", "control-1529", "control-0873", "control-0072", "control-1073", "control-1451", - "control-1452" + "control-1452", + "control-0938", + "control-1467", + 
"control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1487", + "control-1488", + "control-1489", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1491", + "control-1410", + "control-1469", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1403", + "control-0431", + "control-0976", + "control-1227", + "control-1055", + "control-0418", + "control-1402", + "control-0428", + "control-0408", + "control-0979", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-1314", + 
"control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1460", + "control-1461", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-0123", + "control-0141", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1213", + "control-0138", + "control-0576", + "control-0120", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-0714", + "control-1478", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + 
"control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-1539", + "control-0039", + "control-0047", + "control-0888", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0252", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-0975", + "control-0420", + "control-1538", + "control-0405", + "control-1503", + "control-0409", + "control-0411", + "control-0816", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-1545", + "control-0430", + "control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-0078", + "control-0854", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1384", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + 
"control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_November_2020_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_November_2020_OFFICIAL/profile.json index 78f861f..0288c22 100644 --- a/ISM_catalog_profile/profiles/ISM_November_2020_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_November_2020_OFFICIAL/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "b38141a0-ea75-42f1-8553-7c9dbc82c510", + "uuid": "f9e92d2a-c3e3-4aee-a3cd-3f1e40e10017", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:20:42.758+00:00", + "last-modified": "2022-04-28T11:44:19.785692+10:00", "version": "November_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
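Review bot: the `remarks` context line in the `@@ -1,9 +1,9 @@` hunk of ISM_November_2020_OFFICIAL/profile.json (and of every other regenerated profile in this patch) still reads `scrips/ISM/ISM.py`; since the generator writes this string, fixing the typo once at the source (presumably `scripts/ISM/ISM.py`) would correct it in all profiles on the next regeneration instead of leaving it baked into each file.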
@@ -14,524 +14,96 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + 
"control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - 
"control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - 
"control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - "control-1546", - 
"control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1390", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - 
"control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", "control-0248", "control-0932", "control-0246", 
@@ -565,6 +137,244 @@ "control-1106", "control-1107", "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-0100", + "control-1570", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + 
"control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + 
"control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -594,25 +404,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", 
@@ -629,70 +429,270 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-0100", - "control-1570", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + 
"control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + 
"control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] 
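Review bot: These with-ids hunks are almost entirely a reordering, not a membership change, which makes the 500-line diff impossible to review by eye for an accidentally dropped control; for example, "control-0204" through "control-0217" are removed at the end of one block and re-added verbatim after "control-1109", and the "control-0331" … "control-1464" run is removed and re-added in the same order a few lines later. Consider having scrips/ISM/ISM.py emit the id list in a stable order (the catalog's order or sorted), and, for this PR, attach a check that the set of ids before and after is identical so reviewers can confirm the profile still selects the same controls.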
diff --git a/ISM_catalog_profile/profiles/ISM_November_2020_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_November_2020_PROTECTED/profile.json index 9f15c71..e717ae2 100644 --- a/ISM_catalog_profile/profiles/ISM_November_2020_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_November_2020_PROTECTED/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "a9d2cd66-e296-4d35-b7ca-69f004371d25", + "uuid": "95196874-29d8-44e4-8c2f-65f6fe97a44d", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:20:42.762+00:00", + "last-modified": "2022-04-28T11:44:19.793670+10:00", "version": "November_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,525 +14,96 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + 
"control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - 
"control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - 
"control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - "control-1546", - 
"control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1390", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1462", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - 
"control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", "control-0248", "control-0932", "control-0246", 
@@ -566,6 +137,245 @@ "control-1106", "control-1107", "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-0100", + "control-1570", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + 
"control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1462", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + 
"control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -595,25 +405,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", 
@@ -630,70 +430,270 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-0100", - "control-1570", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + 
"control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + 
"control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] 
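Review bot: this hunk rewrites nearly the whole `with-ids` list by moving existing control IDs to new positions rather than changing which controls are included, so the real additions and removals (for example the `control-0374`/`control-0375`/`control-0378` group that only moves, versus IDs that genuinely enter or leave the list) cannot be picked out by eye. Because the order of `include-controls/with-ids` does not affect which controls the profile resolves to, have the generator emit the IDs in a stable order (sorted, or in catalog order) so that future regenerations only produce a diff where the profile's control membership actually changed.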
diff --git a/ISM_catalog_profile/profiles/ISM_November_2020_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_November_2020_SECRET/profile.json index 670e173..536366b 100644 --- a/ISM_catalog_profile/profiles/ISM_November_2020_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_November_2020_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "25928179-7ff1-4073-8b3e-a7d262f5b190", + "uuid": "2baf5ed6-d8b1-44bb-b133-474e8f96d333", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:20:42.766+00:00", + "last-modified": "2022-04-28T11:44:19.803643+10:00", "version": "November_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
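Review bot: the `remarks` value still reads `scrips/ISM/ISM.py`; since the text states the profile is generated by that script and the same string appears unchanged in every profile, the typo should be fixed in the generator so all profiles are corrected in one place. Separately, both `uuid` and `last-modified` are regenerated on every run, so each regeneration rewrites these two fields in all profile files even when the control set is unchanged; consider preserving the existing `uuid` when the resolved content has not changed, or documenting that consumers must not rely on it being stable across regenerations.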
@@ -14,288 +14,448 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - 
"control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", + "control-0247", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-1570", + "control-1529", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + 
"control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - 
"control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + 
"control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + 
"control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0840", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -303,7 +463,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -320,15 +495,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -371,341 +537,175 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - 
"control-0944", - "control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0840", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-1570", - "control-1529", - "control-0072", - "control-1571", - "control-1451", - 
"control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + 
"control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_November_2020_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_November_2020_TOP_SECRET/profile.json index 6fd0422..4180c9a 100644 --- a/ISM_catalog_profile/profiles/ISM_November_2020_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_November_2020_TOP_SECRET/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "cfa06b55-07cc-4946-9ebc-c885b5e99469", + "uuid": "0e7cd041-f36e-455d-825b-6a8ddf0ac29e", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:20:42.770+00:00", + "last-modified": "2022-04-28T11:44:19.811623+10:00", "version": "November_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,286 +14,456 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - 
"control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1216", + "control-1112", + "control-1119", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + "control-0194", + "control-1101", + "control-1103", + "control-1100", + "control-1116", + "control-1115", + "control-1133", + "control-1122", + "control-1134", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0198", + "control-1123", + "control-1135", + "control-0201", + "control-0202", + "control-0203", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0218", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-1570", + "control-1529", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + 
"control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", "control-0401", "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - 
"control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + 
"control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0293", + 
"control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-0835", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -301,7 +471,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -318,15 +503,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -369,349 +545,173 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0201", - "control-0202", - "control-0203", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0218", - "control-0247", - "control-1137", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1216", - "control-1112", - "control-1119", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-0195", - "control-0194", - "control-1101", - "control-1103", - "control-1100", - "control-1116", - "control-1115", - "control-1133", - "control-1122", - "control-1134", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0198", - "control-1123", - "control-1135", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - 
"control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-0835", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - 
"control-1568", - "control-1395", - "control-1569", - "control-1570", - "control-1529", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + 
"control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_October_2020_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_October_2020_OFFICIAL/profile.json index 62f2b01..313bfd4 100644 --- a/ISM_catalog_profile/profiles/ISM_October_2020_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_October_2020_OFFICIAL/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "26c43541-9d1b-46a4-9d91-9e9a55060717", + "uuid": "56cbc845-9072-4398-bbb9-94a24e86fa37", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:20:47.498+00:00", + "last-modified": "2022-04-28T11:44:29.551590+10:00", "version": "October_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
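Review bot: the regenerated profile gets a fresh `uuid` (`26c43541-9d1b-46a4-9d91-9e9a55060717` becomes `56cbc845-9072-4398-bbb9-94a24e86fa37`) while `title`, `version` and `oscal-version` are unchanged, so every run of the generator re-identifies the same document and anything downstream that pins this profile by UUID will dangle after each regeneration; derive the UUID deterministically from the ISM version and catalog, or mint a new one only when the control set actually changes. The new `last-modified` value `2022-04-28T11:44:29.551590+10:00` also switches from millisecond precision in UTC to microseconds with a local +10:00 offset, which makes the output depend on the machine the generator runs on; emit UTC at fixed precision instead. While the generator template is being touched, the unchanged remarks line still reads `scrips/ISM/ISM.py` and should say `scripts`.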
@@ -14,250 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - 
"control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - 
"control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0569", "control-0571", "control-0570", 
@@ -275,229 +44,27 @@ "control-1234", "control-1502", "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - 
"control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1390", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - 
"control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", "control-1533", "control-1195", "control-1400", @@ -516,18 +83,27 @@ "control-1366", "control-0874", "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", "control-0248", "control-0932", "control-0246", 
@@ -561,6 +137,240 @@ "control-1106", "control-1107", "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-0100", + "control-1570", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + 
"control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + 
"control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -590,25 +400,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", @@ -625,6 +425,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -641,9 +444,6 @@ "control-1059", "control-0347", "control-0947", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
@@ -653,42 +453,242 @@ "control-0836", "control-0359", "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-0100", - "control-1570", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + 
"control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + 
"control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_October_2020_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_October_2020_PROTECTED/profile.json index 0c1ee9e..3912431 100644 --- a/ISM_catalog_profile/profiles/ISM_October_2020_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_October_2020_PROTECTED/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "be52ff43-7960-4dfa-a06a-a185ab9d3123", + "uuid": "2b5b6e17-9334-4b4f-b8c2-240c6f01494d", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:20:47.503+00:00", + "last-modified": "2022-04-28T11:44:29.557572+10:00", "version": "October_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
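Review bot: the with-ids hunks for this profile (@@ -561,6 +137,240 @@ through @@ -653,42 +453,242 @@) reorder the control list rather than change it, and at this size nobody can confirm by eye that no id was dropped or duplicated in the move; the run control-0714 … control-0735 and control-1452 … control-1576 removed in the last hunk is the same run added near the top, while control-0336 … control-0164, removed at @@ -590,25 +400,15 @@, must be found again somewhere else in the same file. Because these profiles define which ISM controls are in scope for each classification, a silently missing id narrows the assessment scope without anyone noticing, so please add a set-equality check to the PR (or to the generator) along the lines of `jq -r '.. | ."with-ids"? // empty | .[]' profile.json | sort -u` run on both sides and diffed per profile, and consider having the generator emit with-ids in one stable order (sorted, or the catalog's order) so the next regeneration produces a minimal, reviewable diff instead of another full rewrite.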
@@ -14,250 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - 
"control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - 
"control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0569", "control-0571", "control-0570", 
@@ -275,230 +44,27 @@ "control-1234", "control-1502", "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - 
"control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1390", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1462", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - 
"control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", "control-1533", "control-1195", "control-1400", @@ -517,18 +83,27 @@ "control-1366", "control-0874", "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", "control-0248", "control-0932", "control-0246", 
@@ -562,6 +137,241 @@ "control-1106", "control-1107", "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-0100", + "control-1570", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + 
"control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1462", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + 
"control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", @@ -591,25 +401,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", @@ -626,6 +426,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -642,9 +445,6 @@ "control-1059", "control-0347", "control-0947", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
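Review bot: the hunk pair @@ -626,6 +426,9 @@ and @@ -642,9 +445,6 @@ moves control-0374, control-0375 and control-0378 three positions earlier with no other change, and the same pure move appears in the previous profile at @@ -641,9 +444,6 @@; together with control-0457, control-0465 and control-1462 being removed at @@ -275,230 +44,27 @@ and added back further down, this shows the generator now walks the catalog in a different order, which the commit message ("demos work with trestle 1.0.x") does not mention. Please state in the description that the profile regeneration is an ordering-only change (and what caused the new order) so that a reader of the history does not have to reconstruct that from a diff of several thousand lines.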
@@ -654,42 +454,242 @@ "control-0836", "control-0359", "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-0100", - "control-1570", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + 
"control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + 
"control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_October_2020_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_October_2020_SECRET/profile.json index 12a33d3..22dfa8e 100644 --- a/ISM_catalog_profile/profiles/ISM_October_2020_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_October_2020_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "f427a6d8-62fa-4c62-8370-4888111d49fc", + "uuid": "bf7cdb06-a5ab-46b2-acb4-da60257694e3", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:20:47.508+00:00", + "last-modified": "2022-04-28T11:44:29.562558+10:00", "version": "October_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
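Review bot: the metadata hunk (@@ -1,9 +1,9 @@) replaces a UTC, millisecond-precision last-modified ("2021-11-04T01:20:47.508+00:00") with a local-offset, microsecond-precision value ("2022-04-28T11:44:29.562558+10:00"), so committed artifacts now encode the generating machine's time zone and the format differs between profiles written before and after this change; if the generator is the Python script named in the remarks, emitting `datetime.now(timezone.utc).isoformat(timespec='milliseconds')` keeps the field consistent and machine-independent. Every run also mints a fresh uuid (f427a6d8… becomes bf7cdb06…), which is correct for a changed document but means consumers cannot tell a regeneration from a content change, so pairing the uuid bump with the ordering-only note suggested above matters. Finally, the unchanged remarks line reads "generated using scrips/ISM/ISM.py", which looks like a typo for scripts/ISM/ISM.py; since remarks is generated text, the fix belongs in the generator rather than in these JSON files.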
@@ -14,393 +14,175 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - 
"control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - 
"control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0420", - "control-0405", - "control-1503", - "control-1566", - "control-0409", - "control-0411", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - "control-0078", - "control-0854", - 
"control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", + "control-0247", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-1570", + "control-1529", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", "control-1406", 
"control-1608", "control-1588", @@ -436,41 +218,58 @@ "control-1417", "control-1418", "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", "control-1460", "control-1604", "control-1605", "control-1606", "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", "control-0123", "control-0141", "control-1433", 
@@ -485,82 +284,87 @@ "control-0138", "control-0576", "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + 
"control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", "control-0313", "control-1550", "control-0311", @@ -592,33 +396,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", @@ -635,6 +421,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", 
@@ -651,57 +440,268 @@ "control-1059", "control-0347", "control-0947", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0352", "control-1065", "control-0354", "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-1570", - "control-1529", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + 
"control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0420", + "control-0405", + "control-1503", + "control-1566", + "control-0409", + "control-0411", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-0078", + "control-0854", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + 
"control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_October_2020_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_October_2020_TOP_SECRET/profile.json index 0b5bd0c..adfdd53 100644 --- a/ISM_catalog_profile/profiles/ISM_October_2020_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_October_2020_TOP_SECRET/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "f17e0630-82fd-402b-babf-14fd4e1d57ac", + "uuid": "a907e1b3-8b34-4c2e-b433-c328c759f5dd", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:20:47.513+00:00", + "last-modified": "2022-04-28T11:44:29.566548+10:00", "version": "October_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
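Review bot: the `uuid` line in this hunk is regenerated on every run (`f17e0630-...` becomes `a907e1b3-...`), so anything that references this profile by UUID (an SSP import, a resolved catalog, a test fixture) breaks each time the demos are rebuilt; keep the UUID stable unless the profile content actually changes. The `last-modified` line also changes shape, from millisecond-precision UTC (`2021-11-04T01:20:47.513+00:00`) to microsecond-precision local time (`2022-04-28T11:44:29.566548+10:00`); have the generator emit a normalized UTC timestamp with fixed precision so the output is reproducible across machines and reviewers can tell a content change from a regeneration. Finally, the unchanged `remarks` context line still points at `scrips/ISM/ISM.py`, which looks like a typo for `scripts/`; fix the path in the generator so the provenance note in every regenerated profile is correct.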
@@ -14,284 +14,452 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - 
"control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1216", + "control-1112", + "control-1119", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + "control-0194", + "control-1101", + "control-1103", + "control-1100", + "control-1116", + "control-1115", + "control-1133", + "control-1122", + "control-1134", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0198", + "control-1123", + "control-1135", + "control-0201", + "control-0202", + "control-0203", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0218", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-1570", + "control-1529", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + 
"control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - 
"control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-0120", + "control-1314", + "control-0536", + 
"control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + 
"control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-0835", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -299,7 +467,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -316,15 +499,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -367,347 +541,173 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - 
"control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0201", - "control-0202", - "control-0203", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0218", - "control-0247", - "control-1137", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1216", - "control-1112", - "control-1119", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-0195", - "control-0194", - "control-1101", - "control-1103", - "control-1100", - "control-1116", - "control-1115", - "control-1133", - "control-1122", - "control-1134", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0198", - "control-1123", - "control-1135", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - 
"control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-0835", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - 
"control-1569", - "control-1570", - "control-1529", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + 
"control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_September_2020_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_September_2020_OFFICIAL/profile.json index a755440..495a182 100644 --- a/ISM_catalog_profile/profiles/ISM_September_2020_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_September_2020_OFFICIAL/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "d8864a11-4448-421e-bed1-ce851fa85c88", + "uuid": "d89859dc-18db-4672-bf64-5f873261b8c6", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:20:52.001+00:00", + "last-modified": "2022-04-28T11:44:38.321414+10:00", "version": "September_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,250 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - 
"control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - 
"control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0569", "control-0571", "control-0570", 
@@ -275,223 +44,27 @@ "control-1234", "control-1502", "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-1161", - "control-0459", - "control-0455", - "control-0462", - "control-1162", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - 
"control-1594", - "control-1595", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1390", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", + "control-0264", + 
"control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", "control-1533", "control-1195", "control-1400", @@ -510,24 +83,33 @@ "control-1366", "control-0874", "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", - "control-0926", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-0926", "control-0825", "control-0826", "control-1215", 
@@ -555,6 +137,221 @@ "control-1106", "control-1107", "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-0100", + "control-1570", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + 
"control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", "control-0311", 
@@ -584,25 +381,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", @@ -619,6 +406,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -635,9 +425,6 @@ "control-1059", "control-0347", "control-0947", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
@@ -647,29 +434,242 @@ "control-0836", "control-0359", "control-1464", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-0100", - "control-1570", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-1161", + "control-0459", + "control-0455", + "control-0462", + "control-1162", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + 
"control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + 
"control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_September_2020_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_September_2020_PROTECTED/profile.json index 4257576..6a79eab 100644 --- a/ISM_catalog_profile/profiles/ISM_September_2020_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_September_2020_PROTECTED/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "fc652a38-6f9a-4978-9fd6-056d24ce89fb", + "uuid": "914ac18c-8bb9-4fe7-bce4-9bcdd038868c", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:20:52.005+00:00", + "last-modified": "2022-04-28T11:44:38.327398+10:00", "version": "September_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
@@ -14,250 +14,19 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", - "control-0280", - "control-0285", - "control-0286", - "control-0289", - "control-0290", - "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - 
"control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - 
"control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", "control-0569", "control-0571", "control-0570", 
@@ -275,224 +44,27 @@ "control-1234", "control-1502", "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-0471", - "control-0994", - "control-0472", - "control-0473", - "control-1446", - "control-0474", - "control-0475", - "control-0476", - "control-0477", - "control-1054", - "control-0479", - "control-0480", - "control-0501", - "control-0142", - "control-1091", - "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", - "control-0457", - "control-0459", - "control-0455", - "control-0462", - "control-0465", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0405", - "control-1503", - "control-1566", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1559", - "control-1357", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - 
"control-1594", - "control-1595", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1390", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1462", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", + 
"control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1058", + "control-0222", "control-1533", "control-1195", "control-1400", @@ -511,23 +83,32 @@ "control-1366", "control-0874", "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - "control-0246", - "control-0250", - "control-0181", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", + "control-0280", + "control-0285", + "control-0286", + "control-0289", + "control-0290", + "control-0292", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", "control-0926", "control-0825", "control-0826", 
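Review bot: the with-ids hunks in this profile appear to move control ids to new positions rather than change membership (for example `"control-0580"` through `"control-1228"` are removed in one hunk and re-added in another, and `"control-0264"` through `"control-1023"` likewise), which makes the diff very hard to review for an accidentally dropped or duplicated id. Suggest confirming that the sorted set of ids before and after is identical, and, if the order is an artefact of the generator, emitting with-ids in a deterministic order (for instance the catalog order or sorted by id) so that future regenerations produce a minimal diff.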
@@ -556,6 +137,222 @@ "control-1106", "control-1107", "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-0100", + "control-1570", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1559", + "control-1357", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + 
"control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1462", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", "control-0313", "control-1550", 
"control-0311", @@ -585,25 +382,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1058", - "control-0222", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", @@ -620,6 +407,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", @@ -636,9 +426,6 @@ "control-1059", "control-0347", "control-0947", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0351", "control-1065", 
@@ -648,29 +435,242 @@ "control-0836", "control-0359", "control-1464", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-0100", - "control-1570", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-0471", + "control-0994", + "control-0472", + "control-0473", + "control-1446", + "control-0474", + "control-0475", + "control-0476", + "control-0477", + "control-1054", + "control-0479", + "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0501", + "control-0142", + "control-1091", + "control-0505", + "control-0457", + "control-0459", + "control-0455", + "control-0462", + "control-0465", + "control-0481", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0405", + "control-1503", + "control-1566", + "control-1507", + "control-1508", + "control-0445", + "control-1509", + "control-1175", + "control-0448", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-1425", + 
"control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + 
"control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_September_2020_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_September_2020_SECRET/profile.json index ae14274..72db7ea 100644 --- a/ISM_catalog_profile/profiles/ISM_September_2020_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_September_2020_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "2193317e-2c2c-4ba8-b25d-482e77b0c2e1", + "uuid": "5e3ada28-7254-40ad-8d14-5a9e801c5fee", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:20:52.010+00:00", + "last-modified": "2022-04-28T11:44:38.333383+10:00", "version": "September_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
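Review bot: the metadata hunk regenerates `uuid` and `last-modified` on every run, and the timestamp also changes format from UTC (`2021-11-04T01:20:52.010+00:00`) to a local offset with microsecond precision (`2022-04-28T11:44:38.333383+10:00`). If the profile content is only reordered, consider whether issuing a new uuid is intended, since consumers that pin on the document uuid will treat this as a different profile; normalising the timestamp to UTC would also keep regenerated files comparable. Separately, the unchanged `remarks` context line refers to `scrips/ISM/ISM.py`, which looks like a typo for `scripts/` in the generator's template.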
@@ -14,391 +14,175 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0223", + "control-1533", + "control-1195", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - "control-1334", - "control-1335", - 
"control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", - "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - 
"control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0490", - "control-0460", - "control-0461", - "control-1080", - "control-0455", - "control-0462", - "control-0467", - "control-0469", - "control-0494", - "control-0496", - "control-1233", - "control-0497", - "control-0498", - "control-0998", - "control-0999", - "control-1000", - "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", - "control-0252", - "control-1565", - "control-0817", - "control-0820", - "control-1146", - "control-0821", - "control-0824", - "control-0432", - "control-0434", - "control-0435", - "control-0414", - "control-0415", - "control-1583", - "control-0975", - "control-0420", - "control-0405", - "control-1503", - "control-1566", - "control-0409", - "control-0411", - "control-1507", - "control-1508", - "control-0445", - "control-1509", - "control-1175", - "control-0448", - "control-0446", - "control-0447", - "control-0430", - "control-1591", - "control-1404", - "control-0407", - "control-0441", - "control-0443", - "control-1610", - "control-1611", - "control-1612", - "control-1613", - "control-1614", - "control-1615", - "control-0078", - "control-0854", - 
"control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1560", - "control-1357", - "control-0417", - "control-1557", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", + "control-0247", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1215", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-1116", + "control-1115", + "control-1104", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-1093", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-1570", + "control-1529", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", "control-1406", "control-1608", "control-1588", 
@@ -430,41 +214,56 @@ "control-1417", "control-1418", "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1560", + "control-1357", + "control-0417", + "control-1557", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", "control-1460", "control-1604", "control-1605", "control-1606", "control-1607", "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", + "control-1616", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", "control-0123", "control-0141", "control-1433", 
@@ -479,82 +278,74 @@ "control-0138", "control-0576", "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-1093", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1215", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-1116", - "control-1115", - "control-1104", - "control-1105", - "control-1106", - "control-1107", - "control-1109", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + "control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + 
"control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", "control-0313", "control-1550", "control-0311", @@ -586,33 +377,15 @@ "control-0294", "control-0296", "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0223", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", "control-0363", "control-0350", "control-1361", @@ -629,6 +402,9 @@ "control-0373", "control-0840", "control-0839", + "control-0374", + "control-0375", + "control-0378", "control-1549", "control-1359", "control-0323", 
@@ -645,44 +421,268 @@ "control-1059", "control-0347", "control-0947", - "control-0374", - "control-0375", - "control-0378", "control-0348", "control-0352", "control-1065", "control-0354", "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-1570", - "control-1529", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", + "control-0460", + "control-0461", + "control-1080", + "control-0455", + "control-0462", + "control-0467", + "control-0469", + "control-0494", + "control-0496", + "control-1233", + "control-0497", + "control-0498", + "control-0998", + "control-0999", + "control-1000", + "control-1001", + "control-0252", + "control-1565", + "control-0817", + "control-0820", + "control-1146", + "control-0821", + "control-0824", + "control-0432", + "control-0434", + "control-0435", + "control-0414", + "control-0415", + "control-1583", + "control-0975", + "control-0420", + "control-0405", + "control-1503", + "control-1566", + "control-0409", + "control-0411", + "control-1507", + "control-1508", + "control-0445", + 
"control-1509", + "control-1175", + "control-0448", + "control-0446", + "control-0447", + "control-0430", + "control-1591", + "control-1404", + "control-0407", + "control-0441", + "control-0443", + "control-1610", + "control-1611", + "control-1612", + "control-1613", + "control-1614", + "control-1615", + "control-0078", + "control-0854", + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + 
"control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_September_2020_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_September_2020_TOP_SECRET/profile.json index 8e95f42..d648ec2 100644 --- a/ISM_catalog_profile/profiles/ISM_September_2020_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_September_2020_TOP_SECRET/profile.json 
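Review bot: the with-ids hunks in this profile are overwhelmingly a reorder rather than a membership change, and the diff does not make that distinction visible. At @@ -586,33 +377,15 @@ the run "control-0663", "control-0661", ... "control-0660" is deleted after "control-1599" while the same eleven ids are added at the top of this block, "control-0714", "control-1478", "control-1071", "control-1525", "control-0027", "control-1526", "control-1587" are added there and deleted again in the next hunk, and "control-0374", "control-0375", "control-0378" move from after "control-0947" to after "control-0839". If the new order is the regenerated catalog's order, say so in the commit message; otherwise have ISM.py write with-ids in a stable order (catalog order or sorted) so that a later diff shows only real additions and removals. In either case a check that the old and new id lists have the same length and the same members would let this be merged without reading several hundred moved strings.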
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "af50792c-dd98-4bfd-bbcb-e8a2a0352f14", + "uuid": "f24aa495-65fa-4f50-ac16-0935a12b1faf", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:20:52.014+00:00", + "last-modified": "2022-04-28T11:44:38.338368+10:00", "version": "September_2020", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
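Review bot: the metadata hunk changes the timestamp format, not just its value: "last-modified" goes from "2021-11-04T01:20:52.014+00:00" to "2022-04-28T11:44:38.338368+10:00", i.e. from UTC at millisecond precision to the generating machine's local offset at microsecond precision, so the field now depends on where the script was run. Normalize to UTC with a fixed precision in ISM.py so regenerated profiles are comparable across machines. The "uuid" also changes from "af50792c-dd98-4bfd-bbcb-e8a2a0352f14" to "f24aa495-65fa-4f50-ac16-0935a12b1faf" although nothing about the profile's identity changed; a fresh random UUID per regeneration means anything that identifies this profile by uuid sees a different object after every run. Consider a deterministic UUID derived from the ISM version and classification, or state in the commit message that a new UUID per regeneration is intended. The unchanged remarks line still says "generated using scrips/ISM/ISM.py"; if that is a typo for scripts/, fix it in the generator so the next regeneration corrects every profile. The same points apply to the OFFICIAL profile's metadata hunk later in this patch.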
@@ -14,284 +14,433 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1382", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1144", - "control-0940", - "control-1472", - "control-1494", - "control-1495", - "control-1496", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1512", - "control-1513", - "control-1514", - "control-1515", - "control-1516", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + 
"control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0336", + "control-0159", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1543", + "control-0225", + "control-0829", + "control-1058", + "control-0224", + "control-0221", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1319", - "control-1320", - "control-1321", - "control-1322", - "control-1324", - "control-1323", - "control-1325", - "control-1326", - "control-1327", - "control-1330", - "control-1454", - "control-1332", - 
"control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", - "control-0400", - "control-1419", - "control-1420", - "control-1422", - "control-1238", - "control-0401", - "control-0402", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-0926", + "control-0825", + "control-0826", + "control-1216", + "control-1112", + "control-1119", + "control-0184", + "control-0187", + "control-1111", + "control-0189", + "control-0190", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + "control-0194", + "control-1101", + "control-1103", + "control-1100", + "control-1116", + "control-1115", + "control-1133", + "control-1122", + "control-1134", + "control-1105", + "control-1106", + "control-1107", + "control-1109", + "control-0198", + "control-1123", + "control-1135", + "control-0201", + "control-0202", + "control-0203", + "control-0204", + "control-1095", + "control-1096", + "control-0206", + "control-0208", + "control-0211", + "control-0213", + "control-0214", + "control-1094", + "control-0216", + "control-0217", + "control-0218", + "control-1452", + "control-1567", + "control-1568", + "control-1395", + "control-1569", + "control-1570", + "control-1529", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + 
"control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1412", + "control-1484", + "control-1485", + "control-1486", + "control-1541", + "control-1542", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1487", + "control-1488", + "control-1489", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-0846", + "control-0957", + "control-1414", + "control-1492", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1384", + "control-1504", + "control-1505", + "control-1401", + "control-1561", + "control-1357", + "control-0417", + "control-0422", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-0418", + "control-1597", + "control-1402", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", + "control-0400", + "control-1419", + "control-1420", + "control-1422", + "control-1238", + "control-0401", + "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - 
"control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", - "control-1232", - "control-1468", - "control-0499", - "control-0505", - "control-0506", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-0120", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1319", + "control-1320", + 
"control-1321", + "control-1322", + "control-1324", + "control-1323", + "control-1325", + "control-1326", + "control-1327", + "control-1330", + "control-1454", + "control-1332", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1071", + "control-1525", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-0370", + 
"control-0371", + "control-0372", + "control-0373", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-0323", + "control-0325", + "control-0331", + "control-0330", + "control-0332", + "control-1600", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0831", + "control-1059", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-0835", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", "control-1506", "control-0484", "control-0485", @@ -299,7 +448,22 @@ "control-0487", "control-0488", "control-0489", + "control-1232", + "control-1468", "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", + "control-0499", + "control-0505", + "control-0506", "control-0460", "control-0461", "control-1080", @@ -316,15 +480,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -367,328 +522,173 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1384", - "control-1504", - "control-1505", - "control-1401", - "control-1561", - "control-1357", - "control-0417", - "control-0422", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-0418", - "control-1597", - "control-1402", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-0846", - "control-0957", - "control-1414", - "control-1492", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1412", - "control-1484", - "control-1485", - "control-1486", - "control-1541", - "control-1542", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1487", - "control-1488", - "control-1489", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - 
"control-0138", - "control-0576", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0201", - "control-0202", - "control-0203", - "control-0204", - "control-1095", - "control-1096", - "control-0206", - "control-0208", - "control-0211", - "control-0213", - "control-0214", - "control-1094", - "control-0216", - "control-0217", - "control-0218", - "control-0247", - "control-1137", - "control-0249", - "control-0246", - "control-0250", - "control-0181", - "control-0926", - "control-0825", - "control-0826", - "control-1216", - "control-1112", - "control-1119", - "control-0184", - "control-0187", - "control-1111", - "control-0189", - "control-0190", - "control-1114", - "control-1130", - "control-1164", - "control-0195", - "control-0194", - "control-1101", - "control-1103", - "control-1100", - "control-1116", - "control-1115", - "control-1133", - "control-1122", - "control-1134", - "control-1105", - "control-1106", - "control-1107", - "control-1109", - "control-0198", - "control-1123", - "control-1135", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - 
"control-1598", - "control-1551", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0336", - "control-0159", - "control-0161", - "control-1543", - "control-0225", - "control-0829", - "control-1058", - "control-0224", - "control-0221", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0839", - "control-1549", - "control-1359", - "control-0323", - "control-0325", - "control-0331", - "control-0330", - "control-0332", - "control-1600", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0831", - "control-1059", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-0835", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1071", - "control-1525", - "control-0027", - "control-1526", - "control-1587", - "control-1452", - "control-1567", - "control-1568", - "control-1395", - "control-1569", - "control-1570", - "control-1529", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + 
"control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + 
"control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1512", + "control-1513", + "control-1514", + "control-1515", + "control-1516", + "control-1211", + "control-0042", + "control-1380", + "control-1382", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1144", + "control-0940", + "control-1472", + "control-1494", + "control-1495", + "control-1496", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_September_2021_OFFICIAL/profile.json b/ISM_catalog_profile/profiles/ISM_September_2021_OFFICIAL/profile.json index 350e7bc..ab5eca8 100644 --- a/ISM_catalog_profile/profiles/ISM_September_2021_OFFICIAL/profile.json +++ b/ISM_catalog_profile/profiles/ISM_September_2021_OFFICIAL/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "f58d7057-1273-44e3-b7f3-b70efc5825d8", + "uuid": "535594ad-f267-4f01-9586-8c50598af7dc", "metadata": { "title": "Australian Government Information Security Manual profile for OFFICIAL", - "last-modified": "2021-11-04T01:20:09.946+00:00", + "last-modified": "2022-04-28T11:43:22.300895+10:00", "version": "September_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
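Review bot: the three with-ids hunks in the TOP_SECRET profile move the same ids around rather than changing membership, and that equivalence should be verified rather than assumed. The nine ids deleted at @@ -316,15 +480,6 @@ ("control-0041", "control-0043", "control-1163", "control-1563", "control-1564", "control-0039", "control-0047", "control-0888", "control-1602") are exactly the nine inserted after "control-1599" in the first hunk, and the block "control-1232", "control-1468", "control-0499", "control-0505", "control-0506" deleted in the first hunk is re-inserted at @@ -299,7 +448,22 @@. The group beginning "control-0042", "control-1380" and ending "control-0304", "control-1501" has moved from the head of the list to its tail, which looks like a change in the order the generator walks the ISM sections; that deserves a sentence in the commit message, since "demos work with trestle 1.0.x" does not explain why every profile's control order changed. An assertion in the generator, or a test, that the sorted old and new id lists are equal when only the tooling changed would catch an accidentally dropped control among these several hundred moved lines.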
@@ -14,188 +14,270 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1687", - "control-1688", - "control-1689", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1643", - "control-1690", - "control-1691", - "control-1692", - "control-1693", - "control-1694", - "control-1695", - "control-1696", - "control-1697", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-1698", - "control-1699", - "control-1700", - "control-1701", - "control-1702", - "control-1703", - "control-1704", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1705", - "control-1706", - "control-1707", - "control-1708", - "control-1515", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + 
"control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1644", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1709", - "control-1710", - "control-1319", - "control-1320", - "control-1332", - "control-1321", - "control-1711", - "control-1322", - 
"control-1324", - "control-1323", - "control-1327", - "control-1330", - "control-1712", - "control-1454", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-1645", + "control-1646", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-0189", + "control-1114", + "control-1130", + "control-1164", + "control-1115", + "control-1104", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-0100", + "control-1637", + "control-1638", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1486", + "control-1485", + "control-1666", + "control-1667", + 
"control-1668", + "control-1669", + "control-1542", + "control-1670", + "control-1412", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1671", + "control-1488", + "control-1672", + "control-1673", + "control-1674", + "control-1487", + "control-1675", + "control-1676", + "control-1489", + "control-1677", + "control-1678", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1654", + "control-1655", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-1656", + "control-1657", + "control-1658", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-1659", + "control-0846", + "control-1660", + "control-1661", + "control-1662", + "control-0957", + "control-1663", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1664", + "control-1665", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1679", + "control-1680", + "control-1681", + "control-1505", + "control-1401", + "control-1682", + "control-1559", + "control-1357", + "control-1683", + "control-1684", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-1685", + "control-0418", + "control-1597", + "control-1402", + "control-1686", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", 
"control-0400", "control-1419", "control-1420", 
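Review bot: the block of ids added at the head of with-ids in this hunk (control-0582 through control-1556 on the visible lines) is not new coverage, since the same ids are removed further down this file in the @@ -389,362 +580,171 @@ hunk, so what the hunk records is a reorder of the include-controls list, and a reorder of this size hides any genuine membership change from a reviewer. Please have the generator emit with-ids in a stable order (sorted, or the catalog's own order, applied the same way on every run) so the next regeneration does not churn every profile again, and list any ids that were actually added or dropped in the commit message.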
@@ -204,103 +286,218 @@ "control-0401", "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + 
"control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1709", + "control-1710", + "control-1319", + "control-1320", + "control-1332", + "control-1321", + "control-1711", + "control-1322", + "control-1324", + "control-1323", + "control-1327", + "control-1330", + "control-1712", + "control-1454", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", + "control-0313", + "control-1550", + 
"control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0336", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-1641", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0840", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-1713", + "control-0323", + "control-0325", + "control-0330", + "control-0831", + "control-1059", + "control-0332", + "control-1600", + "control-1642", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", "control-0471", "control-0994", "control-0472", 
@@ -314,24 +511,27 @@ "control-0477", "control-0479", "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", "control-0501", "control-0142", "control-1091", "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", "control-1161", "control-0459", "control-0455", "control-0462", "control-1162", + "control-0481", "control-0494", "control-0496", "control-1233", @@ -341,15 +541,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
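Review bot: the nine ids dropped by the @@ -341,15 +541,6 @@ hunk (control-0041, control-0043, control-1163, control-1563, control-1564, control-0039, control-0047, control-0888, control-1602) are the ones inserted after control-1599 in the @@ -204 hunk above, and in the @@ -314 hunk control-0481 and control-0490 only change position while the remaining removals and additions pair off with that same hunk, so neither hunk changes membership; but because unchanged context ids (control-0501, control-0142, control-1091, control-0505) sit between the moved blocks, git will treat these as conflicting edits against any other branch that touches the same profile. Treat the profiles as build outputs: resolve conflicts by re-running the generator rather than hand-merging id lists, and say so in the README or the script header.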
@@ -389,362 +580,171 @@ "control-1613", "control-1614", "control-1615", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1679", - "control-1680", - "control-1681", - "control-1505", - "control-1401", - "control-1682", - "control-1559", - "control-1357", - "control-1683", - "control-1684", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-1685", - "control-0418", - "control-1597", - "control-1402", - "control-1686", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1654", - "control-1655", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-1656", - "control-1657", - "control-1658", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-1659", - "control-0846", - "control-1660", - "control-1661", - "control-1662", - "control-0957", - "control-1663", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1664", - "control-1665", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1390", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1486", - "control-1485", - "control-1666", - "control-1667", - "control-1668", - "control-1669", - "control-1542", - "control-1670", - "control-1412", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1671", - "control-1488", - "control-1672", - "control-1673", - "control-1674", - 
"control-1487", - "control-1675", - "control-1676", - "control-1489", - "control-1677", - "control-1678", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1644", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0181", - "control-1111", - "control-0211", - "control-0208", - "control-1645", - "control-1646", - "control-0206", - "control-1096", - "control-1639", - "control-1640", - "control-0926", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-0189", - "control-1114", - "control-1130", - "control-1164", - "control-1115", - "control-1104", - "control-1105", - "control-1095", - "control-1107", - "control-1109", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-0213", - "control-1116", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - 
"control-0246", - "control-0250", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0336", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0161", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-1641", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0840", - "control-0839", - "control-1549", - "control-1359", - "control-1713", - "control-0323", - "control-0325", - "control-0330", - "control-0831", - "control-1059", - "control-0332", - "control-1600", - "control-1642", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - 
"control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-0100", - "control-1637", - "control-1638", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + 
"control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1705", + "control-1706", + "control-1707", + "control-1708", + "control-1515", + "control-1211", + "control-0042", + "control-1380", + "control-1687", + "control-1688", + "control-1689", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1643", + "control-1690", + "control-1691", + "control-1692", + "control-1693", + "control-1694", + "control-1695", + "control-1696", + "control-1697", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-1698", + "control-1699", + "control-1700", + "control-1701", + "control-1702", + "control-1703", + "control-1704", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_September_2021_PROTECTED/profile.json b/ISM_catalog_profile/profiles/ISM_September_2021_PROTECTED/profile.json index 7135c4a..b891383 100644 --- a/ISM_catalog_profile/profiles/ISM_September_2021_PROTECTED/profile.json +++ b/ISM_catalog_profile/profiles/ISM_September_2021_PROTECTED/profile.json 
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "f4f1cf21-049d-48e3-81f6-0a3730d19ac6", + "uuid": "85a8f3c3-221a-45ec-8b6e-cb01e111680d", "metadata": { "title": "Australian Government Information Security Manual profile for PROTECTED", - "last-modified": "2021-11-04T01:20:09.951+00:00", + "last-modified": "2022-04-28T11:43:22.306863+10:00", "version": "September_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
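Review bot: the remarks string carried through this hunk unchanged still reads "This content was generated using scrips/ISM/ISM.py", a typo for scripts; since the profile is generated, fix it in the generator so every profile picks up the correction on the next run. Two smaller points on the same hunk: the uuid is regenerated on every run (f4f1cf21-... to 85a8f3c3-...), so identical content would still produce a different document uuid each time, and last-modified switches from a UTC millisecond timestamp (2021-11-04T01:20:09.951+00:00) to a local +10:00 offset with microseconds (2022-04-28T11:43:22.306863+10:00). Deriving the uuid deterministically from the content, or changing it only when with-ids or metadata change, and writing last-modified in UTC would make regenerated output reproducible and keep these diffs to the lines that matter.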
@@ -14,188 +14,270 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1687", - "control-1688", - "control-1689", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1643", - "control-1690", - "control-1691", - "control-1692", - "control-1693", - "control-1694", - "control-1695", - "control-1696", - "control-1697", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-1698", - "control-1699", - "control-1700", - "control-1701", - "control-1702", - "control-1703", - "control-1704", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1705", - "control-1706", - "control-1707", - "control-1708", - "control-1515", - "control-1528", - "control-0639", - "control-1194", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0643", - "control-1157", - "control-1158", - "control-0648", - "control-0659", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-1293", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - "control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-0591", - "control-1480", - "control-0593", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + 
"control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-0164", + "control-1533", + "control-1195", + "control-1400", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-1202", + "control-1196", + "control-1200", + "control-1198", + "control-1199", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0874", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1644", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1437", - "control-1578", - "control-1579", - "control-1580", - "control-1441", - "control-1581", - "control-1438", - "control-1439", - "control-1431", - "control-1458", - "control-1432", - "control-1435", - "control-1436", - "control-1518", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1709", - "control-1710", - "control-1319", - "control-1320", - "control-1332", - "control-1321", - "control-1711", - "control-1322", - 
"control-1324", - "control-1323", - "control-1327", - "control-1330", - "control-1712", - "control-1454", - "control-1334", - "control-1335", - "control-1338", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", + "control-0248", + "control-0932", + "control-0246", + "control-0250", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-1645", + "control-1646", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-0189", + "control-1114", + "control-1130", + "control-1164", + "control-1115", + "control-1104", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-0100", + "control-1637", + "control-1638", + "control-1570", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1486", + "control-1485", + "control-1666", + "control-1667", + 
"control-1668", + "control-1669", + "control-1542", + "control-1670", + "control-1412", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1671", + "control-1488", + "control-1672", + "control-1673", + "control-1674", + "control-1487", + "control-1675", + "control-1676", + "control-1489", + "control-1677", + "control-1678", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1654", + "control-1655", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-1656", + "control-1657", + "control-1658", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-1659", + "control-0846", + "control-1660", + "control-1661", + "control-1662", + "control-0957", + "control-1663", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1664", + "control-1665", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1390", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1679", + "control-1680", + "control-1681", + "control-1505", + "control-1401", + "control-1682", + "control-1559", + "control-1357", + "control-1683", + "control-1684", + "control-0417", + "control-0421", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-1685", + "control-0418", + "control-1597", + "control-1402", + "control-1686", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", 
"control-0400", "control-1419", "control-1420", 
@@ -204,103 +286,218 @@ "control-0401", "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0236", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", - "control-1139", - "control-1369", - "control-1370", - "control-1372", - "control-1448", - "control-1373", - "control-1374", - "control-1375", - "control-1553", - "control-1453", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + 
"control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + "control-0120", + "control-1437", + "control-1578", + "control-1579", + "control-1580", + "control-1441", + "control-1581", + "control-1438", + "control-1439", + "control-1431", + "control-1458", + "control-1432", + "control-1435", + "control-1436", + "control-1518", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1709", + "control-1710", + "control-1319", + "control-1320", + "control-1332", + "control-1321", + "control-1711", + "control-1322", + "control-1324", + "control-1323", + "control-1327", + "control-1330", + "control-1712", + "control-1454", + "control-1334", + "control-1335", + "control-1338", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0657", + "control-1187", + "control-1586", + "control-1294", + "control-0313", + "control-1550", + 
"control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0336", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-1641", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0840", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-1713", + "control-0323", + "control-0325", + "control-0330", + "control-0831", + "control-1059", + "control-0332", + "control-1600", + "control-1642", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0347", + "control-0947", + "control-0348", + "control-0351", + "control-1065", + "control-0354", + "control-1067", + "control-0357", + "control-0836", + "control-0359", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", "control-0471", "control-0994", "control-0472", 
@@ -314,24 +511,27 @@ "control-0477", "control-0479", "control-0480", + "control-0490", + "control-1139", + "control-1369", + "control-1370", + "control-1372", + "control-1448", + "control-1373", + "control-1374", + "control-1375", + "control-1553", + "control-1453", "control-0501", "control-0142", "control-1091", "control-0505", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0481", - "control-0490", "control-0457", "control-0459", "control-0455", "control-0462", "control-0465", + "control-0481", "control-0494", "control-0496", "control-1233", @@ -341,15 +541,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -389,362 +580,171 @@ "control-1613", "control-1614", "control-1615", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1679", - "control-1680", - "control-1681", - "control-1505", - "control-1401", - "control-1682", - "control-1559", - "control-1357", - "control-1683", - "control-1684", - "control-0417", - "control-0421", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-1685", - "control-0418", - "control-1597", - "control-1402", - "control-1686", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1654", - "control-1655", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-1656", - "control-1657", - "control-1658", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-1659", - "control-0846", - "control-1660", - "control-1661", - "control-1662", - "control-0957", - "control-1663", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1664", - "control-1665", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1390", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1486", - "control-1485", - "control-1666", - "control-1667", - "control-1668", - "control-1669", - "control-1542", - "control-1670", - "control-1412", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1671", - "control-1488", - "control-1672", - "control-1673", - "control-1674", - 
"control-1487", - "control-1675", - "control-1676", - "control-1489", - "control-1677", - "control-1678", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1644", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-1400", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-1202", - "control-1196", - "control-1200", - "control-1198", - "control-1199", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0874", - "control-0705", - "control-0181", - "control-1111", - "control-0211", - "control-0208", - "control-1645", - "control-1646", - "control-0206", - "control-1096", - "control-1639", - "control-1640", - "control-0926", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-0189", - "control-1114", - "control-1130", - "control-1164", - "control-1115", - "control-1104", - "control-1105", - "control-1095", - "control-1107", - "control-1109", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-0213", - "control-1116", - "control-0216", - "control-0217", - "control-0248", - "control-0932", - 
"control-0246", - "control-0250", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0336", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0161", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-0164", - "control-0663", - "control-0661", - "control-0657", - "control-1187", - "control-1586", - "control-1294", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-1641", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0840", - "control-0839", - "control-1549", - "control-1359", - "control-1713", - "control-0323", - "control-0325", - "control-0330", - "control-0831", - "control-1059", - "control-0332", - "control-1600", - "control-1642", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0351", - "control-1065", - "control-0354", - "control-1067", - "control-0357", - "control-0836", - "control-0359", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - 
"control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-0100", - "control-1637", - "control-1638", - "control-1570", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0643", + "control-1157", + "control-1158", + "control-0648", + "control-0659", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-1293", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-0591", + "control-1480", + "control-0593", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + 
"control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0236", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1705", + "control-1706", + "control-1707", + "control-1708", + "control-1515", + "control-1211", + "control-0042", + "control-1380", + "control-1687", + "control-1688", + "control-1689", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1643", + "control-1690", + "control-1691", + "control-1692", + "control-1693", + "control-1694", + "control-1695", + "control-1696", + "control-1697", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-1698", + "control-1699", + "control-1700", + "control-1701", + "control-1702", + "control-1703", + "control-1704", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/profiles/ISM_September_2021_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_September_2021_SECRET/profile.json index 8a0181f..38ef5df 100644 --- a/ISM_catalog_profile/profiles/ISM_September_2021_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_September_2021_SECRET/profile.json 
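Review bot: The `@@ -389,362 +580,171 @@` hunk of the preceding profile deletes roughly 360 `with-ids` entries and re-adds about 170, and within the visible part of the diff several of the removed IDs (`control-0161`, `control-0810`, `control-1053`, `control-0164`, `control-1082`, `control-1083`) have no matching `+` line, so the diff alone cannot show whether this classification's control set changed or was only reordered. Please either have `ISM.py` write `with-ids` in a deterministic order (catalog order or sorted) so that regeneration diffs contain only real membership changes, or attach to the PR the result of comparing the old and new `with-ids` arrays as sets.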
@@ -1,9 +1,9 @@ { "profile": { - "uuid": "fcf820b1-d91f-4b3d-8c4f-87fb30313396", + "uuid": "49ab41e3-fe6c-49d0-a002-a3698494bed9", "metadata": { "title": "Australian Government Information Security Manual profile for SECRET", - "last-modified": "2021-11-04T01:20:09.955+00:00", + "last-modified": "2022-04-28T11:43:22.312854+10:00", "version": "September_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
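Review bot: `last-modified` switches from UTC (`2021-11-04T01:20:09.955+00:00`) to a local offset with microsecond precision (`2022-04-28T11:43:22.312854+10:00`), which makes the generated metadata depend on the machine that ran the script and guarantees churn on every regeneration; emit the timestamp in UTC at a fixed precision, and consider regenerating `uuid` only when the profile content actually changes rather than on every run. The unchanged `remarks` line also reads `scrips/ISM/ISM.py`; if the generator lives under `scripts/`, fix that typo at its source so it stops propagating into every profile.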
@@ -14,191 +14,273 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1687", - "control-1688", - "control-1689", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1643", - "control-1690", - "control-1691", - "control-1692", - "control-1693", - "control-1694", - "control-1695", - "control-1696", - "control-1697", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-1698", - "control-1699", - "control-1700", - "control-1701", - "control-1702", - "control-1703", - "control-1704", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1705", - "control-1706", - "control-1707", - "control-1708", - "control-1515", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - 
"control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-1543", + "control-0225", + "control-0829", + "control-0164", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-1644", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1709", - "control-1710", - "control-1319", - "control-1320", - 
"control-1332", - "control-1321", - "control-1711", - "control-1322", - "control-1324", - "control-1323", - "control-1327", - "control-1330", - "control-1712", - "control-1454", - "control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", + "control-0247", + "control-0248", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-1645", + "control-1646", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1216", + "control-1112", + "control-1118", + "control-1119", + "control-1126", + "control-0184", + "control-0187", + "control-0189", + "control-1114", + "control-1130", + "control-1164", + "control-1115", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-1102", + "control-1101", + "control-1103", + "control-1098", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + "control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + 
"control-1467", + "control-1483", + "control-1486", + "control-1485", + "control-1666", + "control-1667", + "control-1668", + "control-1669", + "control-1542", + "control-1670", + "control-1412", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1671", + "control-1488", + "control-1672", + "control-1673", + "control-1674", + "control-1487", + "control-1675", + "control-1676", + "control-1489", + "control-1677", + "control-1678", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1654", + "control-1655", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-1656", + "control-1657", + "control-1658", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-1659", + "control-0846", + "control-1660", + "control-1661", + "control-1662", + "control-0957", + "control-1663", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1664", + "control-1665", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1679", + "control-1680", + "control-1681", + "control-1505", + "control-1401", + "control-1682", + "control-1560", + "control-1357", + "control-1683", + "control-1684", + "control-0417", + "control-1557", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-1685", + "control-0418", + "control-1597", + "control-1402", + "control-1686", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + 
"control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", "control-0400", "control-1419", "control-1420", 
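Review bot: In the `@@ -14,191 +14,273 @@` hunk every removed ID (for example `control-0042`, `control-0300`, `control-0641`, `control-1314`, `control-0546`) reappears as a `+` line in a later hunk of the same file, and the five hunk headers for this file net to zero lines (+82, +124, -10, -9, -187), so this reads as a pure permutation of the `with-ids` array rather than a content change. If that is the intent, state it in the commit message and include the evidence (the sorted old and new `with-ids` arrays compared for equality) in the PR description; "demos work with trestle 1.0.x" does not tell a reader why the ordering moved.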
@@ -207,94 +289,218 @@ "control-0401", "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-0559", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0931", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + 
"control-1625", + "control-1626", + "control-0120", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1709", + "control-1710", + "control-1319", + "control-1320", + "control-1332", + "control-1321", + "control-1711", + "control-1322", + "control-1324", + "control-1323", + "control-1327", + "control-1330", + "control-1712", + "control-1454", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + 
"control-1226", + "control-1079", + "control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0336", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-1641", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0840", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-1713", + "control-0323", + "control-0325", + "control-0330", + "control-0831", + "control-1059", + "control-0332", + "control-1600", + "control-1642", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", "control-1139", "control-1369", "control-1370", @@ -305,19 +511,9 @@ "control-1375", "control-1553", "control-1453", - "control-1232", - "control-1468", "control-0499", "control-0505", "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0490", "control-0460", "control-0461", "control-1080", 
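Review bot: The `@@ -305,19 +511,9 @@` hunk deletes `control-1232`, `control-1468`, `control-0490` and the `control-1506` to `control-0489` run, all of which are re-added as `+` lines just above in the `@@ -207,94 +289,218 @@` hunk; moving IDs across hunk boundaries like this is exactly where an accidental duplicate or dropped entry goes unnoticed in review. Have the generator dedupe `with-ids` before writing and run `trestle validate` over the regenerated profiles in CI so a malformed or duplicated entry fails the build rather than landing silently.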
@@ -334,15 +530,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -390,374 +577,187 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1679", - "control-1680", - "control-1681", - "control-1505", - "control-1401", - "control-1682", - "control-1560", - "control-1357", - "control-1683", - "control-1684", - "control-0417", - "control-1557", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-1685", - "control-0418", - "control-1597", - "control-1402", - "control-1686", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1654", - "control-1655", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-1656", - "control-1657", - "control-1658", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-1659", - "control-0846", - "control-1660", - "control-1661", - "control-1662", - "control-0957", - "control-1663", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1664", - "control-1665", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1486", - "control-1485", - "control-1666", - "control-1667", - "control-1668", - "control-1669", - "control-1542", - "control-1670", - "control-1412", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1671", - "control-1488", - "control-1672", - "control-1673", - "control-1674", - "control-1487", - 
"control-1675", - "control-1676", - "control-1489", - "control-1677", - "control-1678", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-1644", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0181", - "control-1111", - "control-0211", - "control-0208", - "control-1645", - "control-1646", - "control-0206", - "control-1096", - "control-1639", - "control-1640", - "control-0926", - "control-1216", - "control-1112", - "control-1118", - "control-1119", - "control-1126", - "control-0184", - "control-0187", - "control-0189", - "control-1114", - "control-1130", - "control-1164", - "control-1115", - "control-1105", - "control-1095", - "control-1107", - "control-1109", - "control-1102", - "control-1101", - "control-1103", - "control-1098", - "control-0213", - "control-1116", - "control-0216", - "control-0217", - "control-0247", - "control-0248", - "control-0249", - "control-0246", - 
"control-0250", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0336", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0161", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-1543", - "control-0225", - "control-0829", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-1641", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0840", - "control-0839", - "control-1549", - "control-1359", - "control-1713", - "control-0323", - "control-0325", - "control-0330", - "control-0831", - "control-1059", - "control-0332", - "control-1600", - "control-1642", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - "control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - 
"control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-1637", - "control-1638", - "control-1570", - "control-1529", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + "control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + 
"control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-0559", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0931", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1705", + "control-1706", + "control-1707", + "control-1708", + "control-1515", + "control-1211", + "control-0042", + "control-1380", + "control-1687", + "control-1688", + "control-1689", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1643", + "control-1690", + "control-1691", + "control-1692", + "control-1693", + "control-1694", + "control-1695", + "control-1696", + "control-1697", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-1698", + "control-1699", + "control-1700", + "control-1701", + "control-1702", + "control-1703", + "control-1704", + "control-0304", + "control-1501" ] } ] 
diff --git a/ISM_catalog_profile/profiles/ISM_September_2021_TOP_SECRET/profile.json b/ISM_catalog_profile/profiles/ISM_September_2021_TOP_SECRET/profile.json index 703a6ad..fb11e49 100644 --- a/ISM_catalog_profile/profiles/ISM_September_2021_TOP_SECRET/profile.json +++ b/ISM_catalog_profile/profiles/ISM_September_2021_TOP_SECRET/profile.json @@ -1,9 +1,9 @@ { "profile": { - "uuid": "29d292ac-0d9c-444c-8001-f4fe0e7c2352", + "uuid": "9764a403-3924-4a00-afef-7117d226f48b", "metadata": { "title": "Australian Government Information Security Manual profile for TOP_SECRET", - "last-modified": "2021-11-04T01:20:09.960+00:00", + "last-modified": "2022-04-28T11:43:22.317841+10:00", "version": "September_2021", "oscal-version": "1.0.0", "remarks": "This is not an official version of the Australian Government Information Security Manual.\n\nFind the official versions here: https://www.cyber.gov.au/acsc/view-all-content/ism\nThis content was generated using scrips/ISM/ISM.py" 
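Review bot: the regenerated `last-modified` changes format as well as value, from UTC with millisecond precision (`2021-11-04T01:20:09.960+00:00`) to a local-offset timestamp with microseconds (`2022-04-28T11:43:22.317841+10:00`), and `uuid` is rotated on every regeneration, so each run of ISM.py will churn every profile even when no control content changed; normalising to UTC in the generator, and rewriting these two fields only when the rest of the document differs, would keep future diffs reviewable. The unchanged `remarks` context line also still reads `scrips/ISM/ISM.py` where it should say `scripts/ISM/ISM.py`.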
@@ -14,191 +14,280 @@ "include-controls": [ { "with-ids": [ - "control-0042", - "control-1380", - "control-1687", - "control-1688", - "control-1689", - "control-1381", - "control-1383", - "control-1385", - "control-1386", - "control-1387", - "control-1388", - "control-1211", - "control-1143", - "control-1493", - "control-1643", - "control-1690", - "control-1691", - "control-1692", - "control-1693", - "control-1694", - "control-1695", - "control-1696", - "control-1697", - "control-0300", - "control-0298", - "control-0303", - "control-1497", - "control-1498", - "control-1499", - "control-1500", - "control-1698", - "control-1699", - "control-1700", - "control-1701", - "control-1702", - "control-1703", - "control-1704", - "control-0304", - "control-1501", - "control-1510", - "control-1547", - "control-1548", - "control-1511", - "control-1705", - "control-1706", - "control-1707", - "control-1708", - "control-1515", - "control-1528", - "control-0639", - "control-1194", - "control-0641", - "control-0642", - "control-0628", - "control-1192", - "control-0631", - "control-1427", - "control-0634", - "control-0637", - "control-1037", - "control-0611", - "control-0612", - "control-1520", - "control-0613", - "control-0616", - "control-0629", - "control-0607", - "control-0619", - "control-0620", - "control-1039", - "control-0622", - "control-0645", - "control-1158", - "control-0646", - "control-0647", - "control-0648", - "control-0659", - "control-1524", - "control-0651", - "control-0652", - "control-1389", - "control-1284", - "control-1286", - "control-1287", - "control-1288", - "control-1289", - "control-1290", - "control-1291", - "control-0649", - "control-1292", - "control-0677", - "control-1293", - "control-0626", - "control-0597", - "control-0627", - "control-0635", - "control-1521", - "control-1522", - "control-0670", - "control-1523", - "control-0610", - "control-0963", - "control-0961", - "control-1237", - "control-0263", - "control-0996", - "control-0958", - 
"control-1170", - "control-0959", - "control-0960", - "control-1171", - "control-1236", - "control-0258", - "control-0260", - "control-0261", - "control-1480", - "control-1457", - "control-0593", - "control-0594", + "control-0580", + "control-1405", + "control-0988", + "control-0584", + "control-0582", + "control-1536", + "control-1537", + "control-0585", + "control-0586", + "control-0859", + "control-0991", + "control-0109", + "control-1228", + "control-0569", + "control-0571", + "control-0570", + "control-0567", + "control-0572", + "control-1589", + "control-0574", + "control-1183", + "control-1151", + "control-1152", + "control-0861", + "control-1026", + "control-1027", + "control-1540", + "control-1234", + "control-1502", + "control-1024", + "control-0264", + "control-0267", + "control-0270", + "control-0271", + "control-0272", + "control-1089", + "control-0565", + "control-1023", + "control-0269", + "control-0161", + "control-0810", + "control-1053", + "control-1530", + "control-0813", + "control-1074", + "control-0157", + "control-1296", + "control-1543", + "control-0225", + "control-0829", + "control-0164", + "control-1533", + "control-1195", + "control-0687", + "control-0694", + "control-1297", + "control-1482", + "control-0869", + "control-1085", + "control-0682", + "control-0863", + "control-0864", + "control-1365", + "control-1366", + "control-0705", + "control-1082", + "control-1083", + "control-0240", + "control-0866", + "control-1145", + "control-1644", + "control-0871", + "control-0870", + "control-1084", + "control-0701", + "control-0702", + "control-1298", + "control-1554", + "control-1555", + "control-1299", + "control-1088", + "control-1300", + "control-1556", "control-0280", "control-0285", "control-0286", "control-0289", "control-0290", "control-0292", - "control-1314", - "control-0536", - "control-1315", - "control-1316", - "control-1317", - "control-1318", - "control-1709", - "control-1710", - "control-1319", - "control-1320", - 
"control-1332", - "control-1321", - "control-1711", - "control-1322", - "control-1324", - "control-1323", - "control-1327", - "control-1330", - "control-1712", - "control-1454", - "control-1334", - "control-1335", - "control-1338", - "control-1013", - "control-0516", - "control-0518", - "control-1178", - "control-1181", - "control-1577", - "control-1532", - "control-0529", - "control-1364", - "control-0535", - "control-0530", - "control-0521", - "control-1186", - "control-1428", - "control-1429", - "control-1430", - "control-0520", - "control-1182", - "control-1301", - "control-1304", - "control-0534", - "control-0385", - "control-1479", - "control-1006", - "control-1311", - "control-1312", - "control-1028", - "control-1030", - "control-1185", - "control-1627", - "control-1628", - "control-1239", - "control-1552", - "control-1240", - "control-1241", - "control-1424", - "control-0971", + "control-0247", + "control-1137", + "control-0249", + "control-0246", + "control-0250", + "control-0181", + "control-1111", + "control-0211", + "control-0208", + "control-1645", + "control-1646", + "control-0206", + "control-1096", + "control-1639", + "control-1640", + "control-0926", + "control-1216", + "control-1112", + "control-1119", + "control-0184", + "control-0187", + "control-0189", + "control-1114", + "control-1130", + "control-1164", + "control-0195", + "control-0194", + "control-0201", + "control-1115", + "control-1133", + "control-1122", + "control-1134", + "control-1105", + "control-1095", + "control-1107", + "control-1109", + "control-0218", + "control-1101", + "control-1103", + "control-1100", + "control-0213", + "control-1116", + "control-0216", + "control-0217", + "control-0198", + "control-1123", + "control-1135", + "control-1631", + "control-1452", + "control-1567", + "control-1568", + "control-1632", + "control-1569", + "control-1637", + "control-1638", + "control-1570", + "control-1529", + "control-1395", + "control-0072", + "control-1571", + "control-1451", + 
"control-1572", + "control-1573", + "control-1574", + "control-1575", + "control-1073", + "control-1576", + "control-0938", + "control-1467", + "control-1483", + "control-1486", + "control-1485", + "control-1666", + "control-1667", + "control-1668", + "control-1669", + "control-1542", + "control-1670", + "control-1412", + "control-1470", + "control-1235", + "control-1601", + "control-1585", + "control-1671", + "control-1488", + "control-1672", + "control-1673", + "control-1674", + "control-1487", + "control-1675", + "control-1676", + "control-1489", + "control-1677", + "control-1678", + "control-1406", + "control-1608", + "control-1588", + "control-1407", + "control-1408", + "control-1409", + "control-0383", + "control-0380", + "control-1654", + "control-1655", + "control-1584", + "control-1491", + "control-1410", + "control-1469", + "control-1592", + "control-0382", + "control-0843", + "control-1490", + "control-1656", + "control-1657", + "control-1658", + "control-0955", + "control-1582", + "control-1471", + "control-1392", + "control-1544", + "control-1659", + "control-0846", + "control-1660", + "control-1661", + "control-1662", + "control-0957", + "control-1663", + "control-1492", + "control-1621", + "control-1622", + "control-1623", + "control-1624", + "control-1664", + "control-1665", + "control-1341", + "control-1034", + "control-1416", + "control-1417", + "control-1418", + "control-0345", + "control-1546", + "control-0974", + "control-1173", + "control-1504", + "control-1679", + "control-1680", + "control-1681", + "control-1505", + "control-1401", + "control-1682", + "control-1561", + "control-1357", + "control-1683", + "control-1684", + "control-0417", + "control-0422", + "control-1558", + "control-1596", + "control-1227", + "control-1593", + "control-1594", + "control-1595", + "control-1619", + "control-1403", + "control-0431", + "control-0976", + "control-1603", + "control-1055", + "control-1620", + "control-1685", + "control-0418", + "control-1597", + 
"control-1402", + "control-1686", + "control-1590", + "control-0853", + "control-0428", + "control-0408", + "control-0979", + "control-1460", + "control-1604", + "control-1605", + "control-1606", + "control-1607", + "control-1461", "control-0400", "control-1419", "control-1420", 
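Review bot: this hunk is essentially a reordering of `with-ids` rather than a change in which controls the TOP_SECRET profile includes (ids removed at the top here, such as `control-0042` and `control-1380`, reappear as additions near the end of the same file), so the diff cannot show whether the set of included controls is actually unchanged. Either have ISM.py emit `with-ids` in a stable order (sorted, or the source document's order) so regenerations produce minimal diffs, or add a check that compares old and new id sets before regenerated profiles are committed.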
@@ -207,92 +296,218 @@ "control-0401", "control-0402", "control-1616", - "control-1562", - "control-0546", - "control-0547", - "control-0548", - "control-0554", - "control-0553", - "control-0555", - "control-0551", - "control-1014", - "control-0549", - "control-0556", - "control-1015", - "control-0558", - "control-1450", - "control-1019", - "control-1078", - "control-0229", - "control-0230", - "control-0231", - "control-0232", - "control-0233", - "control-0235", - "control-0237", - "control-0588", - "control-1092", - "control-0241", - "control-1075", - "control-0590", - "control-0245", - "control-0589", - "control-1036", - "control-1425", - "control-1269", - "control-1277", - "control-1270", - "control-1271", - "control-1272", - "control-1273", - "control-1245", - "control-1246", - "control-1247", - "control-1249", - "control-1250", - "control-1251", - "control-1260", - "control-1262", - "control-1261", - "control-1263", - "control-1264", - "control-1243", - "control-1256", - "control-1252", - "control-0393", - "control-1255", - "control-1268", - "control-1258", - "control-1274", - "control-1275", - "control-1276", - "control-1278", - "control-0264", - "control-0267", - "control-0270", - "control-0271", - "control-0272", - "control-1089", - "control-0565", - "control-1023", - "control-0269", - "control-0569", - "control-0571", - "control-0570", - "control-0567", - "control-0572", - "control-1589", - "control-0574", - "control-1183", - "control-1151", - "control-1152", - "control-0861", - "control-1026", - "control-1027", - "control-1540", - "control-1234", - "control-1502", - "control-1024", + "control-1239", + "control-1552", + "control-1240", + "control-1241", + "control-1424", + "control-0971", + "control-0123", + "control-0141", + "control-1433", + "control-1434", + "control-0140", + "control-0125", + "control-0133", + "control-0917", + "control-0137", + "control-1609", + "control-1213", + "control-0138", + "control-0576", + "control-1625", + "control-1626", + 
"control-0120", + "control-1314", + "control-0536", + "control-1315", + "control-1316", + "control-1317", + "control-1318", + "control-1709", + "control-1710", + "control-1319", + "control-1320", + "control-1332", + "control-1321", + "control-1711", + "control-1322", + "control-1324", + "control-1323", + "control-1327", + "control-1330", + "control-1712", + "control-1454", + "control-1334", + "control-1335", + "control-1338", + "control-1013", + "control-0516", + "control-0518", + "control-1178", + "control-1181", + "control-1577", + "control-1532", + "control-0529", + "control-1364", + "control-0535", + "control-0530", + "control-0521", + "control-1186", + "control-1428", + "control-1429", + "control-1430", + "control-0520", + "control-1182", + "control-1301", + "control-1304", + "control-0534", + "control-0385", + "control-1479", + "control-1006", + "control-1311", + "control-1312", + "control-1028", + "control-1030", + "control-1185", + "control-1627", + "control-1628", + "control-1071", + "control-1525", + "control-1633", + "control-1634", + "control-1635", + "control-1636", + "control-0027", + "control-1526", + "control-1587", + "control-0714", + "control-1478", + "control-1617", + "control-0724", + "control-0725", + "control-0726", + "control-0718", + "control-0733", + "control-1618", + "control-0734", + "control-0720", + "control-0731", + "control-0732", + "control-0717", + "control-0735", + "control-0663", + "control-0661", + "control-0665", + "control-0664", + "control-0675", + "control-0658", + "control-0669", + "control-1535", + "control-0678", + "control-1586", + "control-0660", + "control-0313", + "control-1550", + "control-0311", + "control-1217", + "control-0316", + "control-0315", + "control-0321", + "control-1218", + "control-0312", + "control-0317", + "control-1219", + "control-1220", + "control-1221", + "control-0318", + "control-1534", + "control-1076", + "control-1222", + "control-1223", + "control-1225", + "control-1226", + "control-1079", + 
"control-0305", + "control-0307", + "control-0306", + "control-0310", + "control-0944", + "control-1598", + "control-1551", + "control-0336", + "control-0293", + "control-0294", + "control-0296", + "control-1599", + "control-0039", + "control-0047", + "control-0888", + "control-1602", + "control-0041", + "control-0043", + "control-1163", + "control-1563", + "control-1564", + "control-0363", + "control-0350", + "control-1361", + "control-1160", + "control-1517", + "control-0366", + "control-0368", + "control-0361", + "control-0838", + "control-0362", + "control-1641", + "control-0370", + "control-0371", + "control-0372", + "control-0373", + "control-0839", + "control-0374", + "control-0375", + "control-0378", + "control-1549", + "control-1359", + "control-1713", + "control-0323", + "control-0325", + "control-0330", + "control-0831", + "control-1059", + "control-0332", + "control-1600", + "control-1642", + "control-0337", + "control-0341", + "control-0342", + "control-0343", + "control-0347", + "control-0947", + "control-0348", + "control-0352", + "control-0835", + "control-1065", + "control-0354", + "control-1067", + "control-0356", + "control-0357", + "control-0836", + "control-0358", + "control-0359", + "control-0360", + "control-1464", + "control-1506", + "control-0484", + "control-0485", + "control-1449", + "control-0487", + "control-0488", + "control-0489", + "control-1232", + "control-1468", + "control-0490", "control-1139", "control-1369", "control-1370", @@ -303,19 +518,9 @@ "control-1375", "control-1553", "control-1453", - "control-1232", - "control-1468", "control-0499", "control-0505", "control-0506", - "control-1506", - "control-0484", - "control-0485", - "control-1449", - "control-0487", - "control-0488", - "control-0489", - "control-0490", "control-0460", "control-0461", "control-1080", 
@@ -332,15 +537,6 @@ "control-0999", "control-1000", "control-1001", - "control-0041", - "control-0043", - "control-1163", - "control-1563", - "control-1564", - "control-0039", - "control-0047", - "control-0888", - "control-1602", "control-0252", "control-1565", "control-0817", 
@@ -388,381 +584,185 @@ "control-1615", "control-0078", "control-0854", - "control-1546", - "control-0974", - "control-1173", - "control-1504", - "control-1679", - "control-1680", - "control-1681", - "control-1505", - "control-1401", - "control-1682", - "control-1561", - "control-1357", - "control-1683", - "control-1684", - "control-0417", - "control-0422", - "control-1558", - "control-1596", - "control-1227", - "control-1593", - "control-1594", - "control-1595", - "control-1619", - "control-1403", - "control-0431", - "control-0976", - "control-1603", - "control-1055", - "control-1620", - "control-1685", - "control-0418", - "control-1597", - "control-1402", - "control-1686", - "control-1590", - "control-0853", - "control-0428", - "control-0408", - "control-0979", - "control-1406", - "control-1608", - "control-1588", - "control-1407", - "control-1408", - "control-1409", - "control-0383", - "control-0380", - "control-1654", - "control-1655", - "control-1584", - "control-1491", - "control-1410", - "control-1469", - "control-1592", - "control-0382", - "control-0843", - "control-1490", - "control-1656", - "control-1657", - "control-1658", - "control-0955", - "control-1582", - "control-1471", - "control-1392", - "control-1544", - "control-1659", - "control-0846", - "control-1660", - "control-1661", - "control-1662", - "control-0957", - "control-1663", - "control-1492", - "control-1621", - "control-1622", - "control-1623", - "control-1624", - "control-1664", - "control-1665", - "control-1341", - "control-1034", - "control-1416", - "control-1417", - "control-1418", - "control-0345", - "control-0938", - "control-1467", - "control-1483", - "control-1486", - "control-1485", - "control-1666", - "control-1667", - "control-1668", - "control-1669", - "control-1542", - "control-1670", - "control-1412", - "control-1470", - "control-1235", - "control-1601", - "control-1585", - "control-1671", - "control-1488", - "control-1672", - "control-1673", - "control-1674", - "control-1487", - 
"control-1675", - "control-1676", - "control-1489", - "control-1677", - "control-1678", - "control-1460", - "control-1604", - "control-1605", - "control-1606", - "control-1607", - "control-1461", - "control-0580", - "control-1405", - "control-0988", - "control-0584", - "control-0582", - "control-1536", - "control-1537", - "control-0585", - "control-0586", - "control-0859", - "control-0991", - "control-0109", - "control-1228", - "control-0123", - "control-0141", - "control-1433", - "control-1434", - "control-0140", - "control-0125", - "control-0133", - "control-0917", - "control-0137", - "control-1609", - "control-1213", - "control-0138", - "control-0576", - "control-1625", - "control-1626", - "control-0120", - "control-1082", - "control-1083", - "control-0240", - "control-0866", - "control-1145", - "control-1644", - "control-0871", - "control-0870", - "control-1084", - "control-0701", - "control-0702", - "control-1298", - "control-1554", - "control-1555", - "control-1299", - "control-1088", - "control-1300", - "control-1556", - "control-1533", - "control-1195", - "control-0687", - "control-0694", - "control-1297", - "control-1482", - "control-0869", - "control-1085", - "control-0682", - "control-0863", - "control-0864", - "control-1365", - "control-1366", - "control-0705", - "control-0181", - "control-1111", - "control-0211", - "control-0208", - "control-1645", - "control-1646", - "control-0206", - "control-1096", - "control-1639", - "control-1640", - "control-0926", - "control-1216", - "control-1112", - "control-1119", - "control-0184", - "control-0187", - "control-0189", - "control-1114", - "control-1130", - "control-1164", - "control-0195", - "control-0194", - "control-0201", - "control-1115", - "control-1133", - "control-1122", - "control-1134", - "control-1105", - "control-1095", - "control-1107", - "control-1109", - "control-0218", - "control-1101", - "control-1103", - "control-1100", - "control-0213", - "control-1116", - "control-0216", - "control-0217", - 
"control-0198", - "control-1123", - "control-1135", - "control-0247", - "control-1137", - "control-0249", - "control-0246", - "control-0250", - "control-0313", - "control-1550", - "control-0311", - "control-1217", - "control-0316", - "control-0315", - "control-0321", - "control-1218", - "control-0312", - "control-0317", - "control-1219", - "control-1220", - "control-1221", - "control-0318", - "control-1534", - "control-1076", - "control-1222", - "control-1223", - "control-1225", - "control-1226", - "control-1079", - "control-0305", - "control-0307", - "control-0306", - "control-0310", - "control-0944", - "control-1598", - "control-1551", - "control-0336", - "control-0293", - "control-0294", - "control-0296", - "control-1599", - "control-0161", - "control-0810", - "control-1053", - "control-1530", - "control-0813", - "control-1074", - "control-0157", - "control-1296", - "control-1543", - "control-0225", - "control-0829", - "control-0164", - "control-0663", - "control-0661", - "control-0665", - "control-0664", - "control-0675", - "control-0658", - "control-0669", - "control-1535", - "control-0678", - "control-1586", - "control-0660", - "control-0363", - "control-0350", - "control-1361", - "control-1160", - "control-1517", - "control-0366", - "control-0368", - "control-0361", - "control-0838", - "control-0362", - "control-1641", - "control-0370", - "control-0371", - "control-0372", - "control-0373", - "control-0839", - "control-1549", - "control-1359", - "control-1713", - "control-0323", - "control-0325", - "control-0330", - "control-0831", - "control-1059", - "control-0332", - "control-1600", - "control-1642", - "control-0337", - "control-0341", - "control-0342", - "control-0343", - "control-0347", - "control-0947", - "control-0374", - "control-0375", - "control-0378", - "control-0348", - "control-0352", - "control-0835", - "control-1065", - "control-0354", - "control-1067", - "control-0356", - "control-0357", - "control-0836", - "control-0358", - "control-0359", - 
"control-0360", - "control-1464", - "control-0714", - "control-1478", - "control-1617", - "control-0724", - "control-0725", - "control-0726", - "control-0718", - "control-0733", - "control-1618", - "control-0734", - "control-0720", - "control-0731", - "control-0732", - "control-0717", - "control-0735", - "control-1071", - "control-1525", - "control-1633", - "control-1634", - "control-1635", - "control-1636", - "control-0027", - "control-1526", - "control-1587", - "control-1631", - "control-1452", - "control-1567", - "control-1568", - "control-1632", - "control-1569", - "control-1637", - "control-1638", - "control-1570", - "control-1529", - "control-1395", - "control-0072", - "control-1571", - "control-1451", - "control-1572", - "control-1573", - "control-1574", - "control-1575", - "control-1073", - "control-1576" + "control-1425", + "control-1269", + "control-1277", + "control-1270", + "control-1271", + "control-1272", + "control-1273", + "control-1243", + "control-1256", + "control-1252", + "control-0393", + "control-1255", + "control-1268", + "control-1258", + "control-1274", + "control-1275", + "control-1276", + "control-1278", + "control-1245", + "control-1246", + "control-1247", + "control-1249", + "control-1250", + "control-1251", + "control-1260", + "control-1262", + "control-1261", + "control-1263", + "control-1264", + "control-1528", + "control-0639", + "control-1194", + "control-0641", + "control-0642", + "control-0645", + "control-1158", + "control-0646", + "control-0647", + "control-0648", + "control-0659", + "control-1524", + "control-0651", + "control-0652", + "control-1389", + "control-1284", + "control-1286", + "control-1287", + "control-1288", + "control-1289", + "control-1290", + "control-1291", + "control-0649", + "control-1292", + "control-0677", + "control-1293", + "control-0626", + "control-0597", + "control-0627", + "control-0635", + "control-1521", + "control-1522", + "control-0670", + "control-1523", + "control-0610", + "control-0258", + 
"control-0260", + "control-0261", + "control-0963", + "control-0961", + "control-1237", + "control-0263", + "control-0996", + "control-0958", + "control-1170", + "control-0959", + "control-0960", + "control-1171", + "control-1236", + "control-1480", + "control-1457", + "control-0593", + "control-0594", + "control-0628", + "control-1192", + "control-0631", + "control-1427", + "control-0634", + "control-0637", + "control-1037", + "control-0611", + "control-0612", + "control-1520", + "control-0613", + "control-0616", + "control-0629", + "control-0607", + "control-0619", + "control-0620", + "control-1039", + "control-0622", + "control-1562", + "control-0546", + "control-0547", + "control-0548", + "control-0554", + "control-0553", + "control-0555", + "control-0551", + "control-1014", + "control-0549", + "control-0556", + "control-1015", + "control-0558", + "control-1450", + "control-1019", + "control-1078", + "control-0229", + "control-0230", + "control-0231", + "control-0232", + "control-0233", + "control-0235", + "control-0237", + "control-0588", + "control-1092", + "control-0241", + "control-1075", + "control-0590", + "control-0245", + "control-0589", + "control-1036", + "control-1510", + "control-1547", + "control-1548", + "control-1511", + "control-1705", + "control-1706", + "control-1707", + "control-1708", + "control-1515", + "control-1211", + "control-0042", + "control-1380", + "control-1687", + "control-1688", + "control-1689", + "control-1381", + "control-1383", + "control-1385", + "control-1386", + "control-1387", + "control-1388", + "control-1143", + "control-1493", + "control-1643", + "control-1690", + "control-1691", + "control-1692", + "control-1693", + "control-1694", + "control-1695", + "control-1696", + "control-1697", + "control-0300", + "control-0298", + "control-0303", + "control-1497", + "control-1498", + "control-1499", + "control-1500", + "control-1698", + "control-1699", + "control-1700", + "control-1701", + "control-1702", + "control-1703", + 
"control-1704", + "control-0304", + "control-1501" ] } ] diff --git a/ISM_catalog_profile/scripts/ISM/ISM.py b/ISM_catalog_profile/scripts/ISM/ISM.py index 4a914cd..310deeb 100755 --- a/ISM_catalog_profile/scripts/ISM/ISM.py +++ b/ISM_catalog_profile/scripts/ISM/ISM.py @@ -73,13 +73,18 @@ def __init__(self): def fetch_ism(self, url): """Fetch an Australian government ISM and covert to a dict.""" logger.debug('Fetching ISM from: ' + url) - request_url = urllib.request.urlopen(url) + try: + request_url = urllib.request.urlopen(url) + except Exception as e: + logger.error(f'Error fetching url {url}: {e}') + return 1 document = request_url.read() zipfile_content = zipfile.ZipFile(io.BytesIO(document)) content_list = zipfile_content.namelist() xml_files = [x for x in content_list if '.xml' in x] assert len(xml_files) == 1 self.ism_xml = xmltodict.parse(zipfile_content.open(xml_files[0]).read()) + return 0 def _populate_control_list(self, control, raw_id): """Populate control lists based on a dict from the xml version of the ISM.""" @@ -240,7 +245,8 @@ def _run(self, args): logger.info(ism_file) url = ism_file['version_url'] ism_manager = ISMManager() - ism_manager.fetch_ism(url) + if ism_manager.fetch_ism(url): + continue revision_date = ism_file['version_name'].split() revision_string = revision_date[0] + '_' + revision_date[1] logger.info(f'Revision date: {revision_date}') diff --git a/ISM_catalog_profile/scripts/ISM/README.md b/ISM_catalog_profile/scripts/ISM/README.md index a2e1117..c648359 100644 --- a/ISM_catalog_profile/scripts/ISM/README.md +++ b/ISM_catalog_profile/scripts/ISM/README.md @@ -7,3 +7,5 @@ This demo is not official and has not been endorsed in any way by the Australian ## Running this demo - From the root directory of the repository run `python scripts/ISM/ISM.py` + +- This demo relies on trestle version 1.0.x diff --git a/README.md b/README.md index 794b588..bbce0e9 100644 --- a/README.md +++ b/README.md 
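Review bot: in the `fetch_ism` hunk, failure is signalled by `return 1` against `return 0` on success, and the caller treats that integer as a boolean; returning `bool` or raising a specific exception would be clearer than C-style status codes in a method whose docstring promises a dict. The `try` also only wraps `urllib.request.urlopen(url)`: `request_url.read()`, `zipfile.ZipFile(io.BytesIO(document))` and `xmltodict.parse(...)` can still raise (a non-zip response gives `zipfile.BadZipFile`), and `assert len(xml_files) == 1` is stripped under `python -O`, so a zip with zero or several `.xml` members would pass silently; an explicit `if len(xml_files) != 1:` check with a logged error is safer. Catching bare `Exception` also masks programming errors; `urllib.error.URLError` covers the network failures this handler is meant for. The docstring typo `covert` should read `convert`.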
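Review bot: in the `_run` hunk, `if ism_manager.fetch_ism(url): continue` skips the ISM version with nothing beyond the `logger.error` inside `fetch_ism`, so a run that fails to download several versions still finishes normally and regenerates the remaining catalogs and profiles as if the set were complete. Consider counting failures in `_run` and returning a non-zero status (or raising) at the end, and logging the skipped `ism_file['version_name']` at this call site, since that value is only read after the fetch.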
@@ -2,6 +2,8 @@ This project captures a number of demos, and sample set of content for [compliance-trestle](https://ibm.github.io/compliance-trestle). Each of the folders in the top level of this project is a self contained demonstration. +These demos are designed to work with trestle version 1.0.x + ## Using / management of this repository This project follows the same methodologies as within the main trestle project in terms of [contributing and developer setup](https://ibm.github.io/compliance-trestle/contributing/mkdocs_contributing/). Please submit [issues here](https://github.com/IBM/compliance-trestle/issues/new/choose) relating to this project. diff --git a/ssp_author_demo/README.md b/ssp_author_demo/README.md index a3b5d1e..dde82eb 100644 --- a/ssp_author_demo/README.md +++ b/ssp_author_demo/README.md @@ -4,9 +4,10 @@ This demonstration of \[compliance-trestle\]((https://ibm.github.io/compliance-t The trestle project has been setup with a catalog and profile from NIST using 800-53. This was used to generate the markdown directory. -SSP generate is used to generate the markdown files based on the combination of a profile and a single catalog. [Multi-stage profile resolution](https://github.com/IBM/compliance-trestle/issues/648) is a work in progress. +SSP generate is used to generate the markdown files from a profile and its imported catalogs and profiles. Prompts are provided in the markdown for +each control where an implementation response is required, corresponding to parts in the control statement. -The pro +This demo requires trestle version 1.0.x ## Steps to recreate setup 
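Review bot: in the ssp_author_demo README hunk the rewritten sentence still calls the command `SSP generate`, while the steps below invoke it as `trestle author ssp-generate`; use the same name here. The unchanged context line above it carries a malformed link, `\[compliance-trestle\]((https://`, with escaped brackets and doubled parentheses, which could be fixed while this paragraph is being edited. Removing the dangling `The pro` sentence is a good cleanup.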
@@ -18,7 +19,7 @@ The pro - The catalog will be inserted within `./catalogs/800-53/` - The [NIST 800-53 LOW profile](https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline_profile.json) was imported with trestle import -f {path to profile} -o 800-53-low\` - The profiles will be inserted within `./profiles/800-53-low/` -- The profile is updated such that it refers to the catalog by the catalog name (e.g. `800-53.json`) [note see upcoming changes](https://github.com/IBM/compliance-trestle/issues/557) +- The profile is updated so the import href points within the trestle project to `trestle://catalogs/800-53/catalog.json` ### Inserting parameters @@ -36,10 +37,13 @@ Profiles from NIST do not insert parameter values by default so the profile need - `trestle author ssp-generate -p 800-53-low --output test_system -s 'guidance:Control Guidance'` - `--output` puts the markdown directory tree into `./test_system` - `-s` maps named parts names to sections in catalog to the markdown document -- Content is edited by end users (in this case ac-1 part a) +- Content for the implemented requirements can now be entered into the markdown for controls ### Creating the OSCAL catalog - Run - `trestle author ssp-assemble -m test_system -o acme-test-system` - The ssp will be generated in `./system-security-plans/acme-test-system` +- The generated json OSCAL document will be a valid system-security-plan with the implemented requirements incorporated for the controls. +- The requirements are provided "by componenent" and in this demo there is only one default component: "This System". In general + there can be more than one component. diff --git a/ssp_author_demo/profiles/800-53-low/profile.json b/ssp_author_demo/profiles/800-53-low/profile.json index 8922c3e..6d4abc6 100644 --- a/ssp_author_demo/profiles/800-53-low/profile.json +++ b/ssp_author_demo/profiles/800-53-low/profile.json 
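Review bot: in the `@@ -18,7 +19,7 @@` hunk the new href sentence is fine, but the adjacent context line `trestle import -f {path to profile} -o 800-53-low\`` has a stray escaped backtick that leaves the command unbalanced in rendered markdown; worth fixing alongside this change.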
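Review bot: in the `@@ -36,10 +37,13 @@` hunk the added line `The requirements are provided "by componenent"` misspells component; since the OSCAL field is `by-components`, writing it as `by-component` would also tie the sentence to the JSON the reader will see. The heading `### Creating the OSCAL catalog` under which `trestle author ssp-assemble` is run produces a system security plan, not a catalog, so it should be renamed while the section is being extended.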
@@ -56,7 +56,7 @@ }, "imports": [ { - "href": "800-53.json", + "href": "trestle://catalogs/800-53/catalog.json", "include-controls": [ { "with-ids": [ diff --git a/ssp_author_demo/system-security-plans/acme-test-system/system-security-plan.json b/ssp_author_demo/system-security-plans/acme-test-system/system-security-plan.json index aa5a7cc..d2b8d05 100644 --- a/ssp_author_demo/system-security-plans/acme-test-system/system-security-plan.json +++ b/ssp_author_demo/system-security-plans/acme-test-system/system-security-plan.json @@ -1,11 +1,11 @@ { "system-security-plan": { - "uuid": "200a9aaf-06f3-4885-a948-8b54f8dd1c0e", + "uuid": "f4337ba4-a060-49dd-a4d1-2b0cee331225", "metadata": { "title": "REPLACE_ME", - "last-modified": "2021-07-28T04:55:53.968+00:00", + "last-modified": "2022-04-28T12:26:33.922163+10:00", "version": "REPLACE_ME", - "oscal-version": "1.0.0" + "oscal-version": "1.0.2" }, "import-profile": { "href": "REPLACE_ME" @@ -51,15 +51,15 @@ "system-implementation": { "users": [ { - "uuid": "61456df7-f823-4f6b-9cdd-e151e74f4f14" + "uuid": "a2a57960-550c-4251-a8e7-cd5fbfdacc56" } ], "components": [ { - "uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", + "uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", "type": "REPLACE_ME", - "title": "REPLACE_ME", - "description": "Dummy component created by trestle", + "title": "This System", + "description": "REPLACE_ME", "status": { "state": "under-development" } 
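Review bot: in the `@@ -51,15 +51,15 @@` hunk the component `description` regresses from `"Dummy component created by trestle"` to `"REPLACE_ME"` while `"type": "REPLACE_ME"` is left as is, so the single component in the committed SSP now carries two placeholders where it had one; either keep the descriptive string or give "This System" a real type and description if the demo is meant to show finished output. In the `@@ -1,11 +1,11 @@` hunk the document `uuid` is regenerated (as are the user and component uuids in the later hunk) and `last-modified` now carries microseconds and a local `+10:00` offset, so every re-run of `ssp-assemble` rewrites the whole file and invalidates any external reference to the previous document uuid; if generated output is going to stay in the repo, regenerate it deliberately and prefer a UTC timestamp so the diffs are reviewable. The `oscal-version` bump from `1.0.0` to `1.0.2` is fine but belongs in the README next to the trestle 1.0.x requirement. For the `@@ -56,7 +56,7 @@` hunk in `profile.json`, `+"href": "trestle://catalogs/800-53/catalog.json"` only resolves inside a trestle workspace, so the README should warn that this profile is not consumable by other OSCAL tooling as committed.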
@@ -70,6307 +70,5459 @@ "description": "This is the control implementation for the system.", "implemented-requirements": [ { - "uuid": "da773b37-6f14-400b-a45f-4ed51f7eb8a5", - "control-id": "sc-13", + "uuid": "fd0487cb-e477-4564-98c4-8216c934c81f", + "control-id": "ac-1", "statements": [ { - "statement-id": "sc-13_smt.a", - "uuid": "9e421da9-d88f-462e-89f7-a2d32da614b0", + "statement-id": "ac-1_smt.a", + "uuid": "5d38c470-1a1b-4714-93a5-790ea52203d1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "1cf46c6e-8eb9-43c1-9ca6-41fa30b41418", - "description": "Add control implementation description here for statement sc-13_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "cc5d5cf8-fbe5-4e49-8256-e100915962d5", + "description": "Add control implementation description here for item ac-1_smt.a" } ] - } - ] - }, - { - "uuid": "832366b4-6f29-47d5-a4c1-003e13b4f157", - "control-id": "sc-13", - "statements": [ + }, { - "statement-id": "sc-13_smt.b", - "uuid": "0489eabb-7f0d-4c21-959b-a08e84221e0d", + "statement-id": "ac-1_smt.b", + "uuid": "7c707396-ab90-41e1-b7bd-d61958b9819b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f611d3d2-1251-40b4-bd18-4e0201c6f690", - "description": "Add control implementation description here for statement sc-13_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4429be0b-f302-428f-92ec-abeb2c6cbf04", + "description": "Add control implementation description here for item ac-1_smt.b" } ] - } - ] - }, - { - "uuid": "1d1e3aed-f0b3-4805-8e32-71919d44b989", - "control-id": "sc-5", - "statements": [ + }, { - "statement-id": "sc-5_smt.a", - "uuid": "2543d401-2440-4393-9b09-4fc6a5252aed", + "statement-id": "ac-1_smt.c", + "uuid": "219a3238-9a2b-4f10-8ab3-73b82b61cc32", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "9e18be64-3231-4491-9b29-f7d100b42c03", - 
"description": "Add control implementation description here for statement sc-5_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "186df6d1-4c95-4214-9fa6-7770f18c6e2a", + "description": "Add control implementation description here for item ac-1_smt.c" } ] } ] }, { - "uuid": "269b91fa-e2d9-49f6-966c-5f87f07bf413", - "control-id": "sc-5", + "uuid": "9b32e446-b641-4ff9-bffd-be69f5ffaa08", + "control-id": "ac-2", "statements": [ { - "statement-id": "sc-5_smt.b", - "uuid": "16a2690c-0503-4ce5-9ca7-020cc212cb54", + "statement-id": "ac-2_smt.a", + "uuid": "374be88c-f979-434a-b5c5-d6937f042738", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "d78ae697-6624-48ac-bc11-6e730f0c1776", - "description": "Add control implementation description here for statement sc-5_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "e821ae4f-b1df-4066-960c-a21ec45d3beb", + "description": "Add control implementation description here for item ac-2_smt.a" } ] - } - ] - }, - { - "uuid": "a3964e9c-d71a-476a-843d-1c2e6a45492a", - "control-id": "sc-1", - "statements": [ + }, { - "statement-id": "sc-1_smt.a", - "uuid": "07700094-bd2b-4b3a-826d-42aed4a5fde0", + "statement-id": "ac-2_smt.b", + "uuid": "4572c47b-9125-4c8a-8f1f-b67b10ff3ed1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "243e0bb0-e5ca-4168-a65e-b24c23d3a119", - "description": "Add control implementation description here for statement sc-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "12acffd9-9066-4628-ba1a-5c4bf48a5838", + "description": "Add control implementation description here for item ac-2_smt.b" } ] - } - ] - }, - { - "uuid": "23a1833a-0b0d-4478-8374-c7baff28a6b5", - "control-id": "sc-1", - "statements": [ + }, { - "statement-id": "sc-1_smt.b", - "uuid": "dbd0c2f0-ffe8-4d25-b9b3-99c87a57a062", + "statement-id": "ac-2_smt.c", + "uuid": 
"960919eb-1af9-4f19-b931-6b7f30204612", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "4bc769d5-efe5-4b98-babc-67c7938e18e0", - "description": "Add control implementation description here for statement sc-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "5e8ad8a7-6b20-4a16-b11d-43b8cb5f12f8", + "description": "Add control implementation description here for item ac-2_smt.c" } ] - } - ] - }, - { - "uuid": "d94a9eaf-d540-4ee0-bf47-ba1185ed8a6e", - "control-id": "sc-1", - "statements": [ + }, { - "statement-id": "sc-1_smt.c", - "uuid": "b45627df-ac9d-4df4-b74a-23efc225652c", + "statement-id": "ac-2_smt.d", + "uuid": "cb5fb121-72cc-4739-acc1-8ab34b4f3878", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "5972f04d-622c-4d50-9e15-d89266f785bb", - "description": "Add control implementation description here for statement sc-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c7cdf79e-5c80-4e5f-aee2-7a439cc0886b", + "description": "Add control implementation description here for item ac-2_smt.d" } ] - } - ] - }, - { - "uuid": "6d0e5009-017f-4cd2-ae97-53b7d5edf4e1", - "control-id": "sc-20", - "statements": [ + }, { - "statement-id": "sc-20_smt.a", - "uuid": "4c2b0bae-1099-44fb-b37a-deeeee415186", + "statement-id": "ac-2_smt.e", + "uuid": "a42f54bc-6221-4b93-96f0-f1bf2b09f616", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "ff7f0f52-f07d-4e1f-87d9-1ebf0e30ce3c", - "description": "Add control implementation description here for statement sc-20_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "43c77165-8f0b-4936-ab0c-fded3b9c87c0", + "description": "Add control implementation description here for item ac-2_smt.e" } ] - } - ] - }, - { - "uuid": "19e337aa-8a3a-44c4-8443-9f3a1acaacad", - "control-id": "sc-20", - "statements": [ + }, { - "statement-id": 
"sc-20_smt.b", - "uuid": "6446e3ca-1010-4c24-a75c-a713064b5616", + "statement-id": "ac-2_smt.f", + "uuid": "c0f54800-c49b-46df-a1d4-117f6037beca", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "79c104d4-b9ec-40a6-9c35-ee144b52d2ba", - "description": "Add control implementation description here for statement sc-20_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0ceba6da-f8c2-4106-9dec-328a21972240", + "description": "Add control implementation description here for item ac-2_smt.f" } ] - } - ] - }, - { - "uuid": "3be4a7ce-7926-429d-ac32-8c7419fcf03f", - "control-id": "sc-15", - "statements": [ + }, { - "statement-id": "sc-15_smt.a", - "uuid": "e90c31a1-9db1-46e7-8d5b-ddb4861d23c5", + "statement-id": "ac-2_smt.g", + "uuid": "3053cc78-ba8e-4ec5-8eef-69ca1e83a49a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "3b2d394c-1533-4725-9c28-b6969c39cdd7", - "description": "Add control implementation description here for statement sc-15_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "bc77f0f0-91a3-422e-957e-3153cd45acee", + "description": "Add control implementation description here for item ac-2_smt.g" } ] - } - ] - }, - { - "uuid": "e44fca6e-510f-4314-9add-fceff002120f", - "control-id": "sc-15", - "statements": [ + }, { - "statement-id": "sc-15_smt.b", - "uuid": "d155ffa6-e95f-49ae-9c76-ee3d756ddb5a", + "statement-id": "ac-2_smt.h", + "uuid": "022bd85a-121d-40c9-9a9d-636257865183", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "8d876aa9-116a-4578-9eee-2a0ab67f1122", - "description": "Add control implementation description here for statement sc-15_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "18af1c95-9b05-4cdb-a4cb-44cfcb0ba676", + "description": "Add control implementation description here for item ac-2_smt.h" } ] - } - ] - }, - { - "uuid": 
"cd634833-3d31-4732-b2e8-a9735f33feb1", - "control-id": "sc-7", - "statements": [ + }, { - "statement-id": "sc-7_smt.a", - "uuid": "a3fdb3ff-175b-430d-9711-7b13440b2be8", + "statement-id": "ac-2_smt.i", + "uuid": "42f0c9f1-dff0-478c-b9be-ce76966b8090", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "4f2d79e4-f13a-4da9-b42f-e288441cd361", - "description": "Add control implementation description here for statement sc-7_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "281e9ed2-1e81-4882-9db1-c8292233e679", + "description": "Add control implementation description here for item ac-2_smt.i" } ] - } - ] - }, - { - "uuid": "4f0383b4-31b6-4d20-be9b-e0645d372d45", - "control-id": "sc-7", - "statements": [ + }, { - "statement-id": "sc-7_smt.b", - "uuid": "5d4ee9fd-cf3d-4961-ad48-346b18397cbb", + "statement-id": "ac-2_smt.j", + "uuid": "93fd111f-2595-4ffc-bde5-d975483b02d8", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "5210f09c-c493-4ba3-bfc7-4ff4c76483ca", - "description": "Add control implementation description here for statement sc-7_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "608ee90a-1d33-44e8-b9ac-de18a2fe91a9", + "description": "Add control implementation description here for item ac-2_smt.j" } ] - } - ] - }, - { - "uuid": "ed2b7f23-d156-4d47-b013-4c7f58614149", - "control-id": "sc-7", - "statements": [ + }, { - "statement-id": "sc-7_smt.c", - "uuid": "821a7790-c6aa-4e58-8db0-45c003c74107", + "statement-id": "ac-2_smt.k", + "uuid": "a8b20cfe-bd52-4de4-aba1-aac299604c07", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "2d7ddebe-c05f-42e2-97ef-9aaf849886a6", - "description": "Add control implementation description here for statement sc-7_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4a3592de-90ad-4baf-9beb-d128351cbf5a", + "description": "Add 
control implementation description here for item ac-2_smt.k" } ] - } - ] - }, - { - "uuid": "a257f678-4b06-4ce2-bbd3-e650cf65b1a7", - "control-id": "pl-2", - "statements": [ + }, { - "statement-id": "pl-2_smt.a", - "uuid": "ae97ba83-cd85-4d57-97f9-1d643e14ec11", + "statement-id": "ac-2_smt.l", + "uuid": "54dbf934-5a2c-477a-bde0-24ee3f740f27", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b6ee1511-7b50-4832-8a41-967a79bf9b77", - "description": "Add control implementation description here for statement pl-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c6864a4e-f2d8-4af5-a5bc-2ea0c5a842b7", + "description": "Add control implementation description here for item ac-2_smt.l" } ] } ] }, { - "uuid": "21af46fd-17af-4f45-a742-b614b8c38c26", - "control-id": "pl-2", + "uuid": "59666390-6303-4372-b1a4-4761116eb93b", + "control-id": "ac-3", "statements": [ { - "statement-id": "pl-2_smt.b", - "uuid": "cf7c8ffc-dd8a-40e2-9004-c38e171889ac", + "statement-id": "ac-3_smt", + "uuid": "3422287c-ce1d-4afe-896e-2a37515f63cb", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "7d81a505-b74e-4bb4-92a4-d85505270345", - "description": "Add control implementation description here for statement pl-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c12e16e8-0564-4769-99fe-fd04413ceeca", + "description": "Add control implementation description here for control ac-3" } ] } ] }, { - "uuid": "772790f8-8346-492c-980f-691036c07733", - "control-id": "pl-2", + "uuid": "94459171-ac99-4a8e-a5dc-152a6305ec29", + "control-id": "ac-7", "statements": [ { - "statement-id": "pl-2_smt.c", - "uuid": "1deb614f-fd8f-4666-be69-0c7f4a9a6308", + "statement-id": "ac-7_smt.a", + "uuid": "3757cbe8-e5ab-45e0-9f63-e1bea3e7e367", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "deea1c5f-5897-41bf-97d2-4d7b2dea921d", - "description": 
"Add control implementation description here for statement pl-2_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "58a47c30-8544-4ff5-bd9f-6be6d1da92c1", + "description": "Add control implementation description here for item ac-7_smt.a" } ] - } - ] - }, - { - "uuid": "1fbb1a8e-080f-44f1-8783-bc34b34d0835", - "control-id": "pl-2", - "statements": [ + }, { - "statement-id": "pl-2_smt.d", - "uuid": "1f110215-e60b-4864-87de-ad572734a580", + "statement-id": "ac-7_smt.b", + "uuid": "c31e1995-0dbb-4d56-a43d-1565c53907c4", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "e95f01f0-acd4-4993-94b6-3b299232f3e9", - "description": "Add control implementation description here for statement pl-2_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "44b21980-6879-415b-9290-9bcfb4dd1511", + "description": "Add control implementation description here for item ac-7_smt.b" } ] } ] }, { - "uuid": "1d742686-2342-4bf4-9d64-d062b86298dc", - "control-id": "pl-2", + "uuid": "653a2eda-d25d-4065-9c60-63194cc05eee", + "control-id": "ac-8", "statements": [ { - "statement-id": "pl-2_smt.e", - "uuid": "dd2f13f6-2742-4ba2-a1cd-76e50b39947c", + "statement-id": "ac-8_smt.a", + "uuid": "248da9c9-9a23-4682-8d0e-11f7a6c4cfa8", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "83f0b915-440c-4d43-9b68-3678e9ed2dc3", - "description": "Add control implementation description here for statement pl-2_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "886d9d11-4638-499b-8e95-8d82ce839f68", + "description": "Add control implementation description here for item ac-8_smt.a" } ] - } - ] - }, - { - "uuid": "18cc3463-4520-40a1-a877-fd494171339c", - "control-id": "pl-4.1", - "statements": [ + }, { - "statement-id": "pl-4.1_smt.a", - "uuid": "61a04efa-adb4-4bca-9c00-097c81bfc903", + "statement-id": "ac-8_smt.b", + "uuid": 
"47bc59c7-b002-4c3f-bcb6-c1c3a3f4a3fd", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "931d93ba-9784-4af3-a487-37a206ab9a40", - "description": "Add control implementation description here for statement pl-4.1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "96ab5b6b-b0a3-43f9-93fc-f3c13cc18af0", + "description": "Add control implementation description here for item ac-8_smt.b" } ] - } - ] - }, - { - "uuid": "8debc398-c517-44bd-92b1-4734a5f387e4", - "control-id": "pl-4.1", - "statements": [ + }, { - "statement-id": "pl-4.1_smt.b", - "uuid": "e45ff096-21db-4e35-a494-41bf15139b97", + "statement-id": "ac-8_smt.c", + "uuid": "489424fb-47bd-425d-80cc-60e365ea5a37", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "21601aef-a3c0-4f4b-9c47-514c1ec83d9b", - "description": "Add control implementation description here for statement pl-4.1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "16336970-6e3b-4dec-b64a-9c6f73f23649", + "description": "Add control implementation description here for item ac-8_smt.c" } ] } ] }, { - "uuid": "9a2d8cc9-eb7f-48f3-86da-a4dfe32a1d9a", - "control-id": "pl-4.1", + "uuid": "4349a920-285a-4e8b-888c-ee3d297b324f", + "control-id": "ac-14", "statements": [ { - "statement-id": "pl-4.1_smt.c", - "uuid": "4bd18f9f-37d8-40ae-bb13-86cebcfbac80", + "statement-id": "ac-14_smt.a", + "uuid": "23e732a6-884c-49e7-9296-8ad84edefc40", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "3f65ce63-cdb1-4b45-9740-e666fd8c046f", - "description": "Add control implementation description here for statement pl-4.1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "51bac606-2de2-48cc-bb9a-db68a9040850", + "description": "Add control implementation description here for item ac-14_smt.a" } ] - } - ] - }, - { - "uuid": "7c1cdb7a-36e3-483d-9b36-39cc12e7fb57", - 
"control-id": "pl-1", - "statements": [ + }, { - "statement-id": "pl-1_smt.a", - "uuid": "9c556d81-abc6-41f9-9522-0f2f3d7581fc", + "statement-id": "ac-14_smt.b", + "uuid": "39806464-21cd-46f2-beb6-0c68fed8f76c", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "0769aac8-2cc1-436a-8501-434d1f1bb820", - "description": "Add control implementation description here for statement pl-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "dcc4a475-98bd-475a-9f06-b847d7acbf21", + "description": "Add control implementation description here for item ac-14_smt.b" } ] } ] }, { - "uuid": "b7fe9d05-0351-4363-9490-67fcae20e92d", - "control-id": "pl-1", + "uuid": "d622754b-ad69-4382-866e-caecc1efb4cb", + "control-id": "ac-17", "statements": [ { - "statement-id": "pl-1_smt.b", - "uuid": "58515155-9b9a-4acd-b842-f13043f85d42", + "statement-id": "ac-17_smt.a", + "uuid": "23b4fddc-7bd3-4d7d-beaa-55f0ef7c9973", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "663f999c-7dec-4599-9a2a-1632e81a4480", - "description": "Add control implementation description here for statement pl-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "6848fd22-3838-497d-948d-676f8f514d55", + "description": "Add control implementation description here for item ac-17_smt.a" } ] - } - ] - }, - { - "uuid": "43a0537c-f58e-4261-a34f-be168c1dc01d", - "control-id": "pl-1", - "statements": [ + }, { - "statement-id": "pl-1_smt.c", - "uuid": "eb965a63-c4b9-434a-8f39-b773fba89bd3", + "statement-id": "ac-17_smt.b", + "uuid": "38d54880-000c-4203-b5c8-e81756a596d5", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c186d531-2d3b-40f4-888f-1f0d4dbce0c7", - "description": "Add control implementation description here for statement pl-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "bb66593d-fdee-425c-b624-5f9608b20933", + 
"description": "Add control implementation description here for item ac-17_smt.b" } ] } ] }, { - "uuid": "a210a5fd-cdc6-4104-9ae8-54c197781c3b", - "control-id": "pl-4", + "uuid": "db5fb7dc-1ad5-40dc-a651-e8ee72eb2f4e", + "control-id": "ac-18", "statements": [ { - "statement-id": "pl-4_smt.a", - "uuid": "ca12707f-9c78-4c93-a42d-938e9706c56a", + "statement-id": "ac-18_smt.a", + "uuid": "4aa87a8f-2654-4ec2-84a8-bd5a0fbcb89d", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "420f05fc-2b52-46e8-9b46-9839be6bbd87", - "description": "Add control implementation description here for statement pl-4_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "2a0815b2-e161-40dc-8614-819c83c9edef", + "description": "Add control implementation description here for item ac-18_smt.a" } ] - } - ] - }, - { - "uuid": "0948e292-4aec-4684-8120-80d574fbb576", - "control-id": "pl-4", - "statements": [ + }, { - "statement-id": "pl-4_smt.b", - "uuid": "06b610a0-3205-4eb1-a723-9bce78ef82eb", + "statement-id": "ac-18_smt.b", + "uuid": "9fc87752-c324-4de0-989e-5b741e4f7d26", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c38d29b0-94c0-48ee-b6d0-550fc7a775e5", - "description": "Add control implementation description here for statement pl-4_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "e1b18452-a2a9-4f21-b11f-7e41db6cf406", + "description": "Add control implementation description here for item ac-18_smt.b" } ] } ] }, { - "uuid": "1465aedb-5e2e-4efe-970d-29ff69d2e33a", - "control-id": "pl-4", + "uuid": "3e0c71bb-0dd0-427d-a2ad-bd2523c6eb24", + "control-id": "ac-19", "statements": [ { - "statement-id": "pl-4_smt.c", - "uuid": "2a742a1a-3ff0-4cc4-a85a-df2ff74e7ef9", + "statement-id": "ac-19_smt.a", + "uuid": "17e03628-2e04-42b1-a4a8-45c0f910b564", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": 
"e867f09b-77a0-4f3d-8b26-c9685d3a25a5", - "description": "Add control implementation description here for statement pl-4_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c92bff8f-9793-428d-ac11-0218ca80c0ca", + "description": "Add control implementation description here for item ac-19_smt.a" } ] - } - ] - }, - { - "uuid": "d3cc932b-2cd0-41a3-a379-bcb1953e3122", - "control-id": "pl-4", - "statements": [ + }, { - "statement-id": "pl-4_smt.d", - "uuid": "82b3b84d-b3a5-4ad5-8c4d-24d0a2260ad5", + "statement-id": "ac-19_smt.b", + "uuid": "5a8d92cc-73e1-48a1-8cac-5f84f5b9a1ca", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "aa77bc31-c75c-49fe-a52c-f30b35aafe6b", - "description": "Add control implementation description here for statement pl-4_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "72539ca0-20d4-46b1-ae0a-e36611f30ab8", + "description": "Add control implementation description here for item ac-19_smt.b" } ] } ] }, { - "uuid": "d737825a-f91c-477e-9c73-284710683d78", - "control-id": "pe-14", + "uuid": "b91bbc8c-0655-4e62-8c66-3635588487fb", + "control-id": "ac-20", "statements": [ { - "statement-id": "pe-14_smt.a", - "uuid": "a7662bae-91de-4886-9c1f-bcf6024a5557", + "statement-id": "ac-20_smt.a", + "uuid": "b66f2fbd-5774-45b9-a79f-b84a69c395d1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "bf913d01-85c8-4228-98bc-6bc5867f6bcd", - "description": "Add control implementation description here for statement pe-14_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "5e8c4ca4-c2bc-4f0e-a19b-76e03cd52641", + "description": "Add control implementation description here for item ac-20_smt.a" } ] - } - ] - }, - { - "uuid": "b0342bee-0457-4947-9126-997435dda027", - "control-id": "pe-14", - "statements": [ + }, { - "statement-id": "pe-14_smt.b", - "uuid": "12d620c3-f14b-4e72-94ff-37b9378c4e1d", + 
"statement-id": "ac-20_smt.b", + "uuid": "f4f78566-d742-4233-9048-4cd051449ac5", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "7a79595a-783d-45ed-8e09-ae9eec5500c2", - "description": "Add control implementation description here for statement pe-14_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "71f350a0-e23d-461b-b861-4b6d40c8831e", + "description": "Add control implementation description here for item ac-20_smt.b" } ] } ] }, { - "uuid": "5ddda719-a157-4a70-9be0-236bc190b949", - "control-id": "pe-1", + "uuid": "f46803ad-96a2-44c6-acd4-3023a565c55e", + "control-id": "ac-22", "statements": [ { - "statement-id": "pe-1_smt.a", - "uuid": "78171f55-8812-4cc5-b153-65a14cae69d9", + "statement-id": "ac-22_smt.a", + "uuid": "53672918-a0ee-4d05-af6b-b736f315a33c", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "9ae4ca18-f6cb-49af-83b7-6b2c63107ed5", - "description": "Add control implementation description here for statement pe-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "27dacd8a-b322-41ad-b0a3-50eb55098033", + "description": "Add control implementation description here for item ac-22_smt.a" } ] - } - ] - }, - { - "uuid": "001316e1-7d2e-4576-a1a7-289084a711f1", - "control-id": "pe-1", - "statements": [ + }, { - "statement-id": "pe-1_smt.b", - "uuid": "0d3b72c0-dad1-4ad5-b99b-ad6079e25e35", + "statement-id": "ac-22_smt.b", + "uuid": "a4e1a61c-b2d8-437f-a10f-1dbd27ec4eb5", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "3e125602-881e-483e-ae6a-ef2008aced7b", - "description": "Add control implementation description here for statement pe-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c43e13b5-4fce-4423-8a39-bb485700bb44", + "description": "Add control implementation description here for item ac-22_smt.b" } ] - } - ] - }, - { - "uuid": 
"1e6177c6-aa43-46c9-acd4-f8be5938a072", - "control-id": "pe-1", - "statements": [ + }, { - "statement-id": "pe-1_smt.c", - "uuid": "1681b855-a81b-462b-b418-ab408cf24b10", + "statement-id": "ac-22_smt.c", + "uuid": "8c3a71df-84d0-4293-8d7f-e95442814dd0", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1829b46f-508f-47c1-b628-2be54a530e9d", + "description": "Add control implementation description here for item ac-22_smt.c" + } + ] + }, + { + "statement-id": "ac-22_smt.d", + "uuid": "322f88e2-02a0-4622-9f20-efe53d25eb90", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "24859d22-a3e4-44ac-9713-2811736320b5", - "description": "Add control implementation description here for statement pe-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1432de64-7b57-466c-8408-3acc226db27e", + "description": "Add control implementation description here for item ac-22_smt.d" } ] } ] }, { - "uuid": "5009c55b-5a8f-4c14-bbd7-ebc63561177b", - "control-id": "pe-2", + "uuid": "11f739f7-82a2-420d-8767-f2d7fe0ceb9e", + "control-id": "at-1", "statements": [ { - "statement-id": "pe-2_smt.a", - "uuid": "e83fc581-9c11-43f7-8b21-de532a9b8384", + "statement-id": "at-1_smt.a", + "uuid": "0d4b9fb2-9301-41e8-b67d-4c97e3e10a29", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "9240a693-b702-46c5-ac8a-37794f37ae8f", - "description": "Add control implementation description here for statement pe-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "8e1c1135-c20b-4ec6-a3d2-d97745079b78", + "description": "Add control implementation description here for item at-1_smt.a" } ] - } - ] - }, - { - "uuid": "5882efb4-132f-47f2-92ab-b07d66767474", - "control-id": "pe-2", - "statements": [ + }, { - "statement-id": "pe-2_smt.b", - "uuid": "8aafadc7-14cd-4e58-9227-b2fd49a7bb36", + "statement-id": "at-1_smt.b", + "uuid": 
"40d49a19-6a5b-410b-a0a4-06d14c412864", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "90bd2a7a-f661-43c5-864d-466ce073394f", - "description": "Add control implementation description here for statement pe-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "369957f3-b5c6-4160-8c76-fd9387a78fc9", + "description": "Add control implementation description here for item at-1_smt.b" } ] - } - ] - }, - { - "uuid": "def203e1-3b9b-41f5-bafc-43977fbbbbc7", - "control-id": "pe-2", - "statements": [ + }, { - "statement-id": "pe-2_smt.c", - "uuid": "85fb3339-3296-4d41-ac7a-ce45e2c066d2", + "statement-id": "at-1_smt.c", + "uuid": "2de41d77-0631-47c1-9f2c-3451e7862cfe", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "eb06ab06-891a-41f6-9156-3ddfe415d400", - "description": "Add control implementation description here for statement pe-2_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "eb47fe43-13b4-4ac9-9489-ad65cd8722d2", + "description": "Add control implementation description here for item at-1_smt.c" } ] } ] }, { - "uuid": "469a7e1e-b2fd-412a-a5e1-e53c417d6c8f", - "control-id": "pe-2", + "uuid": "d38f695c-5646-4268-93c8-72ce0fd8cc5d", + "control-id": "at-2", "statements": [ { - "statement-id": "pe-2_smt.d", - "uuid": "ed7a4472-354d-48be-aa7b-6ece9f157397", + "statement-id": "at-2_smt.a", + "uuid": "92e80039-a3c9-4457-a986-39d7d2066193", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "00bdb5cf-d978-4f64-ba93-fb1183ca7561", - "description": "Add control implementation description here for statement pe-2_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b0a48bdb-437c-4feb-8abd-9fa355e70218", + "description": "Add control implementation description here for item at-2_smt.a" } ] - } - ] - }, - { - "uuid": "da5fdbb5-2738-4661-bf3d-694a08cd607d", - "control-id": "pe-6", - 
"statements": [ + }, { - "statement-id": "pe-6_smt.a", - "uuid": "60a22235-cfaa-4c4d-a2e7-f4b6da62ce87", + "statement-id": "at-2_smt.b", + "uuid": "7495ab8e-8156-4320-a28f-26e8ccb5512a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "0ced9772-4e8d-4830-80ba-076d5b95b772", - "description": "Add control implementation description here for statement pe-6_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d9787cd5-4b0e-4a44-b47d-0b4544461f16", + "description": "Add control implementation description here for item at-2_smt.b" } ] - } - ] - }, - { - "uuid": "797150a7-1cc2-46b3-91be-90bbaa08cb55", - "control-id": "pe-6", - "statements": [ + }, { - "statement-id": "pe-6_smt.b", - "uuid": "30fff399-e45a-4158-9a1a-c0e496525cf3", + "statement-id": "at-2_smt.c", + "uuid": "bec89f24-7590-4d2b-b1af-93768fbe0b53", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "ce1d0b98-22e3-46be-b698-a31337923e94", - "description": "Add control implementation description here for statement pe-6_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "5d4da844-129b-49b4-9099-b96ff0bf7c77", + "description": "Add control implementation description here for item at-2_smt.c" } ] - } - ] - }, - { - "uuid": "7317760c-cdef-43c5-8f6a-cf7fe5c37edf", - "control-id": "pe-6", - "statements": [ + }, { - "statement-id": "pe-6_smt.c", - "uuid": "ddada319-7858-43c2-926e-a2ac0df00b98", + "statement-id": "at-2_smt.d", + "uuid": "818de687-4742-4255-8afd-5fb2fb27187e", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "ec7c21e4-1925-4d00-a63d-6192f0317563", - "description": "Add control implementation description here for statement pe-6_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "909b9318-9231-46ea-8d8f-8e5deffbb1a3", + "description": "Add control implementation description here for item at-2_smt.d" } ] } ] 
}, { - "uuid": "dbb09cd5-0588-4470-bab1-9a351daf6054", - "control-id": "pe-3", + "uuid": "37986b13-7ecc-4274-82e4-e1b015815521", + "control-id": "at-2.2", "statements": [ { - "statement-id": "pe-3_smt.a", - "uuid": "27ec298e-fdb5-41f5-989a-136531172acf", + "statement-id": "at-2.2_smt", + "uuid": "d3f13f44-3897-411f-b328-e050be49862a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "bf0da3a8-0a94-4591-b946-0bef3cba3b16", - "description": "Add control implementation description here for statement pe-3_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "bc0b8c36-4e75-4a79-963f-fa98d756610b", + "description": "Add control implementation description here for control at-2.2" } ] } ] }, { - "uuid": "f245be95-8457-432c-9270-2235023cb721", - "control-id": "pe-3", + "uuid": "9e9d6542-5b3a-44cb-953f-0133dbca50d9", + "control-id": "at-3", "statements": [ { - "statement-id": "pe-3_smt.b", - "uuid": "fc43df6e-b287-455c-887b-7d898815ad52", + "statement-id": "at-3_smt.a", + "uuid": "d79aea87-8554-4360-8d45-361b32d347b7", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f3f0a2dd-da63-40ca-90bb-f8df2f3fe826", - "description": "Add control implementation description here for statement pe-3_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "5017b39a-e94f-4b31-be97-ce52f364226e", + "description": "Add control implementation description here for item at-3_smt.a" } ] - } - ] - }, - { - "uuid": "21a91d37-68cb-4df5-bfe5-b97a90973fdb", - "control-id": "pe-3", - "statements": [ + }, { - "statement-id": "pe-3_smt.c", - "uuid": "ad1e8445-8a10-4bd9-a0a3-88d99a82a3eb", + "statement-id": "at-3_smt.b", + "uuid": "c383a808-c4cc-47d1-8a7c-cf96b864b176", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f672efa5-1c9d-46f6-93c0-e93acaa8cd57", - "description": "Add control implementation description here for statement 
pe-3_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "72f21215-84d6-45a6-b56f-6eaf64c8cdc2", + "description": "Add control implementation description here for item at-3_smt.b" } ] - } - ] - }, - { - "uuid": "f76947d9-8cd1-4f7b-9aeb-61030e18dd8c", - "control-id": "pe-3", - "statements": [ + }, { - "statement-id": "pe-3_smt.d", - "uuid": "c207cb46-0c21-4f08-8260-d202d63d0033", + "statement-id": "at-3_smt.c", + "uuid": "91b487df-e70c-4f93-982a-8191f5ace83b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c48a768c-58c4-434f-9071-b777a1d8e573", - "description": "Add control implementation description here for statement pe-3_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d1b76975-d3c2-4c26-a65a-80a06d807e28", + "description": "Add control implementation description here for item at-3_smt.c" } ] } ] }, { - "uuid": "53a710b5-1fc6-4e1a-93d4-4a7c77528c34", - "control-id": "pe-3", + "uuid": "59c9465c-91a7-4953-a481-536fcf98ae83", + "control-id": "at-4", "statements": [ { - "statement-id": "pe-3_smt.e", - "uuid": "9aa3d85c-c8aa-4782-a0f6-c7edda0a3b51", + "statement-id": "at-4_smt.a", + "uuid": "2b209147-6788-45d0-87c7-3545faaac44b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "33ae3979-ee4c-48fd-ba86-68f6f9551fcc", - "description": "Add control implementation description here for statement pe-3_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "2d41493b-a62b-49dc-9c55-a5de6dd81155", + "description": "Add control implementation description here for item at-4_smt.a" } ] - } - ] - }, - { - "uuid": "b10c9236-cbc1-4ddb-b08c-afd0feb90e2e", - "control-id": "pe-3", - "statements": [ + }, { - "statement-id": "pe-3_smt.f", - "uuid": "bc86a00e-96c9-4994-a31d-c11b82b25803", + "statement-id": "at-4_smt.b", + "uuid": "ed207fdf-9b5b-4be5-a98c-578b709e46d5", "by-components": [ { - "component-uuid": 
"67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "48b59ab9-b176-4df6-aae5-d2c3d5b579dd", - "description": "Add control implementation description here for statement pe-3_smt.f" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "896ee6b2-7234-4242-a9b8-84cd4da5c1c7", + "description": "Add control implementation description here for item at-4_smt.b" } ] } ] }, { - "uuid": "ddb2e877-9c7b-46a0-a9e5-d4f8bbbb8d5f", - "control-id": "pe-3", + "uuid": "16c874b4-cfd7-46e1-abfd-41e190cc2e0c", + "control-id": "au-1", "statements": [ { - "statement-id": "pe-3_smt.g", - "uuid": "3073e694-e232-4627-86e3-fe62a9e902bf", + "statement-id": "au-1_smt.a", + "uuid": "a35aabaf-ed71-4394-932c-657f18507d61", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "8b0856ca-550d-4463-b7ae-e6ac65e91767", - "description": "Add control implementation description here for statement pe-3_smt.g" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "50014d8e-88c7-4cd2-816c-10a2082d0551", + "description": "Add control implementation description here for item au-1_smt.a" } ] - } - ] - }, - { - "uuid": "88fd6b89-b896-485e-a08c-a17ef4743c4a", - "control-id": "pe-8", - "statements": [ + }, { - "statement-id": "pe-8_smt.a", - "uuid": "084e72a3-ab5f-4598-afa1-e0287a60594b", + "statement-id": "au-1_smt.b", + "uuid": "b0f9f0ef-bd31-4360-bebc-92e956d58f88", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "848e64d0-8ff0-450a-b1d6-4c9866219bb8", - "description": "Add control implementation description here for statement pe-8_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "5ea83801-e958-48e1-9fba-ee7dd081bd7e", + "description": "Add control implementation description here for item au-1_smt.b" } ] - } - ] - }, - { - "uuid": "f99181b8-d8a7-4fa4-9347-b20571b359d4", - "control-id": "pe-8", - "statements": [ + }, { - "statement-id": "pe-8_smt.b", - "uuid": 
"a63451ca-f706-4dc6-bd9f-c6409c0c2cc8", + "statement-id": "au-1_smt.c", + "uuid": "68797bc3-b653-4f18-8ef4-853152fea24b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "e9b4a444-604e-4052-a3aa-2b8f8ba8ace2", - "description": "Add control implementation description here for statement pe-8_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "cd9a9d65-b298-48d2-9418-8a9091fc5d4d", + "description": "Add control implementation description here for item au-1_smt.c" } ] } ] }, { - "uuid": "c03509b7-815e-48dc-9cd7-08196eaeb1be", - "control-id": "pe-8", + "uuid": "2f79ab39-e983-4aaf-a5d8-985679f6996d", + "control-id": "au-2", "statements": [ { - "statement-id": "pe-8_smt.c", - "uuid": "1c65757b-d61e-4453-999a-f0509f8e3c53", + "statement-id": "au-2_smt.a", + "uuid": "d1de0269-29cb-489f-8c96-f5dd8c6ce2d7", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "57d49483-25a9-4684-9fb4-0e461bc3ddbe", - "description": "Add control implementation description here for statement pe-8_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "cc086b23-93b8-4e25-ac07-17f8d5166dd8", + "description": "Add control implementation description here for item au-2_smt.a" } ] - } - ] - }, - { - "uuid": "5304fd91-899e-4a54-a705-2b9bab7eac00", - "control-id": "pe-16", - "statements": [ + }, { - "statement-id": "pe-16_smt.a", - "uuid": "7ca7056b-9455-4d2c-946d-2f6e65e9798c", + "statement-id": "au-2_smt.b", + "uuid": "526cbc25-163f-4c6f-b10d-faf4227cf96d", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "959fa27e-b231-4d42-954e-43c784280652", - "description": "Add control implementation description here for statement pe-16_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "651a2c68-0599-4a48-be54-18b527f26468", + "description": "Add control implementation description here for item au-2_smt.b" } ] - } - ] 
- }, - { - "uuid": "24cf47d9-a312-4176-b81c-36cb99697604", - "control-id": "pe-16", - "statements": [ + }, { - "statement-id": "pe-16_smt.b", - "uuid": "3afa41b9-0515-4719-ab05-e8fe568c8d43", + "statement-id": "au-2_smt.c", + "uuid": "a59a46ae-3901-47c6-80fc-675272d0dcce", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "0160d7cb-5dd9-4c41-a6af-f21aabf30f0e", - "description": "Add control implementation description here for statement pe-16_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0f279283-14ad-4467-be3d-3b338f9873fb", + "description": "Add control implementation description here for item au-2_smt.c" } ] - } - ] - }, - { - "uuid": "4d7ee23e-239b-4efc-b310-0ff1f9989d74", - "control-id": "ac-2", - "statements": [ + }, { - "statement-id": "ac-2_smt.a", - "uuid": "ce0d936e-8188-4e54-91fc-2e1c1dfed1cc", + "statement-id": "au-2_smt.d", + "uuid": "3fc888c8-9070-464f-bfff-a64d0978d841", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a7e8fa57-b16e-4998-a0ec-29faec331d51", - "description": "Add control implementation description here for statement ac-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "9c54f878-f3a7-4a74-b064-8302f00f4fbc", + "description": "Add control implementation description here for item au-2_smt.d" } ] - } - ] - }, - { - "uuid": "9e2f3ac9-dcaf-45d9-8804-4609af61c0d6", - "control-id": "ac-2", - "statements": [ + }, { - "statement-id": "ac-2_smt.b", - "uuid": "07417886-3db7-40da-83f2-f00f628e9f41", + "statement-id": "au-2_smt.e", + "uuid": "71dc1b49-f58a-4a4c-ae6f-40fbb51eafce", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "1601f73a-bafd-4d87-b185-d98c13b803c6", - "description": "Add control implementation description here for statement ac-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ec265456-fec6-4c57-9873-34e11004e84e", + 
"description": "Add control implementation description here for item au-2_smt.e" } ] } ] }, { - "uuid": "aeed7fc7-80c1-4c44-9b38-63bdb51c99ea", - "control-id": "ac-2", + "uuid": "86d4be20-2b22-4662-bdf0-94780f5fac60", + "control-id": "au-3", "statements": [ { - "statement-id": "ac-2_smt.c", - "uuid": "7dae611b-2c73-49ac-b380-4472426a72b0", + "statement-id": "au-3_smt.a", + "uuid": "66f8de95-1b00-427e-8b52-3eeaa76a33d3", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "515489bb-87f5-45f1-bd9b-25adcbb065ee", - "description": "Add control implementation description here for statement ac-2_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "8988b560-52c4-469e-8979-faf21daec71d", + "description": "Add control implementation description here for item au-3_smt.a" } ] - } - ] - }, - { - "uuid": "19b2f77c-0343-4c07-a17d-c597af4ef4d1", - "control-id": "ac-2", - "statements": [ + }, { - "statement-id": "ac-2_smt.d", - "uuid": "ebff2aab-05b4-48ba-89d1-e6cb6f7c03c7", + "statement-id": "au-3_smt.b", + "uuid": "6e52d8c1-15b2-49c3-bf00-6f3837d176d3", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "10200db5-cc3e-46bd-9c65-0688e04006cb", - "description": "Add control implementation description here for statement ac-2_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "46a1da96-16f2-4d7b-8476-20e4326e7b98", + "description": "Add control implementation description here for item au-3_smt.b" } ] - } - ] - }, - { - "uuid": "e5b2b00d-a69d-414d-99f9-9bfb2b2e8aeb", - "control-id": "ac-2", - "statements": [ + }, { - "statement-id": "ac-2_smt.e", - "uuid": "9578011a-fb74-402d-a849-2ed526113263", + "statement-id": "au-3_smt.c", + "uuid": "b52b39d5-bb0c-45e3-aa71-134281f829b9", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "08126668-fbc3-4475-bf39-6f9933ad9768", - "description": "Add control implementation 
description here for statement ac-2_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "72d26026-79f8-44c5-9aa2-a44cc8c9641e", + "description": "Add control implementation description here for item au-3_smt.c" } ] - } - ] - }, - { - "uuid": "76b1be00-c521-4600-9499-c405c6e79c85", - "control-id": "ac-2", - "statements": [ + }, { - "statement-id": "ac-2_smt.f", - "uuid": "da4f1b13-1be0-4672-9dfd-31c3dbb6cf01", + "statement-id": "au-3_smt.d", + "uuid": "ffd0129d-5ed8-40d0-9c1f-fe73e8d8c9d9", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b9513843-9d23-460d-9eb8-7d94546816a3", - "description": "Add control implementation description here for statement ac-2_smt.f" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "777f6931-f67b-42c7-a35d-7767d87a94d9", + "description": "Add control implementation description here for item au-3_smt.d" } ] - } - ] - }, - { - "uuid": "0bd88027-8534-49b9-8836-2f92fdf77fcd", - "control-id": "ac-2", - "statements": [ + }, { - "statement-id": "ac-2_smt.g", - "uuid": "bd3f4209-5c09-44b7-bd6a-9a43deddd2fb", + "statement-id": "au-3_smt.e", + "uuid": "7ca283a2-8b06-4aa8-8aea-1dcc9be48478", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "1682db00-1a62-4a52-be10-4013a021024a", - "description": "Add control implementation description here for statement ac-2_smt.g" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "49525c06-f606-4fe9-a5a6-08356ce5ab4e", + "description": "Add control implementation description here for item au-3_smt.e" } ] - } - ] - }, - { - "uuid": "9d44f4f2-fd13-4384-af42-28db6e05beaa", - "control-id": "ac-2", - "statements": [ + }, { - "statement-id": "ac-2_smt.h", - "uuid": "edd0a2cb-924e-49c1-8e3f-cd8ae3d8597a", + "statement-id": "au-3_smt.f", + "uuid": "a10026f3-611d-4ea7-89eb-5d13c36e9a5a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - 
"uuid": "3100fb51-8f4b-4d6a-8a84-eaca32c3f93f", - "description": "Add control implementation description here for statement ac-2_smt.h" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "07b32717-8cc0-4822-9caf-e66925548b24", + "description": "Add control implementation description here for item au-3_smt.f" } ] } ] }, { - "uuid": "75da7517-9226-45cf-b6e9-10c2de178f95", - "control-id": "ac-2", + "uuid": "0bdaa690-372b-4c38-a09f-3e674dcad413", + "control-id": "au-4", "statements": [ { - "statement-id": "ac-2_smt.i", - "uuid": "ab3660a3-3ac3-4d40-a39c-d1ba03aec938", + "statement-id": "au-4_smt", + "uuid": "fb571984-0e92-4847-b6d7-b41603405a3c", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "09f036a0-7306-41de-bc47-b418029085da", - "description": "Add control implementation description here for statement ac-2_smt.i" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4d497565-0850-4fdb-82a7-dbe288e19b36", + "description": "Add control implementation description here for control au-4" } ] } ] }, { - "uuid": "3dbb6f68-d9c9-49a7-8d41-4d09215e002d", - "control-id": "ac-2", + "uuid": "c05197a8-a643-4e31-9723-e11556d6afe0", + "control-id": "au-5", "statements": [ { - "statement-id": "ac-2_smt.j", - "uuid": "e126ac6e-d5ad-44b2-bd77-0dc263b511c8", + "statement-id": "au-5_smt.a", + "uuid": "a9ea6752-4c55-4301-a104-d66e98e2baa5", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b8757f3b-0c90-4e01-ad62-b790e5916771", - "description": "Add control implementation description here for statement ac-2_smt.j" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "7b6e0453-9d7e-4635-9d77-5b930275491f", + "description": "Add control implementation description here for item au-5_smt.a" } ] - } - ] - }, - { - "uuid": "3562a5bd-b6e6-4c1c-b6ea-2e7c152cb772", - "control-id": "ac-2", - "statements": [ + }, { - "statement-id": "ac-2_smt.k", - "uuid": 
"bebe6251-9fcf-4218-a4c0-6d60cec66172", + "statement-id": "au-5_smt.b", + "uuid": "ad56331e-580d-4b83-a95b-4d70e1fcd256", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "81baa78b-2f08-4962-a880-faafa5ee98e8", - "description": "Add control implementation description here for statement ac-2_smt.k" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "7a119f65-7a33-4324-b5cb-e9060740b7ed", + "description": "Add control implementation description here for item au-5_smt.b" } ] } ] }, { - "uuid": "d419a2c2-911f-464f-a798-774b87656f98", - "control-id": "ac-2", + "uuid": "690dffc8-d089-4b5c-b9fe-0f1fd77f9072", + "control-id": "au-6", "statements": [ { - "statement-id": "ac-2_smt.l", - "uuid": "8b07e210-a1f0-410c-9d14-0ac3f906a5f8", + "statement-id": "au-6_smt.a", + "uuid": "90bf4da1-7780-45cc-aafc-8b179414d1ac", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "8b1f4824-0bb1-4967-80cd-20ed094d1b14", - "description": "Add control implementation description here for statement ac-2_smt.l" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "964ddef6-8cf8-4451-b2e5-6c65c673646f", + "description": "Add control implementation description here for item au-6_smt.a" } ] - } - ] - }, - { - "uuid": "bf450bc2-2bfb-47b1-89da-a20dd213c8d1", - "control-id": "ac-22", - "statements": [ + }, { - "statement-id": "ac-22_smt.a", - "uuid": "53b0ebe7-14bf-4192-a21f-4ffd319e9d48", + "statement-id": "au-6_smt.b", + "uuid": "ddc7e48e-2378-4eb6-8846-328ec01290c0", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "81c90b48-b175-404e-a092-3a1e8493ca4b", - "description": "Add control implementation description here for statement ac-22_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "cd2b1e9d-f010-4b5a-ae14-248a0741c9ac", + "description": "Add control implementation description here for item au-6_smt.b" } ] - } - ] 
- }, - { - "uuid": "2552d98a-7c4e-4c49-934d-c809540c32a2", - "control-id": "ac-22", - "statements": [ + }, { - "statement-id": "ac-22_smt.b", - "uuid": "03838925-a044-4c6d-8fd1-ea322cabd678", + "statement-id": "au-6_smt.c", + "uuid": "ac0d9d00-6ba0-447a-a969-fc07be1b052e", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "0d025be8-b9e0-48d1-b66a-d16609c12c05", - "description": "Add control implementation description here for statement ac-22_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "63c9aa76-3bfe-4bb1-9d66-64037d432c61", + "description": "Add control implementation description here for item au-6_smt.c" } ] } ] }, { - "uuid": "9ec06a1e-7c11-457d-965f-809983c7a3d6", - "control-id": "ac-22", + "uuid": "40695377-7891-4411-ad2b-2b36887727ec", + "control-id": "au-8", "statements": [ { - "statement-id": "ac-22_smt.c", - "uuid": "c2899a94-c5f9-48a9-8f48-a2b13b4c83f2", + "statement-id": "au-8_smt.a", + "uuid": "4b3df300-ba75-41fa-ae0b-b8ea6e4c4405", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "7bc3ce42-f092-4ab7-ac8a-b6d4d8890001", - "description": "Add control implementation description here for statement ac-22_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ac9672f6-3354-49b1-85e4-f69ea2ad30c7", + "description": "Add control implementation description here for item au-8_smt.a" } ] - } - ] - }, - { - "uuid": "b5aa6c7e-eaaf-4fae-bfb0-79188ad6c4d2", - "control-id": "ac-22", - "statements": [ + }, { - "statement-id": "ac-22_smt.d", - "uuid": "4ee1757b-c12d-411e-a4a7-dd519daeb7fe", + "statement-id": "au-8_smt.b", + "uuid": "198086d5-8d2b-4981-b81f-94a4f69d4da5", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "2d8b370e-e91d-4072-99ae-62be8edc319a", - "description": "Add control implementation description here for statement ac-22_smt.d" + "component-uuid": 
"97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "668ca2ba-1d02-4607-b82c-907b12401811", + "description": "Add control implementation description here for item au-8_smt.b" } ] } ] }, { - "uuid": "2ecf3903-9ec3-4925-8d04-e7cd80a2eea8", - "control-id": "ac-17", + "uuid": "c5758a2c-04f5-4470-86eb-bf3bd094cef9", + "control-id": "au-9", "statements": [ { - "statement-id": "ac-17_smt.a", - "uuid": "c00cce86-9831-4465-8fc1-274d10ce66e5", + "statement-id": "au-9_smt.a", + "uuid": "b771e137-950f-4ba2-b309-b1473acaae19", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b2241870-74ae-4412-af9c-4ec8e91863b4", - "description": "Add control implementation description here for statement ac-17_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "58ced3f6-d6d4-4d43-829e-7fb3bd7e63a3", + "description": "Add control implementation description here for item au-9_smt.a" } ] - } - ] - }, - { - "uuid": "750f8783-7dec-4d33-9a7a-31e7563043f2", - "control-id": "ac-17", - "statements": [ + }, { - "statement-id": "ac-17_smt.b", - "uuid": "c205b5c1-ebaa-4282-b320-21caca46101f", + "statement-id": "au-9_smt.b", + "uuid": "3777411d-d69f-4f5c-9c89-1359616148d9", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "ab8bae54-172f-42f1-851e-16e2c50fc4db", - "description": "Add control implementation description here for statement ac-17_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "783474e2-2cbf-4ac1-aa14-89c227fdeee8", + "description": "Add control implementation description here for item au-9_smt.b" } ] } ] }, { - "uuid": "71ab6d4e-fd5f-4aa2-ad8b-fb114d79daac", - "control-id": "ac-7", + "uuid": "a0cfcb30-ba0e-4a0b-bc08-cca3d1bc3739", + "control-id": "au-11", "statements": [ { - "statement-id": "ac-7_smt.a", - "uuid": "0e6442ef-6e6c-4754-815a-da04c9c73d7e", + "statement-id": "au-11_smt", + "uuid": "dac3b1cd-8cda-4bca-a61e-d4d7795ef77d", "by-components": [ { - 
"component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "bb9742cc-d0a0-4b8a-a9a8-7a427d3bc56d", - "description": "Add control implementation description here for statement ac-7_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "aebc0cf6-b04b-4793-acf1-8a5380edc50d", + "description": "Add control implementation description here for control au-11" } ] } ] }, { - "uuid": "83b0b240-fb86-4645-b0f4-b0efe44831b9", - "control-id": "ac-7", + "uuid": "335f8c2f-928b-416c-b452-280418a08fc5", + "control-id": "au-12", "statements": [ { - "statement-id": "ac-7_smt.b", - "uuid": "061ae88a-40a4-4075-97e1-fc8b2ed26386", + "statement-id": "au-12_smt.a", + "uuid": "09407beb-1f1c-43a4-bd88-e87e6a738a99", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "e506671c-ebbd-49d2-b302-c20dabf31eec", - "description": "Add control implementation description here for statement ac-7_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4184f922-591c-45ff-ace6-a7d3ea2ef754", + "description": "Add control implementation description here for item au-12_smt.a" } ] - } - ] - }, - { - "uuid": "eaa378c1-37c7-452d-a673-9d02d69f1776", - "control-id": "ac-8", - "statements": [ + }, { - "statement-id": "ac-8_smt.a", - "uuid": "ab34b631-a59a-4a02-a758-9bf2c5db18e4", + "statement-id": "au-12_smt.b", + "uuid": "60f44ac9-ee48-48f1-863e-7774196a5f52", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "e48fd02d-62d5-48b1-84a5-d072fdb63dc1", - "description": "Add control implementation description here for statement ac-8_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d742aa55-649c-4d9e-a426-9936c10c573c", + "description": "Add control implementation description here for item au-12_smt.b" } ] - } - ] - }, - { - "uuid": "094ccfc0-026a-4f9b-ae32-473339da1370", - "control-id": "ac-8", - "statements": [ + }, { - "statement-id": "ac-8_smt.b", - 
"uuid": "7b318107-8579-49ea-afb3-50c80db60765", + "statement-id": "au-12_smt.c", + "uuid": "1f82c478-a44f-43da-9e1b-59aa51d864f9", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "dcf80425-e938-44a7-8a31-92753709b99c", - "description": "Add control implementation description here for statement ac-8_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "84092fc6-c598-4721-85a6-9d7304e3f7a2", + "description": "Add control implementation description here for item au-12_smt.c" } ] } ] }, { - "uuid": "9d4c35ef-1a06-4964-ab50-a60c247109bb", - "control-id": "ac-8", + "uuid": "ac14fdcf-034f-43b6-845c-5ec1cbd049e9", + "control-id": "ca-1", "statements": [ { - "statement-id": "ac-8_smt.c", - "uuid": "92d38182-67a0-4f76-a8d2-685ccd9e65fe", + "statement-id": "ca-1_smt.a", + "uuid": "071191f0-68e4-4eb5-8ae5-5015a07ab902", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "cb3b2e33-a30c-4111-aa8c-ba3526ee9109", - "description": "Add control implementation description here for statement ac-8_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1e6db02f-f2c1-4214-9116-95f2a8387f1b", + "description": "Add control implementation description here for item ca-1_smt.a" } ] - } - ] - }, - { - "uuid": "75be1bfc-c31e-4e6e-9897-ac78d0998b5d", - "control-id": "ac-18", - "statements": [ + }, { - "statement-id": "ac-18_smt.a", - "uuid": "e1648adb-0f9b-49a0-bb01-0be90fb09307", + "statement-id": "ca-1_smt.b", + "uuid": "78ea607c-1322-4b70-a9f2-ea50898450cf", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "138195d3-41cd-4eae-95b0-c2beb6ea7c55", - "description": "Add control implementation description here for statement ac-18_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "996b8e27-434a-4deb-8cef-c7093b55c188", + "description": "Add control implementation description here for item ca-1_smt.b" } 
] - } - ] - }, - { - "uuid": "37a040b4-a987-4b29-aa1c-f5260d8938e9", - "control-id": "ac-18", - "statements": [ + }, { - "statement-id": "ac-18_smt.b", - "uuid": "8d8ea5f4-a516-4d4a-8e02-3f3e934e3ada", + "statement-id": "ca-1_smt.c", + "uuid": "5682a810-57bd-4a61-84a7-c4b4968a5d8d", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "1c6d2e13-7340-4194-b607-6ae8d6cca09b", - "description": "Add control implementation description here for statement ac-18_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "36b89a75-0628-4845-b549-94ced3660972", + "description": "Add control implementation description here for item ca-1_smt.c" } ] } ] }, { - "uuid": "a497d70d-dd74-4b85-8b88-387b41f5d1d6", - "control-id": "ac-19", + "uuid": "28ad16c4-7c35-417a-86a9-bbe0bba671ea", + "control-id": "ca-2", "statements": [ { - "statement-id": "ac-19_smt.a", - "uuid": "eeab35b0-f09e-4a0b-8889-d192aa287f04", + "statement-id": "ca-2_smt.a", + "uuid": "3dc49c8a-42c8-46ed-81bc-12426143fdee", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "073cdd3f-a499-4290-9d2b-d9d6cf0e9eaf", - "description": "Add control implementation description here for statement ac-19_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "912d7f1c-da5b-452b-9202-aff87bc051d2", + "description": "Add control implementation description here for item ca-2_smt.a" } ] - } - ] - }, - { - "uuid": "61b43abf-29fa-4b41-b1e5-ce46b5493cee", - "control-id": "ac-19", - "statements": [ + }, { - "statement-id": "ac-19_smt.b", - "uuid": "ad77b813-a656-4782-a0e8-71fd63d039a9", + "statement-id": "ca-2_smt.b", + "uuid": "e1298c6c-38be-4bbd-ab64-3f52c7fcd7b7", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "6553871b-7370-4b03-ac15-f4f31e44f4ac", - "description": "Add control implementation description here for statement ac-19_smt.b" + "component-uuid": 
"97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "46e56a25-e515-4a8c-a599-b51313340881", + "description": "Add control implementation description here for item ca-2_smt.b" } ] - } - ] - }, - { - "uuid": "d89b6b6e-1ffa-4d8d-bcc5-aa63ae0eb494", - "control-id": "ac-14", - "statements": [ + }, { - "statement-id": "ac-14_smt.a", - "uuid": "7110bf20-cdbd-4eb9-86d8-5769a918e148", + "statement-id": "ca-2_smt.c", + "uuid": "77622175-af2b-460a-a89c-b7e860557a80", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "bfb91554-17cd-4efa-8f12-c8f144ddc389", - "description": "Add control implementation description here for statement ac-14_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "3f93a306-cb75-467e-9052-61a8009362fd", + "description": "Add control implementation description here for item ca-2_smt.c" } ] - } - ] - }, - { - "uuid": "62d210dd-76cf-4a12-ad6d-7589bb07aecf", - "control-id": "ac-14", - "statements": [ + }, { - "statement-id": "ac-14_smt.b", - "uuid": "02e368cd-1e3a-4ec8-be30-0cae55d24eba", + "statement-id": "ca-2_smt.d", + "uuid": "38e632e4-3a53-4b18-9e1d-1f78bc5e71a1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "5d98cdad-ab54-47d7-ae84-da4a054cdce3", - "description": "Add control implementation description here for statement ac-14_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "9b4de2fc-ec13-4443-abfc-11a167a08021", + "description": "Add control implementation description here for item ca-2_smt.d" + } + ] + }, + { + "statement-id": "ca-2_smt.e", + "uuid": "05b0aff8-508f-4fae-87b2-4898e3ddcb8d", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "61241915-b64d-440d-af2c-82b99a06f5ac", + "description": "Add control implementation description here for item ca-2_smt.e" + } + ] + }, + { + "statement-id": "ca-2_smt.f", + "uuid": "1ddcf14b-8013-4814-9c8b-480e6368e1cf", + 
"by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d605aa3c-a141-4f67-83df-137c22c74817", + "description": "Add control implementation description here for item ca-2_smt.f" } ] } ] }, { - "uuid": "5852ad1f-72b4-4ded-8670-e86304786547", - "control-id": "ac-20", + "uuid": "f064db16-33e3-4a0b-ad80-8e10a9d34867", + "control-id": "ca-3", "statements": [ { - "statement-id": "ac-20_smt.a", - "uuid": "c0e3d242-593b-4371-aa6d-9c4084ba6a0f", + "statement-id": "ca-3_smt.a", + "uuid": "8c8ec80d-521f-4fd4-8e6c-5aac62d1b3eb", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1d2c90fe-be1c-45a8-9ae6-d547c4dce8ea", + "description": "Add control implementation description here for item ca-3_smt.a" + } + ] + }, + { + "statement-id": "ca-3_smt.b", + "uuid": "17475df7-aa9f-489f-98c7-a83ca8a743fe", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c02eec6c-0dbd-4a27-9724-a1116e6bdcb8", + "description": "Add control implementation description here for item ca-3_smt.b" + } + ] + }, + { + "statement-id": "ca-3_smt.c", + "uuid": "884942a0-a02d-451e-8b93-af9f8d591d02", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "4e28516e-371c-40ed-bf67-6a8037c65166", - "description": "Add control implementation description here for statement ac-20_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ca11e616-e671-4dd9-9da8-0b3e53d6a658", + "description": "Add control implementation description here for item ca-3_smt.c" } ] } ] }, { - "uuid": "a34c49b7-804d-46a6-b0fe-ccc4393498f2", - "control-id": "ac-20", + "uuid": "ae5e6c26-270d-4210-b16e-107a24e5eb61", + "control-id": "ca-5", "statements": [ { - "statement-id": "ac-20_smt.b", - "uuid": "db705386-d6fb-4ebd-bbc4-db15fdc74641", + "statement-id": "ca-5_smt.a", + "uuid": "4373b640-a329-4115-a030-f8f0dddf7e52", "by-components": [ { - "component-uuid": 
"67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "68f7d260-645a-4950-ae2e-70966b74095f", - "description": "Add control implementation description here for statement ac-20_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "20099967-452c-4287-9b7c-21e85185daa0", + "description": "Add control implementation description here for item ca-5_smt.a" + } + ] + }, + { + "statement-id": "ca-5_smt.b", + "uuid": "5c320ed4-55fc-4c42-9bbf-1651547fdda5", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "2d4434a3-fdd6-4340-a6ed-f6ddb2a86f72", + "description": "Add control implementation description here for item ca-5_smt.b" } ] } ] }, { - "uuid": "9473f4de-cf83-4d61-a7f8-0b3531156202", - "control-id": "ac-1", + "uuid": "c0fd6ae2-614b-4a36-b0c3-812ae9bb277e", + "control-id": "ca-6", "statements": [ { - "statement-id": "ac-1_smt.a", - "uuid": "570cdbcb-ce05-453b-8ca4-2750fc2ab247", + "statement-id": "ca-6_smt.a", + "uuid": "a3faa2a4-29b0-412c-9452-2bc5b5c66270", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "2a7cff34-d376-490b-9466-48a5853e4be7", + "description": "Add control implementation description here for item ca-6_smt.a" + } + ] + }, + { + "statement-id": "ca-6_smt.b", + "uuid": "de9c3d28-fb42-4316-a4d6-359d5deeda62", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "7f3ef9fd-7b2d-4d02-874a-f8de469b98ea", + "description": "Add control implementation description here for item ca-6_smt.b" + } + ] + }, + { + "statement-id": "ca-6_smt.c", + "uuid": "62353ed3-28a3-4a68-8732-0b4911cfd594", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "a63b89b1-3f0a-4d60-aa59-7a4479b7f0e3", + "description": "Add control implementation description here for item ca-6_smt.c" + } + ] + }, + { + "statement-id": "ca-6_smt.d", + "uuid": "1692f7ef-b05c-4ca8-828b-520402bf42f0", + 
"by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f016c777-3c61-44d9-853d-73476393bb22", + "description": "Add control implementation description here for item ca-6_smt.d" + } + ] + }, + { + "statement-id": "ca-6_smt.e", + "uuid": "6c53fbae-c408-416c-bfb8-8f9117fa661e", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "34917838-69e9-4952-9477-c0ff6fda73b4", - "description": "ACME CISO is responsible for setting the organisation access control policies, and in The access control policies at a global level are reviewed on an annual cycle. ACME CISO also review access control policy whenever ACME legal and/or Compliance teams identify access control obligations." + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "69dc7664-9ee8-466f-8f6e-1ddb8a00da0b", + "description": "Add control implementation description here for item ca-6_smt.e" } ] } ] }, { - "uuid": "a2f13418-818f-4980-9f63-812cc7a709a0", - "control-id": "ac-1", + "uuid": "2b027611-7cb4-40d6-9f6f-cdd20a5f5113", + "control-id": "ca-7", "statements": [ { - "statement-id": "ac-1_smt.b", - "uuid": "f91ae6a5-9f00-486e-998a-930a3d17e799", + "statement-id": "ca-7_smt.a", + "uuid": "aa1a510d-2a57-41ef-9ecd-61e948b61ab2", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "685b9493-0ee9-4219-ac12-84a71a058cc9", + "description": "Add control implementation description here for item ca-7_smt.a" + } + ] + }, + { + "statement-id": "ca-7_smt.b", + "uuid": "134c63a2-69af-4c14-b20b-2aae90551125", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "19a69c4a-2fc3-4408-aeee-4faa386a3e4c", + "description": "Add control implementation description here for item ca-7_smt.b" + } + ] + }, + { + "statement-id": "ca-7_smt.c", + "uuid": "750f2e7a-c131-43be-8bb0-0af5d858c877", "by-components": [ { - "component-uuid": 
"67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "7898ef9b-7e02-4f57-bcd0-ca857406c928", - "description": "Add control implementation description here for statement ac-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4ab99b74-4fb0-4bc7-9e79-c5aa2540f8aa", + "description": "Add control implementation description here for item ca-7_smt.c" + } + ] + }, + { + "statement-id": "ca-7_smt.d", + "uuid": "48690e07-bb36-4341-a009-8cee7b6aefe3", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0943f29c-72fa-41a4-bb35-7acdb6d95959", + "description": "Add control implementation description here for item ca-7_smt.d" + } + ] + }, + { + "statement-id": "ca-7_smt.e", + "uuid": "b8edf63e-fb51-4923-a43c-cc85020ce738", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "45e45e6b-4e6e-4cd6-97a3-59c2edbe3eab", + "description": "Add control implementation description here for item ca-7_smt.e" + } + ] + }, + { + "statement-id": "ca-7_smt.f", + "uuid": "94997bc4-78bb-4e77-9b43-720ce3db9a06", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1fd09f29-b723-4359-b0b7-522faa4787db", + "description": "Add control implementation description here for item ca-7_smt.f" + } + ] + }, + { + "statement-id": "ca-7_smt.g", + "uuid": "157b987f-142c-463a-ac6a-f35d3db279ac", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0f14198e-34ea-4795-8c2a-ad8615aa8f18", + "description": "Add control implementation description here for item ca-7_smt.g" } ] } ] }, { - "uuid": "f1f0b260-cc63-44ef-8dab-971617ac6647", - "control-id": "ac-1", + "uuid": "880a47ca-4f9a-4a00-b334-8273841bad44", + "control-id": "ca-7.4", "statements": [ { - "statement-id": "ac-1_smt.c", - "uuid": "60b85fab-f113-4d9b-a4b4-c046d45174e6", + "statement-id": "ca-7.4_smt.a", + "uuid": "bd19d2dd-db1b-4f72-9489-9019e050f669", + 
"by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1e780336-8ad5-4dc4-88aa-4e59b22ded09", + "description": "Add control implementation description here for item ca-7.4_smt.a" + } + ] + }, + { + "statement-id": "ca-7.4_smt.b", + "uuid": "4b130725-4c65-4c29-85a5-edc7ae52ab83", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d1594072-d75b-44d5-8af3-890e6a263686", + "description": "Add control implementation description here for item ca-7.4_smt.b" + } + ] + }, + { + "statement-id": "ca-7.4_smt.c", + "uuid": "a97e90d0-5d0a-4d09-88e4-9eeeee943a74", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "53d018c9-129d-49bf-87f4-8912e6bcceab", - "description": "Add control implementation description here for statement ac-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d29951f8-838d-4ec8-9654-54bbf5487b55", + "description": "Add control implementation description here for item ca-7.4_smt.c" } ] } ] }, { - "uuid": "501ea663-2f85-42ed-a617-4c29ebd69261", - "control-id": "ma-2", + "uuid": "9ef03fd9-8d15-4a0f-a2a3-1296a23ca3a2", + "control-id": "ca-9", "statements": [ { - "statement-id": "ma-2_smt.a", - "uuid": "7acd3ff1-1ac9-4a25-b5c3-a83cf5cb5cbf", + "statement-id": "ca-9_smt.a", + "uuid": "38fef2c2-c748-4e92-8ce5-44999de1caab", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "d2cd736f-e204-490d-b9ce-78660d6417b8", - "description": "Add control implementation description here for statement ma-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ccb5e4ef-12f5-4797-ab22-0a0074f2376f", + "description": "Add control implementation description here for item ca-9_smt.a" } ] - } - ] - }, - { - "uuid": "a32ee91a-a0ad-4f7f-a441-6aea4035d00c", - "control-id": "ma-2", - "statements": [ + }, { - "statement-id": "ma-2_smt.b", - "uuid": 
"725ca63e-bb6d-4887-8903-7f50777da36f", + "statement-id": "ca-9_smt.b", + "uuid": "226f1082-542a-4316-a958-586f9d36e647", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "bc2bbd74-8c87-4d4a-b304-949eb4ded96f", - "description": "Add control implementation description here for statement ma-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "bda8f419-45a7-4944-af95-543a1b4a0540", + "description": "Add control implementation description here for item ca-9_smt.b" } ] - } - ] - }, - { - "uuid": "c4b5bb1c-9556-44af-9c8b-18de07e08986", - "control-id": "ma-2", - "statements": [ + }, { - "statement-id": "ma-2_smt.c", - "uuid": "cfb3f18f-4848-4f2e-b155-9069f53df921", + "statement-id": "ca-9_smt.c", + "uuid": "6c2cce54-bf49-40c9-987e-400f20378dbd", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c6ab2062-22e7-4fd4-960e-35bde2089897", - "description": "Add control implementation description here for statement ma-2_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "9e7c5168-34d4-4979-b5be-010ce462289c", + "description": "Add control implementation description here for item ca-9_smt.c" } ] - } - ] - }, - { - "uuid": "cc00ff3e-21a4-41b6-82e4-cffd7395ac2f", - "control-id": "ma-2", - "statements": [ + }, { - "statement-id": "ma-2_smt.d", - "uuid": "42861fd0-cf2c-444c-aa24-a4933866cf23", + "statement-id": "ca-9_smt.d", + "uuid": "56685481-56a2-4b1a-9684-634c8ab146b7", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "87a6aaad-7a53-49ea-9432-b1e0bace94e8", - "description": "Add control implementation description here for statement ma-2_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "cb2d0015-150f-42ca-af25-240a89635504", + "description": "Add control implementation description here for item ca-9_smt.d" } ] } ] }, { - "uuid": "dc6385d5-2f62-4c98-b1e4-7a8e00aaa8df", - 
"control-id": "ma-2", + "uuid": "5dde093d-a561-44a6-be01-d08479260e2d", + "control-id": "cm-1", "statements": [ { - "statement-id": "ma-2_smt.e", - "uuid": "b417ccaf-9e69-4827-a116-ade1e11c78e9", + "statement-id": "cm-1_smt.a", + "uuid": "19432734-6571-4a20-b9ab-eddaee8a5ee0", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "3ae7cbc9-cc82-44fb-9ad9-92599c7f3940", - "description": "Add control implementation description here for statement ma-2_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "06e1a306-a04a-4024-81ad-4e5c1533bc4f", + "description": "Add control implementation description here for item cm-1_smt.a" } ] - } - ] - }, - { - "uuid": "48d2ec63-4491-420f-b4a7-1018d59b432c", - "control-id": "ma-2", - "statements": [ + }, { - "statement-id": "ma-2_smt.f", - "uuid": "cdd278aa-1143-4269-9ab5-4acd549e4b93", + "statement-id": "cm-1_smt.b", + "uuid": "e8b5773e-2408-4917-820c-2442d503e34d", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "12457f1d-b349-4102-9ff6-205a34a43c19", - "description": "Add control implementation description here for statement ma-2_smt.f" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "9f330efd-c826-4890-b739-b19b72d68a0f", + "description": "Add control implementation description here for item cm-1_smt.b" } ] - } - ] - }, - { - "uuid": "170fe5c2-a111-4a5b-81be-d91276b0be7e", - "control-id": "ma-5", - "statements": [ + }, { - "statement-id": "ma-5_smt.a", - "uuid": "61c0a2d2-4303-4a99-b8f3-63c46132f28e", + "statement-id": "cm-1_smt.c", + "uuid": "7534003f-491e-410e-a69b-93ccc9025f16", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "6ad9c898-99fb-470f-a35c-cfd96783a269", - "description": "Add control implementation description here for statement ma-5_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c690dbf2-0370-4f80-9451-43e731664278", 
+ "description": "Add control implementation description here for item cm-1_smt.c" } ] } ] }, { - "uuid": "a315c040-e97e-4192-81f4-466cf1771a15", - "control-id": "ma-5", + "uuid": "8e5998c5-a464-4082-8418-63ad19915c1c", + "control-id": "cm-2", "statements": [ { - "statement-id": "ma-5_smt.b", - "uuid": "9dd835b6-282b-460d-91ae-56685f179156", + "statement-id": "cm-2_smt.a", + "uuid": "d53861fa-8de4-4c3b-8501-c6a8432bd2e8", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "6cbf4626-9480-48d4-8d20-d7d9f70d3258", - "description": "Add control implementation description here for statement ma-5_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "aae7d42a-595c-4e3c-9dec-2fdc43a36c91", + "description": "Add control implementation description here for item cm-2_smt.a" } ] - } - ] - }, - { - "uuid": "51e5c75f-9c41-4969-b863-04f93505d1b8", - "control-id": "ma-5", - "statements": [ + }, { - "statement-id": "ma-5_smt.c", - "uuid": "00b04160-3094-4266-a848-bc423d1199e0", + "statement-id": "cm-2_smt.b", + "uuid": "cfcabd0c-a303-4ca2-801a-a56d606147e8", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "fcbbb586-6d5e-4d90-9187-da8bb3e9dbf5", - "description": "Add control implementation description here for statement ma-5_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "fa677992-c1d9-4e71-a1a7-61447a4d78a5", + "description": "Add control implementation description here for item cm-2_smt.b" } ] } ] }, { - "uuid": "33bb765f-e7e5-4275-9469-a42680dec0f7", - "control-id": "ma-1", + "uuid": "eb8faf31-1115-4c65-b010-144260439efb", + "control-id": "cm-4", "statements": [ { - "statement-id": "ma-1_smt.a", - "uuid": "4f28b5d3-df6b-4d94-a8df-fb60378099ba", + "statement-id": "cm-4_smt", + "uuid": "54b0e537-b687-40be-af54-9484e7c2f9e2", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": 
"62e38c72-ba44-4bcb-9228-6673e5f2d2a0", - "description": "Add control implementation description here for statement ma-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b2f5f98a-6db1-45ef-a1d4-c009c81af006", + "description": "Add control implementation description here for control cm-4" } ] } ] }, { - "uuid": "53b9a9dc-8b07-4777-b00f-30457f4d31ed", - "control-id": "ma-1", + "uuid": "620ba024-cbf8-4257-93d0-9aca55c75664", + "control-id": "cm-5", "statements": [ { - "statement-id": "ma-1_smt.b", - "uuid": "efe6aea3-8321-4ff4-bf87-f4218c6bd822", + "statement-id": "cm-5_smt", + "uuid": "44044157-f248-47b6-81a4-62f50188d7c1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "92f4f0ed-04b7-4ca0-9b85-b1b6e4135b93", - "description": "Add control implementation description here for statement ma-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "61201a01-428c-4acd-979f-e093538b0225", + "description": "Add control implementation description here for control cm-5" } ] } ] }, { - "uuid": "0506610e-b4f3-4aa6-90f9-50e0adabbb76", - "control-id": "ma-1", + "uuid": "f8214d48-bc88-4ab7-8c1e-84bb1368b19b", + "control-id": "cm-6", "statements": [ { - "statement-id": "ma-1_smt.c", - "uuid": "b1f15a42-a66a-4ae7-8fa9-c9465fa535c4", + "statement-id": "cm-6_smt.a", + "uuid": "0a4040a1-b923-4ce3-97d3-a50f36183d01", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "0ab006be-6f1f-4b74-bc80-9420d7c64e26", - "description": "Add control implementation description here for statement ma-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f9584a49-9135-4d64-ae3e-34757f432a0b", + "description": "Add control implementation description here for item cm-6_smt.a" } ] - } - ] - }, - { - "uuid": "2a6dc069-9be2-41a8-9109-545c1bd5ebfa", - "control-id": "ma-4", - "statements": [ + }, { - "statement-id": "ma-4_smt.a", - "uuid": 
"3ede6c05-4cc3-4c27-946b-cb18886dfff8", + "statement-id": "cm-6_smt.b", + "uuid": "9a874b55-542f-4873-92c6-1e55920e1f9e", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "42a60413-ad27-4960-b52a-0778417fc604", - "description": "Add control implementation description here for statement ma-4_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "22ad4021-bb60-44be-98dd-bf2bc61a2338", + "description": "Add control implementation description here for item cm-6_smt.b" } ] - } - ] - }, - { - "uuid": "9fd86a88-93c0-4507-a61d-85c13e4b5af1", - "control-id": "ma-4", - "statements": [ + }, { - "statement-id": "ma-4_smt.b", - "uuid": "2209629a-ad88-46fb-a3a2-265d46fb6594", + "statement-id": "cm-6_smt.c", + "uuid": "02d5e586-1854-4f8a-8674-da59204be98b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "943526ae-8119-4376-9a44-29bc6eda126f", - "description": "Add control implementation description here for statement ma-4_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0655a7e1-9884-48b9-968b-bef78b88539c", + "description": "Add control implementation description here for item cm-6_smt.c" } ] - } - ] - }, - { - "uuid": "e90066db-2b9b-4b23-bb54-1f831eddf514", - "control-id": "ma-4", - "statements": [ + }, { - "statement-id": "ma-4_smt.c", - "uuid": "e1885ad8-e963-49a6-8235-635f791e1bf5", + "statement-id": "cm-6_smt.d", + "uuid": "f8b0fe45-e840-47af-81e4-59af4e3357e0", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "6152ebd7-8bd9-444b-a0e9-18316150009b", - "description": "Add control implementation description here for statement ma-4_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "63e84e1d-401a-4374-935f-cde6663d333b", + "description": "Add control implementation description here for item cm-6_smt.d" } ] } ] }, { - "uuid": "1a7593c0-3079-4a4b-86b3-f5c2d5ff5fd3", - 
"control-id": "ma-4", + "uuid": "21f4aeae-a285-4c6b-96c5-660a685e38b5", + "control-id": "cm-7", "statements": [ { - "statement-id": "ma-4_smt.d", - "uuid": "15477a57-f602-42b4-ab57-9a61b76192ee", + "statement-id": "cm-7_smt.a", + "uuid": "2360c85e-a7b6-417c-9ac0-9ced66e9f500", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "58b7cbd8-c2c6-48d5-bf34-d70145c68085", - "description": "Add control implementation description here for statement ma-4_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "626b7712-58ac-43b9-b6b1-3eb4372b876f", + "description": "Add control implementation description here for item cm-7_smt.a" } ] - } - ] - }, - { - "uuid": "0a31b3d6-0603-4ad7-b731-22588f37bace", - "control-id": "ma-4", - "statements": [ + }, { - "statement-id": "ma-4_smt.e", - "uuid": "1c406c29-ab30-42e1-b9c4-72d499e153e6", + "statement-id": "cm-7_smt.b", + "uuid": "86e48acc-0a7b-49a7-817b-72d88459cb6b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "e13051ee-9abd-4c9e-8d8f-ecb8d6ad6157", - "description": "Add control implementation description here for statement ma-4_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "5f63a1cc-a984-40a8-ac9d-a3d2fe8b4380", + "description": "Add control implementation description here for item cm-7_smt.b" } ] } ] }, { - "uuid": "9716c434-aa8c-47bd-a7a7-ff6a21747536", - "control-id": "ir-8", + "uuid": "91f09af6-3ee5-4916-85f2-22462926d86b", + "control-id": "cm-8", "statements": [ { - "statement-id": "ir-8_smt.a", - "uuid": "a219936a-27c5-42bc-99e9-8b3c4cf3687e", + "statement-id": "cm-8_smt.a", + "uuid": "22f3a8eb-f6fb-4b71-86da-8e006ff1ed22", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "53cf5765-6eb6-4011-8e04-509fb563fb96", - "description": "Add control implementation description here for statement ir-8_smt.a" + "component-uuid": 
"97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "41666b31-8c7e-4826-b2df-74b230b5f0ac", + "description": "Add control implementation description here for item cm-8_smt.a" } ] - } - ] - }, - { - "uuid": "8b43367c-8c07-413e-9119-a4bfee06c3c9", - "control-id": "ir-8", - "statements": [ + }, { - "statement-id": "ir-8_smt.b", - "uuid": "d51ee6b0-3a60-4c40-9e3d-13f910dc566e", + "statement-id": "cm-8_smt.b", + "uuid": "c674e54e-e614-416e-8542-70f913e317c8", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "6160b91c-c04d-40bd-9df2-1f947f1b9f76", - "description": "Add control implementation description here for statement ir-8_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1136fd03-34df-4236-94e3-f659f2164f7f", + "description": "Add control implementation description here for item cm-8_smt.b" } ] } ] }, { - "uuid": "2c8fafde-9a05-4536-b0c0-1a662adde30d", - "control-id": "ir-8", + "uuid": "2b84bdf9-f70d-4a60-921d-e139b55ed63d", + "control-id": "cm-10", "statements": [ { - "statement-id": "ir-8_smt.c", - "uuid": "7f8e6385-c512-457a-a464-2a807dbd6bc6", + "statement-id": "cm-10_smt.a", + "uuid": "b7b3caa6-b594-457c-b720-e1c1929a2736", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "24d8a49a-76d9-4a29-ac7b-f42975318f63", - "description": "Add control implementation description here for statement ir-8_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "2cab5c7a-9cb8-4aa8-9684-b389cd64c8f1", + "description": "Add control implementation description here for item cm-10_smt.a" } ] - } - ] - }, - { - "uuid": "75ad577c-e249-4d0e-ad18-3a538a28f024", - "control-id": "ir-8", - "statements": [ + }, { - "statement-id": "ir-8_smt.d", - "uuid": "720ac12d-ac63-4429-86c5-c447713729e8", + "statement-id": "cm-10_smt.b", + "uuid": "4bb3ee2d-4bab-4e36-bd62-a88c540c83c3", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - 
"uuid": "a4225154-fe23-413a-a5b4-9c7846975282", - "description": "Add control implementation description here for statement ir-8_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "e3736365-2e42-44de-96a6-ee0a0f688cc1", + "description": "Add control implementation description here for item cm-10_smt.b" } ] - } - ] - }, - { - "uuid": "00ac705d-7565-43fb-b8ce-e1e46e3cf82d", - "control-id": "ir-8", - "statements": [ + }, { - "statement-id": "ir-8_smt.e", - "uuid": "e0b0521b-5a6b-4a01-b9ae-e792717a565e", + "statement-id": "cm-10_smt.c", + "uuid": "cc29c0f1-1cc3-413b-a102-2a3f8a0cbf30", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "6dffcf9a-a61c-458d-ab8f-39f74ce3974c", - "description": "Add control implementation description here for statement ir-8_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "9df4d6b3-b69f-4f30-ad2e-0e6bb9c800af", + "description": "Add control implementation description here for item cm-10_smt.c" } ] } ] }, { - "uuid": "d41fc1da-2545-4466-ba4c-fa003c724df0", - "control-id": "ir-6", + "uuid": "572cdd86-e33c-41c6-990e-d6170b0571cf", + "control-id": "cm-11", "statements": [ { - "statement-id": "ir-6_smt.a", - "uuid": "f17a5806-253f-443a-a70c-69e27a703c0e", + "statement-id": "cm-11_smt.a", + "uuid": "f72cf780-e662-46bf-a3a1-bbc9d6e0bcbb", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "22bfb924-94f6-4ab1-b04e-39d1004afe67", - "description": "Add control implementation description here for statement ir-6_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "41da5241-61c7-4a75-9b32-3cd8c1cd0698", + "description": "Add control implementation description here for item cm-11_smt.a" } ] - } - ] - }, - { - "uuid": "59d76663-5ab0-4dfe-a868-8df137386497", - "control-id": "ir-6", - "statements": [ + }, { - "statement-id": "ir-6_smt.b", - "uuid": "68d200ab-c38d-42b3-8b3a-cc19742fa676", + 
"statement-id": "cm-11_smt.b", + "uuid": "cb27669d-a74a-4309-9dd6-8cc2e67c70b3", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "d15b6658-45fb-4b5e-9bc5-55c0b85b15bf", - "description": "Add control implementation description here for statement ir-6_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "74dc5ada-7ea7-4b1d-9b5f-53080e7c8d00", + "description": "Add control implementation description here for item cm-11_smt.b" } ] - } - ] - }, - { - "uuid": "9b7f2384-6af7-4b58-ad58-3bbf907a9faa", - "control-id": "ir-2", - "statements": [ + }, { - "statement-id": "ir-2_smt.a", - "uuid": "1839cfd3-8cea-4443-8848-d3bb8c5376f4", + "statement-id": "cm-11_smt.c", + "uuid": "31d4ce68-297c-4051-b49d-fc0e2b9ad30c", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "6bb3f393-174a-4d94-a698-00e4f8cab994", - "description": "Add control implementation description here for statement ir-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c7767526-6201-4640-b151-144e98f18f81", + "description": "Add control implementation description here for item cm-11_smt.c" } ] } ] }, { - "uuid": "58f48479-2b43-4a42-94d9-6e7689dd5212", - "control-id": "ir-2", + "uuid": "6f5473fc-78e9-439d-878f-3d915dc8f756", + "control-id": "cp-1", "statements": [ { - "statement-id": "ir-2_smt.b", - "uuid": "200c1559-f048-4576-a74a-e7ef17b2d945", + "statement-id": "cp-1_smt.a", + "uuid": "3311daf1-bcf3-406f-b242-e7e0cbac6a36", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "971afcf5-4cbb-4617-88fc-1b647c18cfe0", - "description": "Add control implementation description here for statement ir-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "10c3fec4-d7f8-4d9b-b2dc-3a5335c7d141", + "description": "Add control implementation description here for item cp-1_smt.a" } ] - } - ] - }, - { - "uuid": 
"1be80703-4d72-40d9-a1a1-b0aef9539c98", - "control-id": "ir-4", - "statements": [ + }, { - "statement-id": "ir-4_smt.a", - "uuid": "f38b3b12-1bff-44e3-bb3b-75f789380d31", + "statement-id": "cp-1_smt.b", + "uuid": "bb42698e-e326-4e36-a4b2-2207da7dda00", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "72902a5e-33ef-4b13-acc7-cf18bb773374", - "description": "Add control implementation description here for statement ir-4_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "da22aaa3-b5f7-48cc-9cd8-ce329cab7e82", + "description": "Add control implementation description here for item cp-1_smt.b" } ] - } - ] - }, - { - "uuid": "7f17f5ce-8961-46f7-8108-3a7c94aaf130", - "control-id": "ir-4", - "statements": [ + }, { - "statement-id": "ir-4_smt.b", - "uuid": "7b23f75b-ac84-40a2-8da2-1c06efca7849", + "statement-id": "cp-1_smt.c", + "uuid": "575c25b0-3cf3-4ad2-95ea-71966fb3e4c7", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "2117f9a8-122a-422e-ac69-6e74b54e4699", - "description": "Add control implementation description here for statement ir-4_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "54ad863a-3fdf-492d-bddb-05326442ed0e", + "description": "Add control implementation description here for item cp-1_smt.c" } ] } ] }, { - "uuid": "84eafa9a-1376-4b71-a170-1fa3eebbdb7f", - "control-id": "ir-4", + "uuid": "0ed0e4c3-cdf1-40f7-b92b-691bdba58136", + "control-id": "cp-2", "statements": [ { - "statement-id": "ir-4_smt.c", - "uuid": "763b3997-245f-4652-858d-aa7526120c2a", + "statement-id": "cp-2_smt.a", + "uuid": "5c0a1bfe-2ab9-404e-92d6-73694ab6e335", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "425d4e24-9134-425d-a1d3-52aef1d12177", - "description": "Add control implementation description here for statement ir-4_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": 
"f7949101-1157-43ee-acb2-d488e575154d", + "description": "Add control implementation description here for item cp-2_smt.a" } ] - } - ] - }, - { - "uuid": "47fadb69-90e1-4a47-9a9c-43c3abfcb40a", - "control-id": "ir-4", - "statements": [ + }, { - "statement-id": "ir-4_smt.d", - "uuid": "a9cb7394-0f4d-4d7b-8abb-0e63880891e9", + "statement-id": "cp-2_smt.b", + "uuid": "b1571801-7ab2-41b0-81b9-3c3e3430cc53", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "80390acd-81c1-440d-bf3e-bc78b50f9608", - "description": "Add control implementation description here for statement ir-4_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b42a2a93-a42d-4148-99f0-23d84f8a52b0", + "description": "Add control implementation description here for item cp-2_smt.b" } ] - } - ] - }, - { - "uuid": "36f1c96f-0aee-48fc-809b-45ad7121583d", - "control-id": "ir-1", - "statements": [ + }, { - "statement-id": "ir-1_smt.a", - "uuid": "d280ecbe-8fc1-47cf-8d8e-57cf3a2b3cd4", + "statement-id": "cp-2_smt.c", + "uuid": "c2664f6b-a7ac-47bd-b3c4-6641fada9360", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "1d9b3c84-5684-4eab-820f-451db904a61d", - "description": "Add control implementation description here for statement ir-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ac63af4a-eaa0-47b3-a227-681db13b5b70", + "description": "Add control implementation description here for item cp-2_smt.c" } ] - } - ] - }, - { - "uuid": "c3960fa9-fea8-45d6-924d-728dbe15b255", - "control-id": "ir-1", - "statements": [ + }, { - "statement-id": "ir-1_smt.b", - "uuid": "e015b666-8d7f-4b22-9d86-c24daada50b1", + "statement-id": "cp-2_smt.d", + "uuid": "667ce5b7-e0b5-420e-8e48-2ce377b24db4", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "cca379f6-6aee-4a2b-bec9-5c81caaa2bd1", - "description": "Add control implementation description here for 
statement ir-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f0e7bb9d-abee-46c4-a58e-35cb02488396", + "description": "Add control implementation description here for item cp-2_smt.d" } ] - } - ] - }, - { - "uuid": "b36904ab-8146-4d96-ba94-6f2e9b0910f9", - "control-id": "ir-1", - "statements": [ + }, { - "statement-id": "ir-1_smt.c", - "uuid": "5ff5f4b5-aae5-4b0c-8145-154ab1c66c2c", + "statement-id": "cp-2_smt.e", + "uuid": "c7294914-3177-4778-8efa-8d00bd3ba3c7", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "6a46483c-1df8-4670-90d3-70d2070b3c37", - "description": "Add control implementation description here for statement ir-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "6c12447a-ad59-4e22-8f39-45ec3dce2d9b", + "description": "Add control implementation description here for item cp-2_smt.e" } ] - } - ] - }, - { - "uuid": "7a0f18d8-4116-45b4-bca7-cfc7ed31a3d7", - "control-id": "ca-5", - "statements": [ + }, { - "statement-id": "ca-5_smt.a", - "uuid": "5d212861-ad3b-46f4-9eeb-6ae9d12eaa21", + "statement-id": "cp-2_smt.f", + "uuid": "d160bd3a-8518-4173-9ff9-44d47397f7f6", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "261adaff-8c29-4946-a429-b847b4a7981d", - "description": "Add control implementation description here for statement ca-5_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "265d06c7-9960-4fc6-954f-18b8278df833", + "description": "Add control implementation description here for item cp-2_smt.f" } ] - } - ] - }, - { - "uuid": "4b57b7ac-17e5-4ad3-a0ad-011630c97ef4", - "control-id": "ca-5", - "statements": [ + }, + { + "statement-id": "cp-2_smt.g", + "uuid": "dab50fe9-6a81-4922-8df5-027517d2b9ae", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "6e736060-bfce-477b-87c9-87785cf48765", + "description": "Add control implementation 
description here for item cp-2_smt.g" + } + ] + }, { - "statement-id": "ca-5_smt.b", - "uuid": "c80dc9a0-1690-4980-a3ef-fa6f00c2b998", + "statement-id": "cp-2_smt.h", + "uuid": "3a187b12-6923-4770-8a38-7a2e5b78cafc", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f71e2509-2951-4ab5-bf8e-8dc3c59f6681", - "description": "Add control implementation description here for statement ca-5_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "6ca2d958-a4d7-47d7-a959-e9961fb89d23", + "description": "Add control implementation description here for item cp-2_smt.h" } ] } ] }, { - "uuid": "2ce31377-985b-472e-9e7b-50c33da0f05e", - "control-id": "ca-1", + "uuid": "f1feafef-95e7-440a-a1a4-e06f729da9df", + "control-id": "cp-3", "statements": [ { - "statement-id": "ca-1_smt.a", - "uuid": "d89a8471-505c-4f1b-abea-a7c9f275b4b7", + "statement-id": "cp-3_smt.a", + "uuid": "bf5394e0-8954-489c-9afb-0bfd7befbb01", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b6ffe057-39b0-4050-b3b4-0dbed8e4c0bd", - "description": "Add control implementation description here for statement ca-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "02d17edd-885e-4603-ae79-a69531c1395e", + "description": "Add control implementation description here for item cp-3_smt.a" } ] - } - ] - }, - { - "uuid": "cfbc8890-57c2-4d1c-b914-01807c4d45d2", - "control-id": "ca-1", - "statements": [ + }, { - "statement-id": "ca-1_smt.b", - "uuid": "755a78c8-23a1-48a9-94ac-1bb2d213e2c4", + "statement-id": "cp-3_smt.b", + "uuid": "ee7f46f8-dcf8-48b6-baad-d0f34d0e8c05", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "044144a0-dd83-4052-87c6-e1d469017fdc", - "description": "Add control implementation description here for statement ca-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "03bd0b0f-1151-4839-9dcb-b6440b77e05d", + 
"description": "Add control implementation description here for item cp-3_smt.b" } ] } ] }, { - "uuid": "2e9a8a82-58d2-462a-b19a-2306f018ddb7", - "control-id": "ca-1", + "uuid": "f58adecb-f6aa-4997-9da7-42d59051ead2", + "control-id": "cp-4", "statements": [ { - "statement-id": "ca-1_smt.c", - "uuid": "648b4fa5-5c1b-4693-a3bd-bf15d84ce16e", + "statement-id": "cp-4_smt.a", + "uuid": "04e46863-8501-4249-9639-babec8daf767", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "215ae68f-2652-4ff6-8e6d-e32bd21ef2a4", - "description": "Add control implementation description here for statement ca-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "7e18b9f5-c676-467d-a360-b0b6ea6758fd", + "description": "Add control implementation description here for item cp-4_smt.a" } ] - } - ] - }, - { - "uuid": "04b24821-31f1-4faf-8484-1a38bd59842f", - "control-id": "ca-9", - "statements": [ + }, { - "statement-id": "ca-9_smt.a", - "uuid": "8f7d2873-f327-468a-8398-e39dc933d707", + "statement-id": "cp-4_smt.b", + "uuid": "1d8aff09-fe04-457f-9f5e-8a03ba70adee", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "802bb467-baeb-4ea3-b72b-1647a91cfe4c", - "description": "Add control implementation description here for statement ca-9_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0f06e521-bb30-4be4-8c67-2fa2161a21a7", + "description": "Add control implementation description here for item cp-4_smt.b" } ] - } - ] - }, - { - "uuid": "9e77e815-24cd-4d27-8420-92bcb68e2b6c", - "control-id": "ca-9", - "statements": [ + }, { - "statement-id": "ca-9_smt.b", - "uuid": "8f1aaa7e-c591-4c2f-8f76-cfd54fc6b3e4", + "statement-id": "cp-4_smt.c", + "uuid": "7e79250a-64a4-4549-b257-9d71b8efccea", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "4afbe88a-6a31-4186-ba58-8bd411e36e13", - "description": "Add control implementation 
description here for statement ca-9_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f4af08b8-2b10-4bc1-b77a-42af7e64f9d9", + "description": "Add control implementation description here for item cp-4_smt.c" } ] } ] }, { - "uuid": "8e11c7ba-0321-463a-a1c7-4d451fdde4fb", - "control-id": "ca-9", + "uuid": "69b400f4-6e05-473c-aecb-56117d090832", + "control-id": "cp-9", "statements": [ { - "statement-id": "ca-9_smt.c", - "uuid": "766fc6bd-cc49-48d5-8593-cd343d6f5c79", + "statement-id": "cp-9_smt.a", + "uuid": "4cf5e062-154e-46cb-aac9-ac1a61aabf06", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "31cfd0a3-4fa2-474c-b7e0-0b924a17de6c", - "description": "Add control implementation description here for statement ca-9_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "88e34b0f-3215-485d-92ee-2956574da9f8", + "description": "Add control implementation description here for item cp-9_smt.a" } ] - } - ] - }, - { - "uuid": "a0542c78-0f99-4f8b-a2f8-be467a80768e", - "control-id": "ca-9", - "statements": [ + }, { - "statement-id": "ca-9_smt.d", - "uuid": "fe42a34d-8c52-4797-8593-24fb8b109a4e", + "statement-id": "cp-9_smt.b", + "uuid": "fd5b7748-8eff-4729-bdce-e6a63ea2ed65", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "41424549-1c0c-436f-bc9d-7e2ff594f819", - "description": "Add control implementation description here for statement ca-9_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "419d3ca9-af06-432d-874d-1fad1418d33b", + "description": "Add control implementation description here for item cp-9_smt.b" } ] - } - ] - }, - { - "uuid": "c9445a1b-db5f-443a-ba3b-60c189d31851", - "control-id": "ca-7.4", - "statements": [ + }, { - "statement-id": "ca-7.4_smt.a", - "uuid": "c125e9ae-1195-4fb2-818a-da45ebf4ed65", + "statement-id": "cp-9_smt.c", + "uuid": "91b3a750-dc9d-4938-a3c4-161b288c79aa", "by-components": [ { - 
"component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "9acfae4d-6f53-4999-a2bc-86ad13a6a328", - "description": "Add control implementation description here for statement ca-7.4_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f1650f6e-fc51-4bd2-99a6-b9b57af6bac0", + "description": "Add control implementation description here for item cp-9_smt.c" } ] - } - ] - }, - { - "uuid": "45a632c9-7920-4de2-979b-b07101e5efb9", - "control-id": "ca-7.4", - "statements": [ + }, { - "statement-id": "ca-7.4_smt.b", - "uuid": "017a56b7-3bcf-4cc5-b733-9f51e3ddc157", + "statement-id": "cp-9_smt.d", + "uuid": "2dada1af-c281-4aa5-a886-63166a52be72", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f615571a-7876-4633-9e60-b06461f8b002", - "description": "Add control implementation description here for statement ca-7.4_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "619ab715-ac1a-4df0-8b15-923b7a5813d4", + "description": "Add control implementation description here for item cp-9_smt.d" } ] } ] }, { - "uuid": "71375bd4-7267-4f0e-9cb1-364448bb19cc", - "control-id": "ca-7.4", + "uuid": "586ce779-c751-425e-b61f-13e3a43801e2", + "control-id": "cp-10", "statements": [ { - "statement-id": "ca-7.4_smt.c", - "uuid": "f7a23d6f-0ac0-4765-b02d-ad8c5cf43964", + "statement-id": "cp-10_smt", + "uuid": "6fe19d4c-b467-494b-93ee-6cffbc48930f", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "e7bbb410-d3e5-4e9b-a134-853eb3e8c88a", - "description": "Add control implementation description here for statement ca-7.4_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b341c282-52a9-45ec-8f6c-15faa60e0ff7", + "description": "Add control implementation description here for control cp-10" } ] } ] }, { - "uuid": "7c1eb7b8-5e52-4842-b9f1-a58460212c77", - "control-id": "ca-6", + "uuid": "5a8a12ac-cac8-4e69-b51d-0907119130da", + 
"control-id": "ia-1", "statements": [ { - "statement-id": "ca-6_smt.a", - "uuid": "6ba23ce6-b316-4532-bd7f-0467faf98c35", + "statement-id": "ia-1_smt.a", + "uuid": "b5db0927-4d5e-48bb-ae92-9ccfb3e4793a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "3fb8830c-b329-466f-8d54-cbca66c9089c", - "description": "Add control implementation description here for statement ca-6_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "09c75b3e-1e5d-4464-9a74-890d30006c56", + "description": "Add control implementation description here for item ia-1_smt.a" } ] - } - ] - }, - { - "uuid": "beab0861-5d63-4174-bd21-2c26212322f1", - "control-id": "ca-6", - "statements": [ + }, { - "statement-id": "ca-6_smt.b", - "uuid": "dfe9f986-b351-43b4-9f48-03566dbfb88a", + "statement-id": "ia-1_smt.b", + "uuid": "29aa7f1d-af3c-4dd6-b619-f89eff1e6c7e", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b7caf076-dd1a-4f2d-904a-7f784b66b725", - "description": "Add control implementation description here for statement ca-6_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "e71f475b-bc5b-4063-938c-8cf9bd643a1d", + "description": "Add control implementation description here for item ia-1_smt.b" } ] - } - ] - }, - { - "uuid": "383611c0-fe55-4c25-992c-7084bd8c3b74", - "control-id": "ca-6", - "statements": [ + }, { - "statement-id": "ca-6_smt.c", - "uuid": "511c68f5-e399-4fd1-8bbe-4406378beb33", + "statement-id": "ia-1_smt.c", + "uuid": "3946c5d4-4650-4b87-8d40-9957819e73e4", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "00f5fe2a-ac13-431e-9da2-34b3d5e4a7b1", - "description": "Add control implementation description here for statement ca-6_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "9b4b35dc-15e5-4394-a493-3f9195260044", + "description": "Add control implementation description here for item 
ia-1_smt.c" } ] } ] }, { - "uuid": "894edef9-9672-4613-9510-bdfedf1734a2", - "control-id": "ca-6", + "uuid": "629d2342-6e52-4676-ae35-0900c76a45ca", + "control-id": "ia-2", "statements": [ { - "statement-id": "ca-6_smt.d", - "uuid": "6467c0bc-0445-482d-bec7-c2c187d71780", + "statement-id": "ia-2_smt", + "uuid": "221c07b7-de12-41ea-a4a4-2bf1f1335d11", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f1ace332-c0b1-4d47-b685-bc28e11a060e", - "description": "Add control implementation description here for statement ca-6_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "e5682c13-0a8c-40e5-a070-257d39934631", + "description": "Add control implementation description here for control ia-2" } ] } ] }, { - "uuid": "38067961-4360-4387-a5a2-3e142097bce3", - "control-id": "ca-6", + "uuid": "67ad17f8-1687-4733-a3dd-ee470987f7d5", + "control-id": "ia-2.1", "statements": [ { - "statement-id": "ca-6_smt.e", - "uuid": "197c464d-3a01-4b4c-8fa4-2ca3d5ce3017", + "statement-id": "ia-2.1_smt", + "uuid": "394cf090-5204-4953-8e8e-a32ced8c46f1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "19847d97-df7f-4228-8f5c-607f930f6e83", - "description": "Add control implementation description here for statement ca-6_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "e7802707-be16-4e63-a17b-b5ddde519722", + "description": "Add control implementation description here for control ia-2.1" } ] } ] }, { - "uuid": "3ac21ae8-9470-404b-85ef-cefa910fcc2b", - "control-id": "ca-2", + "uuid": "76edc0a7-653b-4304-8cd1-6b9b045c2f47", + "control-id": "ia-2.2", "statements": [ { - "statement-id": "ca-2_smt.a", - "uuid": "9ca2c993-a671-4eb7-a96f-1a45c07c1f9d", + "statement-id": "ia-2.2_smt", + "uuid": "b7722336-13b4-4fdf-a372-9574bf60ca1b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c648ddd0-58fe-4b2a-8b53-aae24e6053c8", - 
"description": "Add control implementation description here for statement ca-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "24c548ee-6477-4340-b318-991fda44ec6d", + "description": "Add control implementation description here for control ia-2.2" } ] } ] }, { - "uuid": "2e02e3d8-4338-4137-bd51-fffb0b2e7f82", - "control-id": "ca-2", + "uuid": "5b8adb08-2a58-4b99-b403-14e03562cea7", + "control-id": "ia-2.8", "statements": [ { - "statement-id": "ca-2_smt.b", - "uuid": "9fde8549-5031-4cfa-8119-1e7f1382b451", + "statement-id": "ia-2.8_smt", + "uuid": "449c8ff2-30cf-48c5-aa7c-f4699e2f2763", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "eaf82647-ca25-4bd9-b1eb-c332639c27b7", - "description": "Add control implementation description here for statement ca-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "2639a489-c6b7-4eb1-b68a-69fffbe664f3", + "description": "Add control implementation description here for control ia-2.8" } ] } ] }, { - "uuid": "ab8e0f52-0741-4437-9239-9372faeeeaa7", - "control-id": "ca-2", + "uuid": "61fd83a9-756c-4571-93eb-b936a470b7f7", + "control-id": "ia-2.12", "statements": [ { - "statement-id": "ca-2_smt.c", - "uuid": "e331ec3e-3541-4561-8ae2-efb6d66224a6", + "statement-id": "ia-2.12_smt", + "uuid": "da1c7090-1661-477f-a2a3-f2dfb2eb34d4", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "21615867-50e5-459c-a261-50df6ea6a741", - "description": "Add control implementation description here for statement ca-2_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1e8148cc-edf7-48d6-803c-b72aa1940486", + "description": "Add control implementation description here for control ia-2.12" } ] } ] }, { - "uuid": "fc148064-bfc7-4cc9-8b09-ec874c27076c", - "control-id": "ca-2", + "uuid": "e205763b-b558-4f66-9305-7dc186201bfe", + "control-id": "ia-4", "statements": [ { - "statement-id": 
"ca-2_smt.d", - "uuid": "3b128c28-6909-4b51-b7c2-630fd8465e59", + "statement-id": "ia-4_smt.a", + "uuid": "8f1979b7-52a8-4216-9486-4b326e73a691", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c34e01d6-9aea-4c83-a80c-8e23e922886b", - "description": "Add control implementation description here for statement ca-2_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "83a82585-41fd-43b6-a364-ebed0dd038a1", + "description": "Add control implementation description here for item ia-4_smt.a" } ] - } - ] - }, - { - "uuid": "63fdeec8-7d60-4279-9702-b33368071186", - "control-id": "ca-2", - "statements": [ + }, { - "statement-id": "ca-2_smt.e", - "uuid": "8347170b-a5a6-45b8-aa76-2c64b177d5ab", + "statement-id": "ia-4_smt.b", + "uuid": "34a3e52a-94a4-4ce5-a2dc-46fd6c1481ca", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "87c2cf34-41b9-4f75-9b75-7d5c3c52b20d", - "description": "Add control implementation description here for statement ca-2_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "3f9881af-e64e-4b62-bf44-108e0eed4a62", + "description": "Add control implementation description here for item ia-4_smt.b" } ] - } - ] - }, - { - "uuid": "f1db6134-3ef5-4059-a5b0-4e1cd0355c32", - "control-id": "ca-2", - "statements": [ + }, { - "statement-id": "ca-2_smt.f", - "uuid": "c332bc8b-8203-49a2-9e11-8c70b15a79fa", + "statement-id": "ia-4_smt.c", + "uuid": "5240fbfa-0bee-4bd1-bc8f-9ad42470144b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "430c1c2f-7d89-4ed9-b013-c74c7467fc6e", - "description": "Add control implementation description here for statement ca-2_smt.f" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "78f7c79d-7ea5-49a5-8e3b-19c56ae50d65", + "description": "Add control implementation description here for item ia-4_smt.c" } ] - } - ] - }, - { - "uuid": 
"5075f4d3-42d8-4b62-9aa4-3050e88f35e3", - "control-id": "ca-3", - "statements": [ + }, { - "statement-id": "ca-3_smt.a", - "uuid": "47843ef0-189e-41ab-9d58-79455fbc6c69", + "statement-id": "ia-4_smt.d", + "uuid": "0ecd3ea3-0a99-4eed-b68f-b9462e4a115a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "2e0675cc-4ddf-4e87-affe-5c4cae2fa0ee", - "description": "Add control implementation description here for statement ca-3_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ef04557d-6d3c-4fc9-b90b-b5e7246da004", + "description": "Add control implementation description here for item ia-4_smt.d" } ] } ] }, { - "uuid": "1e34c563-5f1a-487c-b2c7-dcbace13333d", - "control-id": "ca-3", + "uuid": "6a16fadc-1a50-4313-a9a2-631c1bc005e3", + "control-id": "ia-5", "statements": [ { - "statement-id": "ca-3_smt.b", - "uuid": "5c3a64a2-a6e4-401c-bddd-3126a337c3d5", + "statement-id": "ia-5_smt.a", + "uuid": "78665434-1523-457e-b9cb-442cea9127ce", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a3315e2f-4a57-4b12-8e34-862aafd5b462", - "description": "Add control implementation description here for statement ca-3_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b1b8d440-9ea3-463f-a688-987fa69696a7", + "description": "Add control implementation description here for item ia-5_smt.a" } ] - } - ] - }, - { - "uuid": "f29f9974-58d2-4fa6-831a-903340f67014", - "control-id": "ca-3", - "statements": [ + }, { - "statement-id": "ca-3_smt.c", - "uuid": "1aabef8b-f63b-4f95-81b8-00dcfc7cc54e", + "statement-id": "ia-5_smt.b", + "uuid": "8e3a6f01-daad-4d8c-b94d-8ed0fc8499c2", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "e2aff899-2e53-4ddb-ae43-74e9ef3703c1", - "description": "Add control implementation description here for statement ca-3_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": 
"e496aba2-6669-4a0f-96a0-21076afb6902", + "description": "Add control implementation description here for item ia-5_smt.b" } ] - } - ] - }, - { - "uuid": "836dfe27-0fc8-4c69-a4e8-0d1bff3b8779", - "control-id": "ca-7", - "statements": [ + }, { - "statement-id": "ca-7_smt.a", - "uuid": "6903ed57-2cd9-4b5c-9d46-fba2052c9dc9", + "statement-id": "ia-5_smt.c", + "uuid": "72f40639-e7bf-4f21-aa6e-b8cf9dc3c263", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "d6c8cd4d-afb2-4ca5-928c-d340fe5f6c08", - "description": "Add control implementation description here for statement ca-7_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f1cb3781-ddae-4424-b854-5db80e67f5aa", + "description": "Add control implementation description here for item ia-5_smt.c" } ] - } - ] - }, - { - "uuid": "46e9b28c-aad5-478c-958c-7b977656088f", - "control-id": "ca-7", - "statements": [ + }, { - "statement-id": "ca-7_smt.b", - "uuid": "a47dc8e7-0e41-4e84-bb0f-0ed927bbcc7e", + "statement-id": "ia-5_smt.d", + "uuid": "c5ab0377-e3c6-49f0-9fff-3f14d2623212", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "25968dc9-52fd-4397-9682-ec7c32126eff", - "description": "Add control implementation description here for statement ca-7_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "de792aa8-5048-4f6c-88b0-8a5a559794a1", + "description": "Add control implementation description here for item ia-5_smt.d" } ] - } - ] - }, - { - "uuid": "ddb094e9-cfe8-479f-9934-bb5d208745d5", - "control-id": "ca-7", - "statements": [ + }, { - "statement-id": "ca-7_smt.c", - "uuid": "c51e67b3-ae79-413e-b0c0-e3c86a8128bb", + "statement-id": "ia-5_smt.e", + "uuid": "7a1f7c19-531b-44a2-83fa-07cef35dd01a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "597bafa0-568e-4a59-a5f8-31799b7af3f4", - "description": "Add control implementation description here for 
statement ca-7_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b4cd4e29-7871-42df-bd1c-cdb00c6f57e8", + "description": "Add control implementation description here for item ia-5_smt.e" } ] - } - ] - }, - { - "uuid": "02578392-9678-45a3-a6c5-df02f675ad91", - "control-id": "ca-7", - "statements": [ + }, { - "statement-id": "ca-7_smt.d", - "uuid": "a5e79f97-81a3-465c-aac0-7a0624efae6a", + "statement-id": "ia-5_smt.f", + "uuid": "3ffb56ae-14e3-4fb6-8dac-b582b03afef0", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "7c0563c5-8997-4dcb-9f80-2d7fe491f4fd", - "description": "Add control implementation description here for statement ca-7_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "718eab31-ba32-4073-95d1-18c583146e50", + "description": "Add control implementation description here for item ia-5_smt.f" } ] - } - ] - }, - { - "uuid": "0bfe9949-7496-4595-a904-8f3075b396cb", - "control-id": "ca-7", - "statements": [ + }, { - "statement-id": "ca-7_smt.e", - "uuid": "ff2014d9-a425-4806-bfa6-62f761c405f1", + "statement-id": "ia-5_smt.g", + "uuid": "0195a85a-f788-4171-8f6c-8e64e664b374", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "63de0a87-e575-4506-b6ee-cc6a9c5a058a", - "description": "Add control implementation description here for statement ca-7_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "5315e4f0-31bb-47bc-95b8-86aac32e0f85", + "description": "Add control implementation description here for item ia-5_smt.g" } ] - } - ] - }, - { - "uuid": "b76f5bee-0c4f-4b0f-a2a3-6fbd9ef726d7", - "control-id": "ca-7", - "statements": [ + }, { - "statement-id": "ca-7_smt.f", - "uuid": "3509ef0e-cbfd-4163-b2da-2f9b8ab61eaf", + "statement-id": "ia-5_smt.h", + "uuid": "5a932bdb-a92c-4f31-aba8-b36a55dd9c50", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": 
"be19afa2-2610-4067-a761-473b0e15812c", - "description": "Add control implementation description here for statement ca-7_smt.f" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "74096185-a7ee-4e8a-a3d8-2c9657000786", + "description": "Add control implementation description here for item ia-5_smt.h" } ] - } - ] - }, - { - "uuid": "27996d75-ceae-4ed1-8d31-8b17b4a32da1", - "control-id": "ca-7", - "statements": [ + }, { - "statement-id": "ca-7_smt.g", - "uuid": "ca3ab309-eb0f-4692-9202-2aecda53a3b6", + "statement-id": "ia-5_smt.i", + "uuid": "8e892f51-a405-4217-88ca-d3e16c1de13f", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "112930e0-df0f-4457-9afa-630d53ac06cf", - "description": "Add control implementation description here for statement ca-7_smt.g" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "efee2133-84ac-46b5-974b-b3044898ff82", + "description": "Add control implementation description here for item ia-5_smt.i" } ] } ] }, { - "uuid": "4ab1a377-1926-4c96-912b-bb3320f16972", + "uuid": "f8ece737-c622-41e3-b21b-186d9267ab98", "control-id": "ia-5.1", "statements": [ { "statement-id": "ia-5.1_smt.a", - "uuid": "ce770981-5c14-4038-9d82-8bf95350140b", + "uuid": "ff327d3c-a623-4c7d-ad3a-b69077be844b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "63409fd3-891c-4547-9810-60145ef92d32", - "description": "Add control implementation description here for statement ia-5.1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "10ffa256-8a40-48f3-bf9e-9103280ff040", + "description": "Add control implementation description here for item ia-5.1_smt.a" } ] - } - ] - }, - { - "uuid": "92440fbe-9cac-4a82-b242-00deed573e0d", - "control-id": "ia-5.1", - "statements": [ + }, { "statement-id": "ia-5.1_smt.b", - "uuid": "5162a11f-e38a-433e-a0d1-fc5c23a00529", + "uuid": "e423ea26-f23f-4e34-9987-ce08c52dc7cb", "by-components": [ { - 
"component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "869797ff-4d1a-423b-a4f6-0ac60d2f104e", - "description": "Add control implementation description here for statement ia-5.1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c212aa41-3254-4b6e-842f-0e969a6ca99d", + "description": "Add control implementation description here for item ia-5.1_smt.b" } ] - } - ] - }, - { - "uuid": "0d7ef4fc-65cb-4480-aec3-f26829531335", - "control-id": "ia-5.1", - "statements": [ + }, { "statement-id": "ia-5.1_smt.c", - "uuid": "d90bcd77-93a3-4d4c-8eb9-fd200c42fc30", + "uuid": "bc2ad926-d458-4ff5-a6b1-f93ec6e01795", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "4fb5ff61-35a2-4752-af6b-081e2fe53092", - "description": "Add control implementation description here for statement ia-5.1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f287fb22-9a8d-4015-817f-6457f0b0f71e", + "description": "Add control implementation description here for item ia-5.1_smt.c" } ] - } - ] - }, - { - "uuid": "da9d818b-fde1-4691-947c-cbc2dd9d5346", - "control-id": "ia-5.1", - "statements": [ + }, { "statement-id": "ia-5.1_smt.d", - "uuid": "91ff0171-6e6d-45e9-9047-9a6fe777fb4a", + "uuid": "78c0cf89-ff9f-42b0-b6f1-e7f41cb601a3", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "42119030-143d-4880-aca3-93a2dc54a17c", - "description": "Add control implementation description here for statement ia-5.1_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1d41c4e4-e51c-4344-8d73-6d95895360e1", + "description": "Add control implementation description here for item ia-5.1_smt.d" } ] - } - ] - }, - { - "uuid": "b9d48279-cd53-4e39-90a7-2109b31190d8", - "control-id": "ia-5.1", - "statements": [ + }, { "statement-id": "ia-5.1_smt.e", - "uuid": "789cd386-6c58-4d86-8f28-5318748269d5", + "uuid": "787f4055-ed14-4525-965e-2c8f8b1c2e2c", 
"by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "2332f8e3-0d0e-4f88-9711-0eed10d28efa", - "description": "Add control implementation description here for statement ia-5.1_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "7f47a874-f950-4b64-be32-03a03527de01", + "description": "Add control implementation description here for item ia-5.1_smt.e" } ] - } - ] - }, - { - "uuid": "8dfb6766-923c-4ade-9ca1-add66ad558da", - "control-id": "ia-5.1", - "statements": [ + }, { "statement-id": "ia-5.1_smt.f", - "uuid": "3cafca35-aea4-4a13-9e08-2344b09c2d5f", + "uuid": "bb185529-57f4-45a7-be60-0b2d0ee6cbc5", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b5d23cd8-37cb-49db-889b-9c44c1b5be97", - "description": "Add control implementation description here for statement ia-5.1_smt.f" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "597ba514-829e-492c-8b81-0362aa457094", + "description": "Add control implementation description here for item ia-5.1_smt.f" } ] - } - ] - }, - { - "uuid": "2b3bf075-33dc-4252-ad12-27453e0b5ac1", - "control-id": "ia-5.1", - "statements": [ + }, { "statement-id": "ia-5.1_smt.g", - "uuid": "e6ffb2dd-bbc3-40c8-b700-c9acde27d8ce", + "uuid": "a761c690-3698-4a0b-a654-5cd06020905d", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b68fa6e1-57ba-430e-a2fd-937f6473b1c9", - "description": "Add control implementation description here for statement ia-5.1_smt.g" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "218188ea-e358-4872-9f5f-89d3089159b0", + "description": "Add control implementation description here for item ia-5.1_smt.g" } ] - } - ] - }, - { - "uuid": "e886f67e-6ca3-4737-bf8a-914ff0051d9c", - "control-id": "ia-5.1", - "statements": [ + }, { "statement-id": "ia-5.1_smt.h", - "uuid": "8869a1f9-fb1f-4f33-aeaf-cdc2eedf9e11", + "uuid": 
"9163c6af-ad66-460e-8142-451098257738", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "75e1e2d6-bd33-4748-b662-0c0e1f82c530", - "description": "Add control implementation description here for statement ia-5.1_smt.h" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f7956e22-b7b8-4791-ae09-307bd6360bad", + "description": "Add control implementation description here for item ia-5.1_smt.h" } ] } ] }, { - "uuid": "fd716d05-4db6-49bc-a4d2-879a836605fd", - "control-id": "ia-4", + "uuid": "93939378-7fc9-41c1-9cfe-695fac7ae9f0", + "control-id": "ia-6", "statements": [ { - "statement-id": "ia-4_smt.a", - "uuid": "af3e9850-36cd-4c49-a60b-52f4dfbe8987", + "statement-id": "ia-6_smt", + "uuid": "4ee33ed0-79a0-474a-aded-2cfa8515b731", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "952ea89b-96cf-4abe-99fb-edbce4edfbb0", - "description": "Add control implementation description here for statement ia-4_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "06febf2d-048d-4d1b-8cd7-1ec69579707c", + "description": "Add control implementation description here for control ia-6" } ] } ] }, { - "uuid": "f8444864-840d-429c-8b0d-15fda9f7f4ec", - "control-id": "ia-4", + "uuid": "4c775db3-3143-458e-9600-974595d833fb", + "control-id": "ia-7", "statements": [ { - "statement-id": "ia-4_smt.b", - "uuid": "92423d8b-ec62-4906-a7b6-e96872295a80", + "statement-id": "ia-7_smt", + "uuid": "474320fb-40cf-4b5e-ab06-1a9f91529fb7", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "cd32e5d6-4e03-45ab-8a1a-9a78d38c1552", - "description": "Add control implementation description here for statement ia-4_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "874e28f8-c2ba-4b43-a0db-2b5c119e238c", + "description": "Add control implementation description here for control ia-7" } ] } ] }, { - "uuid": 
"6fccae74-d558-4450-8ce5-2c2641daf3b9", - "control-id": "ia-4", + "uuid": "46cdeade-3b86-4f49-9f33-b1c51e74419f", + "control-id": "ia-8", "statements": [ { - "statement-id": "ia-4_smt.c", - "uuid": "903687fe-2f16-4f88-8151-f2c6798996df", + "statement-id": "ia-8_smt", + "uuid": "ec6a8bca-5ae3-48dc-9349-fcb81dbe7fbc", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "8ae93b8e-3a16-43ad-9252-0567c0f3744e", - "description": "Add control implementation description here for statement ia-4_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "a5deb36f-d162-4b32-997f-db82d3ce04c1", + "description": "Add control implementation description here for control ia-8" } ] } ] }, { - "uuid": "287c3933-0fbb-4483-aa25-f23f685b04ca", - "control-id": "ia-4", + "uuid": "af30a978-5ac1-4c7d-91fb-7780759bdd0f", + "control-id": "ia-8.1", "statements": [ { - "statement-id": "ia-4_smt.d", - "uuid": "b3c42b61-16e8-44e3-8f18-6d6341f17953", + "statement-id": "ia-8.1_smt", + "uuid": "bf3b8690-8e78-452c-9b42-fe6dd06e9819", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "0ff9e81d-b2a4-45fc-838f-cb2438f563f9", - "description": "Add control implementation description here for statement ia-4_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "285e18f5-7ca6-4581-97b8-2d9f6fd8a53b", + "description": "Add control implementation description here for control ia-8.1" } ] } ] }, { - "uuid": "37e1bedb-79d3-40ce-b1de-f3c977f76930", + "uuid": "ac0e445f-b71c-4d06-945f-cd7aa273c5d5", "control-id": "ia-8.2", "statements": [ { "statement-id": "ia-8.2_smt.a", - "uuid": "c6ce4c5c-fb2b-4433-8e76-b21591e2e3f3", + "uuid": "a81603e7-5cf1-4be3-942b-c28c6d0783c1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "62cc3755-242f-4239-9330-5785d34dd310", - "description": "Add control implementation description here for statement ia-8.2_smt.a" + 
"component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "6abb929c-fd08-435c-8b4b-4d80f244e49d", + "description": "Add control implementation description here for item ia-8.2_smt.a" } ] - } - ] - }, - { - "uuid": "ffb701e3-bb97-478b-899b-1fa8f73d42a2", - "control-id": "ia-8.2", - "statements": [ + }, { "statement-id": "ia-8.2_smt.b", - "uuid": "80c39504-407d-4c9d-9656-edc8eaa8d4d2", + "uuid": "b5dfcdc9-c4ce-4d6c-a144-c3d8d3c4556d", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "1ddf6797-b769-46e7-8265-317c97ad6b9a", - "description": "Add control implementation description here for statement ia-8.2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "24af7ef3-fdd9-4afb-bb0d-16723f386d23", + "description": "Add control implementation description here for item ia-8.2_smt.b" } ] } ] }, { - "uuid": "b89b21dc-f1bb-4041-8a12-ea5b57ad52cb", - "control-id": "ia-1", + "uuid": "b1632e10-d176-4e0b-a788-184e6eb993b4", + "control-id": "ia-8.4", "statements": [ { - "statement-id": "ia-1_smt.a", - "uuid": "dc226d2f-53cb-4d07-a7a9-93e4e5aa5001", + "statement-id": "ia-8.4_smt", + "uuid": "c355587e-779a-43ad-bedc-296b84ee12a0", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "e57fcf2b-2dfa-4d8a-b37b-2906b6aa91ea", - "description": "Add control implementation description here for statement ia-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "03cb1910-6bb6-47e7-a1e0-67d4ecb14e15", + "description": "Add control implementation description here for control ia-8.4" } ] } ] }, { - "uuid": "57106ac4-df89-468a-9cd9-8a557c1670e0", - "control-id": "ia-1", + "uuid": "53e8f366-073c-447e-b6ba-5f19583394f0", + "control-id": "ia-11", "statements": [ { - "statement-id": "ia-1_smt.b", - "uuid": "81346b2f-2ef6-4680-a138-22aa3b07ceb8", + "statement-id": "ia-11_smt", + "uuid": "754d9a36-2249-4eb2-86d9-9844b9e955b3", "by-components": [ { - 
"component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "d292c27e-a3d9-492b-89f1-8ae0ae39e858", - "description": "Add control implementation description here for statement ia-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0be90447-c961-4883-92b5-568383916dc7", + "description": "Add control implementation description here for control ia-11" } ] } ] }, { - "uuid": "d2073d51-5eb1-4a38-abaf-66f8cc498957", - "control-id": "ia-1", + "uuid": "823b7dc3-5607-49e4-9dd8-b4c7442325cc", + "control-id": "ir-1", "statements": [ { - "statement-id": "ia-1_smt.c", - "uuid": "bf1a561f-83ed-4f13-bb09-00db1b501eb0", + "statement-id": "ir-1_smt.a", + "uuid": "9c637f8b-b6a6-4c60-99b7-e8c7e693cf07", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "4e382c74-e577-462d-83f9-fb12643eb8db", - "description": "Add control implementation description here for statement ia-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c4e1c75e-e42a-4a12-adaa-fe33d18defcf", + "description": "Add control implementation description here for item ir-1_smt.a" } ] - } - ] - }, - { - "uuid": "f8f67f4a-d0c9-464f-b963-43c322fadec7", - "control-id": "ia-5", - "statements": [ + }, { - "statement-id": "ia-5_smt.a", - "uuid": "1d6f3904-c738-4069-9b50-c77c32a0ed43", + "statement-id": "ir-1_smt.b", + "uuid": "43c6f20e-e77a-4bb2-9375-65d9901b7c78", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f8924f02-bc70-4c54-b731-24aa4367b4ce", - "description": "Add control implementation description here for statement ia-5_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "e6500116-8c2f-4f7c-9824-2bd1e0a68fb5", + "description": "Add control implementation description here for item ir-1_smt.b" } ] - } - ] - }, - { - "uuid": "192f977d-4b26-4ac5-9aa5-b8f441498c80", - "control-id": "ia-5", - "statements": [ + }, { - "statement-id": "ia-5_smt.b", - "uuid": 
"9458647a-f9d5-46e4-be7f-419487e0a7b1", + "statement-id": "ir-1_smt.c", + "uuid": "98eb9f80-f915-4c9b-9fb1-2f7c5ee89ebf", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "2c503a4b-2fc4-4dd4-8991-546619c2e6fa", - "description": "Add control implementation description here for statement ia-5_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "8cbb5dd8-c111-48c6-b351-ffff834a383c", + "description": "Add control implementation description here for item ir-1_smt.c" } ] } ] }, { - "uuid": "012092b1-7c44-4f02-a603-0573bab5437d", - "control-id": "ia-5", + "uuid": "e6e8538d-f204-4e9c-83dc-dd76bd71eced", + "control-id": "ir-2", "statements": [ { - "statement-id": "ia-5_smt.c", - "uuid": "9bbe6770-807b-4687-8dbe-f42fe1d682ad", + "statement-id": "ir-2_smt.a", + "uuid": "8c4f9ded-c66d-4d21-8c89-d27f0ef1d93a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f7f405ea-3409-48e3-ba39-947a2a6c7b8f", - "description": "Add control implementation description here for statement ia-5_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ecc3a857-13a1-4848-8cb2-4bfb1066993c", + "description": "Add control implementation description here for item ir-2_smt.a" } ] - } - ] - }, - { - "uuid": "69464902-16b0-4c35-838a-e8850c451b8d", - "control-id": "ia-5", - "statements": [ + }, { - "statement-id": "ia-5_smt.d", - "uuid": "76ebc893-b07e-4dd1-aa57-3a24a2446c66", + "statement-id": "ir-2_smt.b", + "uuid": "99fc773a-df22-4d7e-8471-c103ed192348", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "3053b944-2944-446a-bd50-f537001dd124", - "description": "Add control implementation description here for statement ia-5_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4571e028-d16a-45cd-b85c-f4782d617af4", + "description": "Add control implementation description here for item ir-2_smt.b" } ] } ] }, { - 
"uuid": "bd24ddb0-93b4-4be0-a28a-ca6a0ad5ef5b", - "control-id": "ia-5", + "uuid": "3ba9ded4-ef1a-4b01-bc29-eeba58755813", + "control-id": "ir-4", "statements": [ { - "statement-id": "ia-5_smt.e", - "uuid": "e2fd2a08-9ed8-4dd8-9785-f04054bf3ef7", + "statement-id": "ir-4_smt.a", + "uuid": "4fea2336-9e84-4129-a573-6d478f88889b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "7d6735bb-eaa0-4dd9-8be2-dbfd63370980", - "description": "Add control implementation description here for statement ia-5_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ef0e8da1-565d-4f88-be68-17335c834809", + "description": "Add control implementation description here for item ir-4_smt.a" } ] - } - ] - }, - { - "uuid": "5bc93987-cd4b-4d57-8fb8-4cab3aefe401", - "control-id": "ia-5", - "statements": [ + }, { - "statement-id": "ia-5_smt.f", - "uuid": "99ec55da-b71d-4353-9997-dc8d03363b4d", + "statement-id": "ir-4_smt.b", + "uuid": "1952582d-0df2-4e46-a53a-57ed58ac816b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "716a6bbb-63a7-42e8-83ee-ed36061ec091", - "description": "Add control implementation description here for statement ia-5_smt.f" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c9acbc85-23eb-4344-92fd-35291a8fc906", + "description": "Add control implementation description here for item ir-4_smt.b" } ] - } - ] - }, - { - "uuid": "f5cf00f2-20e5-4ce4-8ff9-d3249dc4c308", - "control-id": "ia-5", - "statements": [ + }, { - "statement-id": "ia-5_smt.g", - "uuid": "02aa4bb0-9a25-459e-ba37-09dba8632b1c", + "statement-id": "ir-4_smt.c", + "uuid": "bb4f6dce-f43f-48f0-8899-2cc9660decd6", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f40d3004-6fe7-4827-9c75-e93316941528", - "description": "Add control implementation description here for statement ia-5_smt.g" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", 
+ "uuid": "fe328a23-8f7d-4d19-a429-d08ae4eb2e99", + "description": "Add control implementation description here for item ir-4_smt.c" } ] - } - ] - }, - { - "uuid": "8f4f135d-6faf-4616-8f7b-c92bcccccf52", - "control-id": "ia-5", - "statements": [ + }, { - "statement-id": "ia-5_smt.h", - "uuid": "6b761279-d7f8-4500-ad28-1f404d919c52", + "statement-id": "ir-4_smt.d", + "uuid": "294e7683-7a87-4fa2-bf28-ed97a628c044", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a03d025f-9008-430b-af7e-9cf5ed2491c0", - "description": "Add control implementation description here for statement ia-5_smt.h" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "6752fbc7-4ee6-4b1c-bcf9-ee5cf3bd121d", + "description": "Add control implementation description here for item ir-4_smt.d" } ] } ] }, { - "uuid": "e210fd10-354b-42d5-b235-a099a9e39bdd", - "control-id": "ia-5", + "uuid": "8771261f-5c4f-4eec-9d66-d6a0ac347e66", + "control-id": "ir-5", "statements": [ { - "statement-id": "ia-5_smt.i", - "uuid": "428f140e-adc5-4be0-a241-50ab01fc724b", + "statement-id": "ir-5_smt", + "uuid": "b14b4d0c-f515-43bb-9467-b7f580502acd", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "d282f32d-000f-46f4-9f91-b300d41aa879", - "description": "Add control implementation description here for statement ia-5_smt.i" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "77943a25-37d7-45fd-b85a-49a63bbee3ad", + "description": "Add control implementation description here for control ir-5" } ] } ] }, { - "uuid": "4433231b-3cbd-465b-85c5-75f59d1b807b", - "control-id": "ra-2", + "uuid": "26bf53af-888d-479c-937a-6af05ad31b79", + "control-id": "ir-6", "statements": [ { - "statement-id": "ra-2_smt.a", - "uuid": "93fd3736-a54f-406c-b75a-414859d7ce8a", + "statement-id": "ir-6_smt.a", + "uuid": "9d680327-d57a-4339-bc0c-439f0caf50fa", "by-components": [ { - "component-uuid": 
"67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "9bbce8aa-3996-4011-8600-d741043dff88", - "description": "Add control implementation description here for statement ra-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "8d11c7fa-8dda-4a85-bce0-ea794abd1e2e", + "description": "Add control implementation description here for item ir-6_smt.a" } ] - } - ] - }, - { - "uuid": "9a41eb10-d5a8-41c9-90ee-931ace55cbd8", - "control-id": "ra-2", - "statements": [ + }, { - "statement-id": "ra-2_smt.b", - "uuid": "d18fd77a-33a3-41c0-8c33-a0ec4a86e9b1", + "statement-id": "ir-6_smt.b", + "uuid": "d056783f-30b1-4039-afe1-0fa8f3d35dad", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b6e92750-5d3c-48a2-9fa5-49360fbdb06b", - "description": "Add control implementation description here for statement ra-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "8b7d220d-c3a4-4c4e-92da-877f2c2ecb05", + "description": "Add control implementation description here for item ir-6_smt.b" } ] } ] }, { - "uuid": "678f562d-eb90-410f-bf10-d3007c5a08e7", - "control-id": "ra-2", + "uuid": "83220c2f-0cb7-4bb7-8cee-1be42beba3f9", + "control-id": "ir-7", "statements": [ { - "statement-id": "ra-2_smt.c", - "uuid": "e8b57c6f-0725-4c49-b427-d9d998d110eb", + "statement-id": "ir-7_smt", + "uuid": "d14941bb-835c-464b-9a62-6413231cc855", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c112a989-9dab-4596-a1a4-32c531a72d22", - "description": "Add control implementation description here for statement ra-2_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "273a670d-53d8-44e3-8218-521826c85c3d", + "description": "Add control implementation description here for control ir-7" } ] } ] }, { - "uuid": "5964902b-bbdd-4c35-9733-d6710c7b1cca", - "control-id": "ra-3", + "uuid": "d3cec4c5-7ee5-4d26-8595-28b3acf28827", + "control-id": "ir-8", "statements": [ { - 
"statement-id": "ra-3_smt.a", - "uuid": "a4d2fac1-92b4-4b34-8c2a-961e5c96760a", + "statement-id": "ir-8_smt.a", + "uuid": "6b17d634-b9f7-44b8-a009-3e6a0bd87882", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f5f0c4f0-e8cf-4e43-8c05-0101a90da0da", - "description": "Add control implementation description here for statement ra-3_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "dbbfc5ba-f0d6-4aa2-bcfc-4561343c8de0", + "description": "Add control implementation description here for item ir-8_smt.a" } ] - } - ] - }, - { - "uuid": "b4481626-27fa-46fb-8543-b4a668678d0a", - "control-id": "ra-3", - "statements": [ + }, { - "statement-id": "ra-3_smt.b", - "uuid": "f7273de5-deb7-4d77-b642-aa58cab96e6e", + "statement-id": "ir-8_smt.b", + "uuid": "7bffba9e-ac03-4360-b77b-e6cda059ae9b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "fca9b6ad-4075-4c5a-a47d-70fbf5a9b1fc", - "description": "Add control implementation description here for statement ra-3_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0420d8df-a116-4a79-9a3f-2deeb85e8ab6", + "description": "Add control implementation description here for item ir-8_smt.b" } ] - } - ] - }, - { - "uuid": "f6305808-4605-4d0d-a56b-3d835524dbda", - "control-id": "ra-3", - "statements": [ + }, { - "statement-id": "ra-3_smt.c", - "uuid": "1e4c200b-2a82-472d-80a5-c1b03022112b", + "statement-id": "ir-8_smt.c", + "uuid": "cb77d7af-3ea5-4ba4-a235-4cf9009f0a5d", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "717064b6-416d-4742-a81e-d7f3e6701401", - "description": "Add control implementation description here for statement ra-3_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "22d6e827-ff14-4db4-8356-9a9910135370", + "description": "Add control implementation description here for item ir-8_smt.c" } ] - } - ] - }, - { - "uuid": 
"d350afaa-d0d1-4d73-b63d-eb7a13f49d1c", - "control-id": "ra-3", - "statements": [ + }, { - "statement-id": "ra-3_smt.d", - "uuid": "ba35e17e-3c55-49bb-a0f6-a1ed078181b3", + "statement-id": "ir-8_smt.d", + "uuid": "79fe4b8b-79b0-4f6e-87b6-f16c5f9af32d", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "2e418ec6-7686-4386-9b77-ce153ac8548d", - "description": "Add control implementation description here for statement ra-3_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ffc94724-0ce2-4bf0-8caa-218320a974ef", + "description": "Add control implementation description here for item ir-8_smt.d" } ] - } - ] - }, - { - "uuid": "cd88d118-15e4-448e-9a35-1668b5e3cc75", - "control-id": "ra-3", - "statements": [ + }, { - "statement-id": "ra-3_smt.e", - "uuid": "18c882cb-7b25-4c19-8a3a-5c07fcf3928a", + "statement-id": "ir-8_smt.e", + "uuid": "c3c20020-e3ef-4b9c-b74d-82e4932f47ba", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "9d5399ad-008d-496e-ad5f-d65c1a0ae1b3", - "description": "Add control implementation description here for statement ra-3_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0715c4c0-f461-4768-97dd-04da288cc429", + "description": "Add control implementation description here for item ir-8_smt.e" } ] } ] }, { - "uuid": "6bcc0d89-0286-4f60-a8c3-0d28dbd68d86", - "control-id": "ra-3", + "uuid": "bd1c6189-e15d-41b5-a5c3-a13771bcd223", + "control-id": "ma-1", "statements": [ { - "statement-id": "ra-3_smt.f", - "uuid": "9849ac9c-89a0-42d5-8057-d29a99e9f2b5", + "statement-id": "ma-1_smt.a", + "uuid": "953ebd69-174b-46f7-b660-42f2f570564f", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c33646ac-0d48-4e1e-91b8-1a56a6567e87", + "description": "Add control implementation description here for item ma-1_smt.a" + } + ] + }, + { + "statement-id": "ma-1_smt.b", + "uuid": 
"ad96ca0d-4782-4554-af09-018d5f8b17c7", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0e3f9236-6644-429e-8960-3abffbe25b84", + "description": "Add control implementation description here for item ma-1_smt.b" + } + ] + }, + { + "statement-id": "ma-1_smt.c", + "uuid": "ac8ef617-49a8-47a6-b0ac-962de6ff6d56", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a40b1f6b-3603-4911-b038-bedfd94b8147", - "description": "Add control implementation description here for statement ra-3_smt.f" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1cf29e48-72c2-4952-b458-6718a6705c2c", + "description": "Add control implementation description here for item ma-1_smt.c" } ] } ] }, { - "uuid": "64552f65-1cd6-4d99-be53-567116855fd0", - "control-id": "ra-3.1", + "uuid": "1e9ba260-356d-4714-b858-6b1e39a0ea39", + "control-id": "ma-2", "statements": [ { - "statement-id": "ra-3.1_smt.a", - "uuid": "43a1d205-1684-4847-8b63-bf8678df6cbd", + "statement-id": "ma-2_smt.a", + "uuid": "d677e3dd-9d21-4d69-8f9e-9df3f203597b", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "a9e019f6-0962-4dbf-8912-547b4de85cf2", + "description": "Add control implementation description here for item ma-2_smt.a" + } + ] + }, + { + "statement-id": "ma-2_smt.b", + "uuid": "7ae1bf80-c80f-4fc7-9775-4d68b3128463", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "44aa623e-5c4d-4a29-b686-3f57a7fbd6e9", + "description": "Add control implementation description here for item ma-2_smt.b" + } + ] + }, + { + "statement-id": "ma-2_smt.c", + "uuid": "fe6ed9a6-5b39-4065-90e0-3eea28c708e3", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "58f1873b-6c6d-4261-b408-97572bb6cd2b", + "description": "Add control implementation description here for item ma-2_smt.c" + } + ] + }, + { + 
"statement-id": "ma-2_smt.d", + "uuid": "98778446-7b31-4b6e-940e-762cc22fe232", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d1246f36-b360-4745-a194-58a48e80f0b3", + "description": "Add control implementation description here for item ma-2_smt.d" + } + ] + }, + { + "statement-id": "ma-2_smt.e", + "uuid": "0fdfac57-c989-4007-9849-a8a90f8c7676", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "98bcb39a-a642-4ba6-9af0-f38fc4fffcd2", - "description": "Add control implementation description here for statement ra-3.1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b53ccfe4-e5ec-40ad-b8d3-42fa9c422399", + "description": "Add control implementation description here for item ma-2_smt.e" + } + ] + }, + { + "statement-id": "ma-2_smt.f", + "uuid": "e5636c54-4def-45e6-9bb1-e421a87911ea", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "6f5c5241-cf58-45a4-8f02-ea956eec1f1b", + "description": "Add control implementation description here for item ma-2_smt.f" } ] } ] }, { - "uuid": "90125f1f-145a-4531-92fe-edcc965dfc20", - "control-id": "ra-3.1", + "uuid": "edbe27c3-6706-4f9c-a968-a8770f5a3b5b", + "control-id": "ma-4", "statements": [ { - "statement-id": "ra-3.1_smt.b", - "uuid": "711fd411-c1dd-44f1-869c-3912167116d0", + "statement-id": "ma-4_smt.a", + "uuid": "d17affbb-c871-4603-a238-4b7aaad8447b", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1bf1eaa8-afba-41a3-a7c5-9c97a63e2751", + "description": "Add control implementation description here for item ma-4_smt.a" + } + ] + }, + { + "statement-id": "ma-4_smt.b", + "uuid": "8a97ebf2-2a7c-46b0-8a13-90cb8e507019", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "cfcb33f6-b054-4051-8fea-ebd4529d4785", + "description": "Add control implementation description here for item 
ma-4_smt.b" + } + ] + }, + { + "statement-id": "ma-4_smt.c", + "uuid": "d88425e8-e718-4220-b453-449f246d288a", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ea86873d-2ae5-4deb-995d-a9363d02f3c4", + "description": "Add control implementation description here for item ma-4_smt.c" + } + ] + }, + { + "statement-id": "ma-4_smt.d", + "uuid": "0b8132c5-d08c-4af5-b83e-1733fdb93382", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "d9bf3bd5-ae5a-4cd8-9ecb-b61bc635180d", - "description": "Add control implementation description here for statement ra-3.1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "29395e9c-e0d2-45a4-aa92-cae69bfb2fff", + "description": "Add control implementation description here for item ma-4_smt.d" + } + ] + }, + { + "statement-id": "ma-4_smt.e", + "uuid": "2c9bfc7d-1aee-479f-95b6-774a8dfb847e", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "75ac40b5-542f-4496-995e-30ab9a5e8c94", + "description": "Add control implementation description here for item ma-4_smt.e" } ] } ] }, { - "uuid": "0556eb16-ff9b-48cd-85f7-d05d12cfe248", - "control-id": "ra-1", + "uuid": "47798d85-9016-41d8-9de0-f388e25d5820", + "control-id": "ma-5", "statements": [ { - "statement-id": "ra-1_smt.a", - "uuid": "37d9634d-5453-4155-aabb-f81cf06b34a4", + "statement-id": "ma-5_smt.a", + "uuid": "0b50950a-dffd-4180-872a-959324a5a94b", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "eecf010a-29e2-4e22-b33b-b12ec080f2af", + "description": "Add control implementation description here for item ma-5_smt.a" + } + ] + }, + { + "statement-id": "ma-5_smt.b", + "uuid": "693c5ee9-dd3f-4fce-8a44-7350d0fe1012", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "73e3f4e2-5eb8-4cb9-8690-2db2f4435564", + "description": "Add control implementation 
description here for item ma-5_smt.b" + } + ] + }, + { + "statement-id": "ma-5_smt.c", + "uuid": "1480ecb0-7091-443f-991d-16c8c0388a32", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "7f8c30b4-618b-4628-ad7f-45f71da8f9bd", - "description": "Add control implementation description here for statement ra-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "aa1ab2b6-f043-46b7-b89d-82787f53af15", + "description": "Add control implementation description here for item ma-5_smt.c" } ] } ] }, { - "uuid": "a08c5ca6-e98c-4c88-93df-cc6601454d1d", - "control-id": "ra-1", + "uuid": "d0c2d26c-2016-45cb-b75d-c33976e93d38", + "control-id": "mp-1", "statements": [ { - "statement-id": "ra-1_smt.b", - "uuid": "c629fb12-c8a4-4b1b-8926-fa739429aa0c", + "statement-id": "mp-1_smt.a", + "uuid": "b962c64d-97f4-4390-a0c2-ae61cb76df01", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f5d68195-10be-4bb9-9c97-7611b285c62e", - "description": "Add control implementation description here for statement ra-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "403377bb-1e23-414c-90fc-78783af4b01c", + "description": "Add control implementation description here for item mp-1_smt.a" } ] - } - ] - }, - { - "uuid": "992c0eac-a8ff-41c5-aa38-7c2bd4441c10", - "control-id": "ra-1", - "statements": [ + }, { - "statement-id": "ra-1_smt.c", - "uuid": "8755511c-7d84-428f-b016-522983b5992a", + "statement-id": "mp-1_smt.b", + "uuid": "cd007371-e400-4da0-98ca-caeb7bc4ec1f", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "5d8ad163-d572-497a-87f0-9f3c7dbd6e08", - "description": "Add control implementation description here for statement ra-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4f3dff23-0754-4413-bab6-6aaa6f1f3477", + "description": "Add control implementation description here for item mp-1_smt.b" 
} ] - } - ] - }, - { - "uuid": "edbb5a19-5375-4f0c-8f47-c0fd17621400", - "control-id": "ra-5", - "statements": [ + }, { - "statement-id": "ra-5_smt.a", - "uuid": "591b8a16-2ce5-40f1-8b41-74a152eec29b", + "statement-id": "mp-1_smt.c", + "uuid": "5bc8732e-32fb-4319-8250-7e8faaa1c29c", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "12bdabc4-49e4-47ad-829c-1fd05d7df094", - "description": "Add control implementation description here for statement ra-5_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c0ef169c-980b-43da-91a7-b96d2cf1c194", + "description": "Add control implementation description here for item mp-1_smt.c" } ] } ] }, { - "uuid": "32c1ed41-d9ae-4336-97fb-f03ac8039c94", - "control-id": "ra-5", + "uuid": "a3372d49-4397-4c4c-a45a-1d264106a5f8", + "control-id": "mp-2", "statements": [ { - "statement-id": "ra-5_smt.b", - "uuid": "0714fc0f-0620-45c6-81f4-16036f6fcfe6", + "statement-id": "mp-2_smt", + "uuid": "d5a55e60-182f-4e8d-a92d-fc18b24b0655", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "3aa7eda1-a5e1-4bbf-b5cc-b69c2b3381f4", - "description": "Add control implementation description here for statement ra-5_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "31612822-5132-413a-8c75-68520c908fea", + "description": "Add control implementation description here for control mp-2" } ] } ] }, { - "uuid": "7a83c58e-e2f3-4b1e-97ae-2a4f2e4dc0be", - "control-id": "ra-5", + "uuid": "f40a204d-e69b-478b-ba3a-ada6734b2870", + "control-id": "mp-6", "statements": [ { - "statement-id": "ra-5_smt.c", - "uuid": "114aa046-2afe-410e-9986-7f4450097e70", + "statement-id": "mp-6_smt.a", + "uuid": "40240f00-ca65-4f15-98d8-10e045014ba8", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "fb7e7ebc-2c4b-468f-82c7-967bd805d5e2", - "description": "Add control implementation description here for statement 
ra-5_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "67163f36-7db6-4ab6-b317-ff82837bc83e", + "description": "Add control implementation description here for item mp-6_smt.a" } ] - } - ] - }, - { - "uuid": "35a893b7-edd3-41ea-88ca-087b0a6f8b0b", - "control-id": "ra-5", - "statements": [ + }, { - "statement-id": "ra-5_smt.d", - "uuid": "a366d6d9-26ff-469a-9157-f78a2f9359e7", + "statement-id": "mp-6_smt.b", + "uuid": "89358f0b-dcaf-4808-b229-ae2ea75ce259", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f074c1ad-1a84-4e0e-a5df-a799cd51ed42", - "description": "Add control implementation description here for statement ra-5_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ff05eaeb-84d2-4aa5-bb74-8f2c685f3d2a", + "description": "Add control implementation description here for item mp-6_smt.b" } ] } ] }, { - "uuid": "52f8312f-2aed-49f3-8028-d2c9e30e1f0f", - "control-id": "ra-5", + "uuid": "682c8e07-efc0-4cf1-8745-0e2d39fc9d8a", + "control-id": "mp-7", "statements": [ { - "statement-id": "ra-5_smt.e", - "uuid": "46988937-10e6-4d3b-a25c-899c97a6a40f", + "statement-id": "mp-7_smt.a", + "uuid": "50fefb2c-e043-4962-8ad5-98f480078666", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "d4d7b56b-c4ef-41e8-91e2-9209e9bee501", - "description": "Add control implementation description here for statement ra-5_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "57c7ab8b-e472-44a3-8205-a20d2778c580", + "description": "Add control implementation description here for item mp-7_smt.a" } ] - } - ] - }, - { - "uuid": "a8e3c728-a484-44d0-bef6-2d79c3da84bf", - "control-id": "ra-5", - "statements": [ + }, { - "statement-id": "ra-5_smt.f", - "uuid": "e393f34f-c0c1-4e23-a708-181021b8455e", + "statement-id": "mp-7_smt.b", + "uuid": "3033fdda-8afd-43eb-97fe-881a45c10730", "by-components": [ { - "component-uuid": 
"67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a2dcab58-7dce-4acc-bea3-1c66fbd7d107", - "description": "Add control implementation description here for statement ra-5_smt.f" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f8f45e65-09a5-4e34-ab00-e81d775508ac", + "description": "Add control implementation description here for item mp-7_smt.b" } ] } ] }, { - "uuid": "8cd3c83a-aa2d-4474-b6a4-499fd78a09fe", - "control-id": "sa-9", + "uuid": "e84272c6-be03-4d18-95e6-8d1db8a65fca", + "control-id": "pe-1", "statements": [ { - "statement-id": "sa-9_smt.a", - "uuid": "fccaf388-41ca-491d-804a-d85039563877", + "statement-id": "pe-1_smt.a", + "uuid": "3ff059c1-4cad-4556-af38-2762ef2f726a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "bb5f8021-cb5b-4831-8f48-956a282157bb", - "description": "Add control implementation description here for statement sa-9_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "af45f881-ede4-463f-8cc1-6b8813a36217", + "description": "Add control implementation description here for item pe-1_smt.a" } ] - } - ] - }, - { - "uuid": "88cc23cd-ab33-4fd3-bec9-401df02387fd", - "control-id": "sa-9", - "statements": [ + }, { - "statement-id": "sa-9_smt.b", - "uuid": "1c2dd254-b4c8-43b8-982c-340edb08f721", + "statement-id": "pe-1_smt.b", + "uuid": "57a89512-02ed-4179-8f6c-049fd7b17576", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "6b22a179-f03b-45da-8347-51278c10b0e9", - "description": "Add control implementation description here for statement sa-9_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "78fc9790-3f69-4606-b62d-9b6497e63598", + "description": "Add control implementation description here for item pe-1_smt.b" } ] - } - ] - }, - { - "uuid": "f497bd32-db28-4601-9338-0249138b1f42", - "control-id": "sa-9", - "statements": [ + }, { - "statement-id": "sa-9_smt.c", - "uuid": 
"6d684b1a-12e1-43c0-a223-32e8d87b8657", + "statement-id": "pe-1_smt.c", + "uuid": "1e0f5c11-63c3-498e-92fb-8a71e5f62899", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "dbe0edc3-1b22-42f5-8cd6-0be3f0b64f77", - "description": "Add control implementation description here for statement sa-9_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b72a8c25-f32b-412d-b9c1-9419a253099f", + "description": "Add control implementation description here for item pe-1_smt.c" } ] } ] }, { - "uuid": "aab94f84-ab1e-46eb-bb36-75646462c6bd", - "control-id": "sa-2", + "uuid": "102ad31d-3b39-48a0-b746-20c3ce3d7cdb", + "control-id": "pe-2", "statements": [ { - "statement-id": "sa-2_smt.a", - "uuid": "45fd40a3-1e07-4afa-9e98-7b35df915980", + "statement-id": "pe-2_smt.a", + "uuid": "125e4d75-1539-4ce0-ae68-5ca322fb65fd", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "295f78a6-1309-46d5-9bb6-cc6bc958684d", - "description": "Add control implementation description here for statement sa-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4ee5fee9-5d31-4601-8128-d166980d04d3", + "description": "Add control implementation description here for item pe-2_smt.a" } ] - } - ] - }, - { - "uuid": "937f9354-8552-4d91-a6ae-b4fe33d726ae", - "control-id": "sa-2", - "statements": [ + }, { - "statement-id": "sa-2_smt.b", - "uuid": "14de740b-aa3d-4d62-a0e2-0be1a9d9f885", + "statement-id": "pe-2_smt.b", + "uuid": "b032571f-ae39-4144-8dd9-f65ec75aff86", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "2f59d817-4489-491c-9ee6-20a68b03262b", - "description": "Add control implementation description here for statement sa-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "400d8bd2-e3fd-4c70-8f60-7fd8dafd9cc3", + "description": "Add control implementation description here for item pe-2_smt.b" } ] - } - ] - 
}, - { - "uuid": "a3ab9b7f-65ef-4ba3-8ed6-9f302496a5be", - "control-id": "sa-2", - "statements": [ + }, { - "statement-id": "sa-2_smt.c", - "uuid": "2eef425f-67f6-4e6d-a0df-80bed8753b5b", + "statement-id": "pe-2_smt.c", + "uuid": "8ddfbe83-e662-4c50-b511-b5b44aedf9e4", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "30e3f1a8-51fd-4905-955d-3d2b97bef957", - "description": "Add control implementation description here for statement sa-2_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "814f8caa-ef4b-4375-b7d8-b0ed61194a8d", + "description": "Add control implementation description here for item pe-2_smt.c" } ] - } - ] - }, - { - "uuid": "7425e9c8-fc03-4cdc-9858-a240c94f0ea9", - "control-id": "sa-22", - "statements": [ + }, { - "statement-id": "sa-22_smt.a", - "uuid": "72d45838-5c19-4d6a-ac16-0ca69e2f216c", + "statement-id": "pe-2_smt.d", + "uuid": "25a7b683-3a76-4bb2-9c07-ce0563e01599", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "5346e1e0-93ae-4fac-94aa-bc9c48125f5d", - "description": "Add control implementation description here for statement sa-22_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "a7c68a05-7d20-43c3-b344-c54dfa88d93c", + "description": "Add control implementation description here for item pe-2_smt.d" } ] } ] }, { - "uuid": "43e8654d-f0d2-4387-af8d-ab49fa07416e", - "control-id": "sa-22", + "uuid": "fc228117-3df5-4d56-8865-eeb8f3c4d3d9", + "control-id": "pe-3", "statements": [ { - "statement-id": "sa-22_smt.b", - "uuid": "e0dfb8e3-1244-4af4-bd4f-bf1b45ce5c7e", + "statement-id": "pe-3_smt.a", + "uuid": "7764a7cf-d601-4518-8523-d39a3f6a8cda", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "7d3706e3-06a3-436a-82df-13243d102ac3", - "description": "Add control implementation description here for statement sa-22_smt.b" + "component-uuid": 
"97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "6fad4074-74b7-473e-9305-569edb1598ff", + "description": "Add control implementation description here for item pe-3_smt.a" } ] - } - ] - }, - { - "uuid": "ec8d5d52-49c1-45c6-80c0-527310d8d561", - "control-id": "sa-3", - "statements": [ + }, { - "statement-id": "sa-3_smt.a", - "uuid": "7373c2d9-9e1a-4047-b1e0-458d475c7cfc", + "statement-id": "pe-3_smt.b", + "uuid": "59d6b808-af6d-41df-b1a0-a8269b7cf846", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "d29d53a1-38dc-471c-b457-78f65d60bd70", - "description": "Add control implementation description here for statement sa-3_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "358e340f-2a83-49fe-bcbd-c3414541f344", + "description": "Add control implementation description here for item pe-3_smt.b" } ] - } - ] - }, - { - "uuid": "6fa65622-bdf3-4b0d-a8c3-89d17e822961", - "control-id": "sa-3", - "statements": [ + }, { - "statement-id": "sa-3_smt.b", - "uuid": "a0b3dbb7-2d9e-485a-9f6f-64f0a958c1f7", + "statement-id": "pe-3_smt.c", + "uuid": "15c126bc-fef1-4785-b2ba-27fd6c80e9fc", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "53f75cf2-f076-4377-819e-94b6f3c12072", - "description": "Add control implementation description here for statement sa-3_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "46df167b-41b8-4e5a-8e29-b7a0200026ae", + "description": "Add control implementation description here for item pe-3_smt.c" } ] - } - ] - }, - { - "uuid": "e221f16b-bd4f-4e0f-98f0-0c2cdca4220b", - "control-id": "sa-3", - "statements": [ + }, { - "statement-id": "sa-3_smt.c", - "uuid": "e8e2b88a-3a69-4c10-9741-7a3b46d4ed7e", + "statement-id": "pe-3_smt.d", + "uuid": "c186a76d-54ae-4885-8a96-9dd33dbee64c", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "49cc057b-4ae0-4089-8799-b9ce7c23d61b", - "description": 
"Add control implementation description here for statement sa-3_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "19aa6698-ff93-4001-9d9b-8c1a956353c0", + "description": "Add control implementation description here for item pe-3_smt.d" } ] - } - ] - }, - { - "uuid": "0d9e6637-b3b4-4e4c-b974-8fd7ceb05df7", - "control-id": "sa-3", - "statements": [ + }, { - "statement-id": "sa-3_smt.d", - "uuid": "6b34312a-4d4c-474b-92ca-725b5df7976b", + "statement-id": "pe-3_smt.e", + "uuid": "91f658bb-51ea-4bbc-a54c-fde7e21fdc11", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a4496456-3bf6-4d5c-9c77-81312f13f232", - "description": "Add control implementation description here for statement sa-3_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "a8043a07-732a-44a9-8b83-72577fc03536", + "description": "Add control implementation description here for item pe-3_smt.e" } ] - } - ] - }, - { - "uuid": "f7933db8-c410-4c2b-99d5-9318b8589fb3", - "control-id": "sa-4", - "statements": [ + }, { - "statement-id": "sa-4_smt.a", - "uuid": "d1e62526-0ebf-4e18-ba0d-b1263fd9de39", + "statement-id": "pe-3_smt.f", + "uuid": "1d0a0603-3616-4721-9536-daa17de253cd", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f2968c9b-dc4d-44c5-90ff-11f84c7e67c3", - "description": "Add control implementation description here for statement sa-4_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "959f5264-8237-499f-9535-6039a39fbc43", + "description": "Add control implementation description here for item pe-3_smt.f" } ] - } - ] - }, - { - "uuid": "87e1de22-4d63-4e53-bfe9-eb581651ff6c", - "control-id": "sa-4", - "statements": [ + }, { - "statement-id": "sa-4_smt.b", - "uuid": "67996d4f-a9b5-4121-8f43-690db2601fbb", + "statement-id": "pe-3_smt.g", + "uuid": "235e5eb3-8d99-447d-b278-143fed4ade26", "by-components": [ { - "component-uuid": 
"67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "18ade505-46e0-4b0d-9aab-1953f8e2982b", - "description": "Add control implementation description here for statement sa-4_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "29f6bb94-076e-4a16-91d0-dc13c85d9418", + "description": "Add control implementation description here for item pe-3_smt.g" } ] } ] }, { - "uuid": "3bbb73d3-9b06-4013-bfcf-b64fa75786ae", - "control-id": "sa-4", + "uuid": "f02f15d3-b9d7-4700-bc40-cf2d24da2e85", + "control-id": "pe-6", "statements": [ { - "statement-id": "sa-4_smt.c", - "uuid": "e0ba154f-7243-44fd-84b0-8a940f02f22b", + "statement-id": "pe-6_smt.a", + "uuid": "03c40a3b-3def-4ff7-a6e4-592ac18cd3ad", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "69e6473e-29fb-4129-a1e2-565c3f823f26", - "description": "Add control implementation description here for statement sa-4_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "524e9ce5-f2bf-4eee-90cf-4b079c9e7357", + "description": "Add control implementation description here for item pe-6_smt.a" } ] - } - ] - }, - { - "uuid": "f4330904-6756-483b-91d0-1ba5eecc8d2f", - "control-id": "sa-4", - "statements": [ + }, { - "statement-id": "sa-4_smt.d", - "uuid": "85a9da6b-3338-4932-9988-0512b28cd8a4", + "statement-id": "pe-6_smt.b", + "uuid": "6b138c19-1824-48ac-9d04-3497544ada5a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "4a4b968b-b55f-4dbb-9c1c-bbc7164824d2", - "description": "Add control implementation description here for statement sa-4_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "95024e89-428e-4429-b220-50981d1cfeb1", + "description": "Add control implementation description here for item pe-6_smt.b" } ] - } - ] - }, - { - "uuid": "41aab0ef-4d84-4637-90c4-826078b72aba", - "control-id": "sa-4", - "statements": [ + }, { - "statement-id": "sa-4_smt.e", - "uuid": 
"032e5a8a-f26d-49d8-83dd-1e28c18fec93", + "statement-id": "pe-6_smt.c", + "uuid": "d59c118b-9cf5-497f-8945-108f952c6b12", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "ab97655e-8ab0-450c-b4dc-24a58f71bf7c", - "description": "Add control implementation description here for statement sa-4_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f7089a4f-4518-40f0-a000-be62da7136d6", + "description": "Add control implementation description here for item pe-6_smt.c" } ] } ] }, { - "uuid": "ccef79d6-9b2a-45d4-883d-d215dd6fbe44", - "control-id": "sa-4", + "uuid": "c709614f-7c8c-4d27-89f6-c619d6c8533a", + "control-id": "pe-8", "statements": [ { - "statement-id": "sa-4_smt.f", - "uuid": "d1cb3f46-6e51-4444-af2c-603881583771", + "statement-id": "pe-8_smt.a", + "uuid": "5f31185b-57fb-4947-b4c2-c2fbf0e7c21c", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "d4863fe0-8d89-41ba-a0c9-87a7475a28ed", - "description": "Add control implementation description here for statement sa-4_smt.f" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "99c48d73-97cc-47bc-abe8-840a2d44d98a", + "description": "Add control implementation description here for item pe-8_smt.a" } ] - } - ] - }, - { - "uuid": "8d112792-3599-439a-a342-824f717f6d1a", - "control-id": "sa-4", - "statements": [ + }, { - "statement-id": "sa-4_smt.g", - "uuid": "00e3967d-2bc9-496f-949b-aa85109dcb3f", + "statement-id": "pe-8_smt.b", + "uuid": "ca4ca681-9cce-4e2d-b5a5-3f65359d1b74", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "28c2f135-1d09-4be8-bddc-64f614694d79", - "description": "Add control implementation description here for statement sa-4_smt.g" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "9bc32fad-4398-419a-afa4-4d2b66902cc7", + "description": "Add control implementation description here for item pe-8_smt.b" } ] - } - ] - 
}, - { - "uuid": "d44c505d-07fe-44dd-8eb4-175c0b463a23", - "control-id": "sa-4", - "statements": [ + }, { - "statement-id": "sa-4_smt.h", - "uuid": "ae56c9a8-d97c-4052-bcf3-2e8e1672a596", + "statement-id": "pe-8_smt.c", + "uuid": "ea39ac27-fafd-46ab-b281-297451346dfb", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "681878ae-186f-489c-8594-b65d8d181514", - "description": "Add control implementation description here for statement sa-4_smt.h" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1123983a-e422-4027-8ff8-ca67a6a8676f", + "description": "Add control implementation description here for item pe-8_smt.c" } ] } ] }, { - "uuid": "72488b21-2486-4a82-b49b-95326072f0c8", - "control-id": "sa-4", + "uuid": "e7b31f9b-fbb9-4166-b633-6695b98cb72a", + "control-id": "pe-12", "statements": [ { - "statement-id": "sa-4_smt.i", - "uuid": "789be2d0-0f67-453c-bba2-6758999ffea5", + "statement-id": "pe-12_smt", + "uuid": "1d601534-380e-4585-847f-3cf2e5a54d7a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b4d6aa32-5a2a-46fe-810c-da131295e531", - "description": "Add control implementation description here for statement sa-4_smt.i" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d424fabf-ac2d-4de2-8a45-eced2c016688", + "description": "Add control implementation description here for control pe-12" } ] } ] }, { - "uuid": "d59609d1-0477-49c4-ba48-67401d7b4f61", - "control-id": "sa-5", + "uuid": "339cc4f4-dafb-499d-a5ca-19ac63835fa0", + "control-id": "pe-13", "statements": [ { - "statement-id": "sa-5_smt.a", - "uuid": "d5ef7e75-f608-43fb-91c7-553876eeb008", + "statement-id": "pe-13_smt", + "uuid": "2236b2d9-9f3c-4206-ad47-4de0277e45a8", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "63cf5c02-1333-4bc1-9f9f-75c287dc5061", - "description": "Add control implementation description here for statement sa-5_smt.a" + 
"component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "93521645-fccd-4142-8b14-1ad41e29c4b8", + "description": "Add control implementation description here for control pe-13" } ] } ] }, { - "uuid": "1acf19d4-0923-4820-8627-22107e5d0c4a", - "control-id": "sa-5", + "uuid": "5072599f-4a4b-438a-a3ae-5e95ff889ea1", + "control-id": "pe-14", "statements": [ { - "statement-id": "sa-5_smt.b", - "uuid": "efe53e81-f59b-4223-9416-9c01c80ab171", + "statement-id": "pe-14_smt.a", + "uuid": "7a4270ab-bca1-4584-9956-1ed6d088788f", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "81119e2e-ff03-469c-a00e-8809b1a2db55", - "description": "Add control implementation description here for statement sa-5_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "697b0111-4838-4966-9fb9-a9d0a96f8f1e", + "description": "Add control implementation description here for item pe-14_smt.a" } ] - } - ] - }, - { - "uuid": "321c67bb-2711-462d-babd-65b63b9827da", - "control-id": "sa-5", - "statements": [ + }, { - "statement-id": "sa-5_smt.c", - "uuid": "4fa1c83d-c0d0-4d37-a03e-d0f6714dfc93", + "statement-id": "pe-14_smt.b", + "uuid": "c2ad0fef-a8fd-4c2c-9dc0-45d877fbe055", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "1e312c06-03e7-4811-a90d-e8109af6e52c", - "description": "Add control implementation description here for statement sa-5_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "7c1ea48c-6227-41f9-8bb3-0acd0f2875e7", + "description": "Add control implementation description here for item pe-14_smt.b" } ] } ] }, { - "uuid": "c6eeeef9-e5ff-4692-b935-cd05b8ab57b4", - "control-id": "sa-5", + "uuid": "afae845a-0b87-419d-ab83-c83fe40d7fa4", + "control-id": "pe-15", "statements": [ { - "statement-id": "sa-5_smt.d", - "uuid": "49dd2685-c9be-4b2d-9b63-e378af6d07cf", + "statement-id": "pe-15_smt", + "uuid": "28699095-3798-45eb-aa39-9a5f5ff53743", 
"by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "1858642a-07ab-4ddb-890b-e9d14e12a5f3", - "description": "Add control implementation description here for statement sa-5_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "488d5b77-f0cf-4887-ac44-be94a9c231a7", + "description": "Add control implementation description here for control pe-15" } ] } ] }, { - "uuid": "3acd7b50-9db7-461c-ac6d-81972b6486da", - "control-id": "sa-1", + "uuid": "898879bf-fd6c-452d-a2c7-2db50331086b", + "control-id": "pe-16", "statements": [ { - "statement-id": "sa-1_smt.a", - "uuid": "69c4f991-3fc3-4ae7-9755-737319b617ba", + "statement-id": "pe-16_smt.a", + "uuid": "8d5c2804-9cf4-4207-86cd-a3a6ea211ec6", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "4bf113b2-851c-4f4a-99e6-71a727844266", - "description": "Add control implementation description here for statement sa-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "e5afae44-f390-43fc-a738-166107cbfc61", + "description": "Add control implementation description here for item pe-16_smt.a" } ] - } - ] - }, - { - "uuid": "392d41a4-4a7a-4874-a0f8-819e78331dd1", - "control-id": "sa-1", - "statements": [ + }, { - "statement-id": "sa-1_smt.b", - "uuid": "f972550e-bccf-4f8e-9866-a81f245a0999", + "statement-id": "pe-16_smt.b", + "uuid": "04165a54-9e03-413e-8a55-8121a0c4a0c8", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "5a1ea447-eb40-4d89-8527-0835315defc9", - "description": "Add control implementation description here for statement sa-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "a0904149-7605-4574-9016-a92bc5198096", + "description": "Add control implementation description here for item pe-16_smt.b" } ] } ] }, { - "uuid": "ea7fa929-77c6-4896-89e5-e8505613d032", - "control-id": "sa-1", + "uuid": 
"b7218208-0d95-4a2b-90e4-9ad17f75c8b4", + "control-id": "pl-1", "statements": [ { - "statement-id": "sa-1_smt.c", - "uuid": "d185ef17-9121-4671-b081-5d877db2deba", + "statement-id": "pl-1_smt.a", + "uuid": "676d8843-0059-4f76-9973-bb88df4ba4a8", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0be439b2-3c43-4500-bbc8-51d701926419", + "description": "Add control implementation description here for item pl-1_smt.a" + } + ] + }, + { + "statement-id": "pl-1_smt.b", + "uuid": "c8235c75-c986-45a1-a27c-04b05a214076", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4217f169-2a08-431a-a548-e5ee70f27a30", + "description": "Add control implementation description here for item pl-1_smt.b" + } + ] + }, + { + "statement-id": "pl-1_smt.c", + "uuid": "07f68fdf-2395-4692-9d4c-6c26abc293bc", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "75bac8a3-509f-4a93-94e3-9a2049ff54b6", - "description": "Add control implementation description here for statement sa-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "67ea80fe-7968-4683-a4b0-d4b48c3fa7f6", + "description": "Add control implementation description here for item pl-1_smt.c" } ] } ] }, { - "uuid": "d52c6801-6c77-4f27-986b-9141890ac2d0", - "control-id": "ps-8", + "uuid": "5b3b5ce9-de47-4a1a-87de-d9e33a955922", + "control-id": "pl-2", "statements": [ { - "statement-id": "ps-8_smt.a", - "uuid": "5d0b0c75-ce63-4029-a8e7-2c9bf61af373", + "statement-id": "pl-2_smt.a", + "uuid": "0712164a-6b17-4441-920f-85e17b08c21f", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "ea16c18a-d94b-46b9-8a16-181133dccfd3", - "description": "Add control implementation description here for statement ps-8_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "95dbc604-4fd5-47d0-aaef-4fe9e1131a08", + "description": "Add control 
implementation description here for item pl-2_smt.a" } ] - } - ] - }, - { - "uuid": "4dc3a2f2-7f87-4d76-b83a-4bf93a3c9bdc", - "control-id": "ps-8", - "statements": [ + }, { - "statement-id": "ps-8_smt.b", - "uuid": "63e5699c-c6f7-412a-b9ea-a69b0aa68352", + "statement-id": "pl-2_smt.b", + "uuid": "18074902-793d-4c10-90c8-056ae6db2d0a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "d53334d3-dfb3-425b-8501-83ed892ba4bb", - "description": "Add control implementation description here for statement ps-8_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "af33f2c5-5e0d-46b3-900e-edc7a5e5af98", + "description": "Add control implementation description here for item pl-2_smt.b" } ] - } - ] - }, - { - "uuid": "9731a239-66dc-4239-af98-5685c79b61d2", - "control-id": "ps-3", - "statements": [ + }, { - "statement-id": "ps-3_smt.a", - "uuid": "0a83b9f7-a1db-4113-9b76-f3ed24e85d9d", + "statement-id": "pl-2_smt.c", + "uuid": "1617d514-1da5-4e89-b625-fce9510aa26e", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f658ebfb-6497-4b6c-8498-6b42b7ccf7c6", - "description": "Add control implementation description here for statement ps-3_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "39fce2ee-6345-403a-9117-848517bacfb1", + "description": "Add control implementation description here for item pl-2_smt.c" } ] - } - ] - }, - { - "uuid": "bfa8235c-a891-4a89-8ccd-6b589a16a157", - "control-id": "ps-3", - "statements": [ + }, { - "statement-id": "ps-3_smt.b", - "uuid": "8f9bdba3-7be9-4594-b81d-9d5b7483caf2", + "statement-id": "pl-2_smt.d", + "uuid": "008efc1d-1dbc-4f4e-b8ba-923ecf38890c", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "fddd42f1-1644-4872-8b6d-bea8510d99d2", - "description": "Add control implementation description here for statement ps-3_smt.b" + "component-uuid": 
"97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d0859dec-13b6-45ce-8194-0afb2bb84c60", + "description": "Add control implementation description here for item pl-2_smt.d" } ] - } - ] - }, - { - "uuid": "c6abcd5b-83b5-43e0-9c44-336af39246f6", - "control-id": "ps-7", - "statements": [ + }, { - "statement-id": "ps-7_smt.a", - "uuid": "366b65fd-7ba4-452b-bb81-b7391b217564", + "statement-id": "pl-2_smt.e", + "uuid": "8737b722-e442-4395-9bdf-9d89328dd336", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "35bb2b2c-e015-45d6-9ca3-e9a43ab83d87", - "description": "Add control implementation description here for statement ps-7_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "34b9966d-17fb-4a7a-9bc4-88ed75c06007", + "description": "Add control implementation description here for item pl-2_smt.e" } ] } ] }, { - "uuid": "5111ec50-734f-469a-8a6c-36fd1cab9c1c", - "control-id": "ps-7", + "uuid": "5c31d648-f0de-44ee-9c8e-f2e0d3f17d95", + "control-id": "pl-4", "statements": [ { - "statement-id": "ps-7_smt.b", - "uuid": "09343e60-5478-4dce-b5bd-d61e572e9092", + "statement-id": "pl-4_smt.a", + "uuid": "1d741163-2ecf-478e-bfd2-70c10660ee7b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "2a3a6166-7922-4a27-88cc-b862e176ab57", - "description": "Add control implementation description here for statement ps-7_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "e88d1d4d-972e-4056-b5b1-6151fec65dfb", + "description": "Add control implementation description here for item pl-4_smt.a" } ] - } - ] - }, - { - "uuid": "5024fcca-3527-4b11-8b95-f8f55e85e886", - "control-id": "ps-7", - "statements": [ + }, { - "statement-id": "ps-7_smt.c", - "uuid": "d61752b8-ece2-4be6-a9af-e4cf2d680df3", + "statement-id": "pl-4_smt.b", + "uuid": "bd756d6b-f211-4803-a77e-54118e61d554", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": 
"a5ff199a-2e17-4804-a3ed-6854a3b68274", - "description": "Add control implementation description here for statement ps-7_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "077323f3-fd84-442c-8b22-4ce8b0865820", + "description": "Add control implementation description here for item pl-4_smt.b" } ] - } - ] - }, - { - "uuid": "6aafaf88-1ed9-4496-96ba-fa49f47b4262", - "control-id": "ps-7", - "statements": [ + }, { - "statement-id": "ps-7_smt.d", - "uuid": "d46641dc-59d2-419a-9fa2-aeda0e861b43", + "statement-id": "pl-4_smt.c", + "uuid": "3b7d90a3-ee87-4981-9248-43dc484e2044", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "44e7f369-4fd3-4551-8af2-53e4f0642122", - "description": "Add control implementation description here for statement ps-7_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "dcab4149-b99e-40d2-be90-3e6a18e101fd", + "description": "Add control implementation description here for item pl-4_smt.c" } ] - } - ] - }, - { - "uuid": "ddf43494-714c-4cff-9e3e-d421004d574f", - "control-id": "ps-7", - "statements": [ + }, { - "statement-id": "ps-7_smt.e", - "uuid": "1b16607a-cf4c-4c16-814d-a99b07627f14", + "statement-id": "pl-4_smt.d", + "uuid": "eafe11be-41ae-405b-b40c-67afb1f449d3", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a18ca218-691a-4432-afc7-7ca79273e595", - "description": "Add control implementation description here for statement ps-7_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d0ff3c40-a4b5-43fa-bc1d-127e3edf96b6", + "description": "Add control implementation description here for item pl-4_smt.d" } ] } ] }, { - "uuid": "4206b5e5-c6d6-4473-8dbf-288c655938b8", - "control-id": "ps-6", + "uuid": "ba1b7f05-25b2-4941-bd0b-d8c5fd884e29", + "control-id": "pl-4.1", "statements": [ { - "statement-id": "ps-6_smt.a", - "uuid": "f8a77da5-835f-457e-a01e-d4a3a132fce1", + "statement-id": 
"pl-4.1_smt.a", + "uuid": "1a95424b-2836-4926-a186-26364eae68eb", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "ca8ef968-d816-4e94-844a-063b945df8eb", - "description": "Add control implementation description here for statement ps-6_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "dacefb28-9f08-4313-8d8a-47f568cf65c6", + "description": "Add control implementation description here for item pl-4.1_smt.a" } ] - } - ] - }, - { - "uuid": "737d63d0-3e69-4d35-bf8d-958e50b74161", - "control-id": "ps-6", - "statements": [ + }, { - "statement-id": "ps-6_smt.b", - "uuid": "d2599577-3942-4329-9e22-ca412baf8b41", + "statement-id": "pl-4.1_smt.b", + "uuid": "2cace79c-042c-4ffc-93e4-d72cf704b3b1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "403392d9-b333-4f0f-a816-e54ee66851ad", - "description": "Add control implementation description here for statement ps-6_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "83917360-9ed7-447a-9c27-8d67e4bd45aa", + "description": "Add control implementation description here for item pl-4.1_smt.b" } ] - } - ] - }, - { - "uuid": "53523773-e858-4368-8777-fe9f8030f99a", - "control-id": "ps-6", - "statements": [ + }, { - "statement-id": "ps-6_smt.c", - "uuid": "220fcaab-ee9d-49c5-be9c-0c1fe090fdf6", + "statement-id": "pl-4.1_smt.c", + "uuid": "fa2d5fd0-06b0-494a-9e0e-25f5cde85e2c", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c858e024-0654-47d1-aa1d-9f17bc21d49b", - "description": "Add control implementation description here for statement ps-6_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "a29ee874-c6b3-457f-9924-28bd7b724d33", + "description": "Add control implementation description here for item pl-4.1_smt.c" } ] } ] }, { - "uuid": "4fc3b5e9-fab4-4a2d-afd2-d87711215b0c", - "control-id": "ps-2", + "uuid": 
"d2a47f61-79d9-4383-bdec-0d1a4f346838", + "control-id": "pl-10", "statements": [ { - "statement-id": "ps-2_smt.a", - "uuid": "3acd9d5e-7a69-4872-9cc3-87876501992b", + "statement-id": "pl-10_smt", + "uuid": "c3be76b2-9d88-416a-9ba1-c9a5c8a8e10f", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "66a6d5e9-c7b2-4548-90c5-b306dc47942b", - "description": "Add control implementation description here for statement ps-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c81aee8f-2609-4919-b53c-1aab12dc6c1e", + "description": "Add control implementation description here for control pl-10" } ] } ] }, { - "uuid": "6f5af6ce-429a-4c3e-95b1-99e6ba4f54f5", - "control-id": "ps-2", + "uuid": "64715dd8-9dcd-4db0-89db-4c01cbc73c80", + "control-id": "pl-11", "statements": [ { - "statement-id": "ps-2_smt.b", - "uuid": "525be6ba-7b04-48a6-9f2f-67928fa730ee", + "statement-id": "pl-11_smt", + "uuid": "f24a2226-28a1-4eab-9206-ce5e8940861e", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "1482d1e7-d129-4d8c-93d0-48be809892a9", - "description": "Add control implementation description here for statement ps-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "fe94a65e-2f7b-41b8-a439-8c1f7d9a1b97", + "description": "Add control implementation description here for control pl-11" } ] } ] }, { - "uuid": "34daee81-513b-4e21-835c-6475a11b7508", - "control-id": "ps-2", + "uuid": "6f49c613-203a-4112-a538-ffd6af19ef24", + "control-id": "ps-1", "statements": [ { - "statement-id": "ps-2_smt.c", - "uuid": "ba65ab47-7dbd-4cb6-865f-3f0ae05303ed", + "statement-id": "ps-1_smt.a", + "uuid": "48799abf-c948-4e21-9d94-2ad555be082a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "135ce691-f12f-492e-a00b-61dd23acfe29", - "description": "Add control implementation description here for statement ps-2_smt.c" + "component-uuid": 
"97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "799b84c6-4288-4238-9727-c09fa1005d1a", + "description": "Add control implementation description here for item ps-1_smt.a" } ] - } - ] - }, - { - "uuid": "5aa88f25-ae12-4896-8eb1-ce917cea29b3", - "control-id": "ps-5", - "statements": [ + }, { - "statement-id": "ps-5_smt.a", - "uuid": "47de1169-d386-48cc-96ec-b8265dd81db9", + "statement-id": "ps-1_smt.b", + "uuid": "570cb6e5-9b55-4329-9dcc-de66efdbfd06", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "d6cbd1ab-533b-4f1d-b7e7-3830ef6a9b88", - "description": "Add control implementation description here for statement ps-5_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "87b6f4c5-80f8-4234-9796-f885b88af083", + "description": "Add control implementation description here for item ps-1_smt.b" } ] - } - ] - }, - { - "uuid": "1a4f84c4-90ba-48f8-91f7-5673dd74728b", - "control-id": "ps-5", - "statements": [ + }, { - "statement-id": "ps-5_smt.b", - "uuid": "beff49b8-025c-41ad-a46e-831cf5f59ac8", + "statement-id": "ps-1_smt.c", + "uuid": "c3bd486b-3f33-4625-9cd3-ce8f45698d28", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "04123046-4d0b-4ee2-a232-6fbaa4c5250c", - "description": "Add control implementation description here for statement ps-5_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "3aaa0dad-28cb-4fa2-b5f2-95b988382384", + "description": "Add control implementation description here for item ps-1_smt.c" } ] } ] }, { - "uuid": "7c14e195-72b1-414e-9500-a4a882ca3e5e", - "control-id": "ps-5", + "uuid": "aec40da8-1066-4a67-ab82-cfc554cb5d18", + "control-id": "ps-2", "statements": [ { - "statement-id": "ps-5_smt.c", - "uuid": "dc57b5cc-fec3-4d14-a921-32ee064e55e8", + "statement-id": "ps-2_smt.a", + "uuid": "f09693d7-deae-4f23-bbfe-7681dbe56fe2", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": 
"52761c0e-20ec-4073-8dab-ae60c5fd1b24", - "description": "Add control implementation description here for statement ps-5_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0cc4e9c0-aa17-462a-b7f0-05bc71e10d93", + "description": "Add control implementation description here for item ps-2_smt.a" } ] - } - ] - }, - { - "uuid": "ee98f445-a5b5-4ead-9ed9-ad395f894b65", - "control-id": "ps-5", - "statements": [ + }, { - "statement-id": "ps-5_smt.d", - "uuid": "f5734920-fe01-42c5-b9bf-b96102c55e06", + "statement-id": "ps-2_smt.b", + "uuid": "51319c79-bc23-4a67-b371-4e3a24ffb63f", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "316ec082-44ff-4d4c-a4d0-752b68118019", - "description": "Add control implementation description here for statement ps-5_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "35be4b06-5ba4-482b-b761-08dd5b5b5f5e", + "description": "Add control implementation description here for item ps-2_smt.b" } ] - } - ] - }, - { - "uuid": "121553a3-b8a9-48b7-8197-dbeda49a8b8a", - "control-id": "ps-1", - "statements": [ + }, { - "statement-id": "ps-1_smt.a", - "uuid": "3d8b1bd2-73e7-4f5f-a4e2-b717367b48ee", + "statement-id": "ps-2_smt.c", + "uuid": "f131e2c1-4c55-40a1-9c78-350158e70fd9", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "4a00a8a7-9143-460a-a9ae-3d5e6f1da83d", - "description": "Add control implementation description here for statement ps-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "42daa76c-bc10-435c-99b2-edc672b589cb", + "description": "Add control implementation description here for item ps-2_smt.c" } ] } ] }, { - "uuid": "a7e56ce9-2ced-46c5-b20a-9645a41aa5ce", - "control-id": "ps-1", + "uuid": "de182d4e-c59a-4395-83f9-1ae7ad6e7f47", + "control-id": "ps-3", "statements": [ { - "statement-id": "ps-1_smt.b", - "uuid": "6d51e981-73c5-4364-8d60-3a49fe6c0a32", + "statement-id": 
"ps-3_smt.a", + "uuid": "0d6a06fd-8360-4129-ad9e-6d4e4b8d5427", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b9586b5c-e2ad-4abc-9467-ab9b0fa23779", - "description": "Add control implementation description here for statement ps-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "3bd901f7-08aa-42c8-9ed2-d545da11fe9c", + "description": "Add control implementation description here for item ps-3_smt.a" } ] - } - ] - }, - { - "uuid": "d11463ac-36db-4226-aa6c-b5ba71b05d25", - "control-id": "ps-1", - "statements": [ + }, { - "statement-id": "ps-1_smt.c", - "uuid": "affd4993-993d-4a03-bd6a-4d581cee0476", + "statement-id": "ps-3_smt.b", + "uuid": "d9d8be84-bcab-4680-bc0a-418de2c5ead7", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "6d2c8f26-909f-4a7c-9e76-7f6ad3f0a635", - "description": "Add control implementation description here for statement ps-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d4d71440-d86c-4e48-8606-1d8c7a62a9ad", + "description": "Add control implementation description here for item ps-3_smt.b" } ] } ] }, { - "uuid": "783ae5cd-a396-4aff-9dfb-9bfa2a57ed9d", + "uuid": "c864944b-725b-49ce-9572-0ef7b3892576", "control-id": "ps-4", "statements": [ { "statement-id": "ps-4_smt.a", - "uuid": "bd1bb84b-6dbc-4f27-87ab-bfab449973b2", + "uuid": "9d6f3da1-42a7-4ef8-9772-3c40be9abad8", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "9cf00fc9-ed2d-4264-852f-07727debb203", - "description": "Add control implementation description here for statement ps-4_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "cdce570a-5a27-4d4b-a8f0-7d31a3f241ad", + "description": "Add control implementation description here for item ps-4_smt.a" } ] - } - ] - }, - { - "uuid": "3c3e8aee-0f24-4bd1-8ba7-dfe453b8bdeb", - "control-id": "ps-4", - "statements": [ + }, { 
"statement-id": "ps-4_smt.b", - "uuid": "e514cec4-212a-475e-b2bc-10f4e610b3b0", + "uuid": "1d9e15e7-7411-4607-b1f0-a908f9605f72", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "bdf3a217-92b3-4408-bfbb-368f8051a676", - "description": "Add control implementation description here for statement ps-4_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "8fe497c3-3d30-45c2-ac42-502b5e5bd66c", + "description": "Add control implementation description here for item ps-4_smt.b" } ] - } - ] - }, - { - "uuid": "903dd00c-feca-45a1-81e9-35ba41083968", - "control-id": "ps-4", - "statements": [ + }, { "statement-id": "ps-4_smt.c", - "uuid": "e60b7d2d-3260-4f1c-b9a2-676de96c1925", + "uuid": "3d6326af-d35b-41e2-a547-153e49a33d39", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "247e7aa1-fcf6-4a13-a802-02c2d9279465", - "description": "Add control implementation description here for statement ps-4_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "fe815c00-8637-491b-8733-9abda8faa52d", + "description": "Add control implementation description here for item ps-4_smt.c" } ] - } - ] - }, - { - "uuid": "b5c18790-fe0d-4801-ae66-ae4fc59b5dfe", - "control-id": "ps-4", - "statements": [ + }, { "statement-id": "ps-4_smt.d", - "uuid": "924d3e2d-4e46-4a9c-9203-0240ff3629a0", + "uuid": "f1165a50-c36f-447b-a24c-686e0a2d1fe3", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c44fc2d2-911b-48a7-9a09-4875cf1006bf", - "description": "Add control implementation description here for statement ps-4_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "e69d2c4c-1fe3-44d7-b6d3-baf616dc56b0", + "description": "Add control implementation description here for item ps-4_smt.d" } ] - } - ] - }, - { - "uuid": "6371f03b-10b7-4038-8d7c-e139ec2ea1a5", - "control-id": "ps-4", - "statements": [ + }, { 
"statement-id": "ps-4_smt.e", - "uuid": "d9380faa-28e0-4d7c-9933-c9c922c41df6", + "uuid": "5c6a0708-1523-4885-a012-1145400dca03", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "89053ca4-ffbe-409a-90b4-b7a773540428", - "description": "Add control implementation description here for statement ps-4_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4d2946fc-c9fe-4c27-8a37-bc78d7f069b0", + "description": "Add control implementation description here for item ps-4_smt.e" } ] } ] }, { - "uuid": "5192b9c6-6f0a-4dca-9e20-6e1148980f2f", - "control-id": "sr-2", + "uuid": "3c08c956-b2f9-459d-9a4b-43daaae858f0", + "control-id": "ps-5", "statements": [ { - "statement-id": "sr-2_smt.a", - "uuid": "d5981afd-b834-4bd3-93d3-d95ecf4a29b6", + "statement-id": "ps-5_smt.a", + "uuid": "55416fad-aee6-4555-8bae-93b3c56103b9", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "7ff918ff-692d-4985-b935-d803b8e93b07", - "description": "Add control implementation description here for statement sr-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1c8252bf-ab3e-429b-93c5-bec9ee339daf", + "description": "Add control implementation description here for item ps-5_smt.a" } ] - } - ] - }, - { - "uuid": "9339d9c5-2344-41ab-a5e8-d3acc851bc5f", - "control-id": "sr-2", - "statements": [ + }, { - "statement-id": "sr-2_smt.b", - "uuid": "5ba9da45-4f60-461d-bb12-ce2b6110f1b4", + "statement-id": "ps-5_smt.b", + "uuid": "838c7831-f803-41c9-8996-edb4817faa94", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "1a21e94b-aa38-4bdd-8906-2373fd0d0f5a", - "description": "Add control implementation description here for statement sr-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "02e342a4-c486-465f-ace9-e10c14b45398", + "description": "Add control implementation description here for item ps-5_smt.b" } ] - 
} - ] - }, - { - "uuid": "557c978b-f444-4c29-a51f-a52355c5ce41", - "control-id": "sr-2", - "statements": [ + }, { - "statement-id": "sr-2_smt.c", - "uuid": "19988d06-b0b7-432b-927a-a3287ad60839", + "statement-id": "ps-5_smt.c", + "uuid": "6496173c-c009-48c0-9c26-4ba37aa1c224", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "cedd5618-0e54-41a6-a8a2-54ac0030c422", - "description": "Add control implementation description here for statement sr-2_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "da946fba-c6a8-4812-8511-c2e8b585950d", + "description": "Add control implementation description here for item ps-5_smt.c" } ] - } - ] - }, - { - "uuid": "42aa75b5-567a-4d2b-aeff-62c6f2f8e762", - "control-id": "sr-3", - "statements": [ + }, { - "statement-id": "sr-3_smt.a", - "uuid": "31021637-0518-448f-a87e-f691337b72e1", + "statement-id": "ps-5_smt.d", + "uuid": "da98854e-4840-4634-b342-a81b112e3943", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "00ce1a00-4a7b-4d47-8797-f2888b42b7b0", - "description": "Add control implementation description here for statement sr-3_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "03912029-634b-4d27-87e6-bd8bae345784", + "description": "Add control implementation description here for item ps-5_smt.d" } ] } ] }, { - "uuid": "bdb27d07-e50b-4cc3-9394-6ad163a368ab", - "control-id": "sr-3", + "uuid": "6ec4e941-fdcd-4b29-96fb-e48c69d770f2", + "control-id": "ps-6", "statements": [ { - "statement-id": "sr-3_smt.b", - "uuid": "0ea06a70-eab3-4c46-bc6a-c6a01fae62f1", + "statement-id": "ps-6_smt.a", + "uuid": "9dda943e-f4fb-4b83-940e-ac541b3e391a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "8f03cb19-62d2-4a65-b34c-9473808445cd", - "description": "Add control implementation description here for statement sr-3_smt.b" + "component-uuid": 
"97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "907d4b4f-ecc8-4c2d-b693-73acd34d05d2", + "description": "Add control implementation description here for item ps-6_smt.a" } ] - } - ] - }, - { - "uuid": "628e73db-86f4-4b4a-b0aa-0b38df94966e", - "control-id": "sr-3", - "statements": [ + }, { - "statement-id": "sr-3_smt.c", - "uuid": "add01f9b-1e7f-4e92-b6f7-daf5e5308d5d", + "statement-id": "ps-6_smt.b", + "uuid": "39d4cd70-3704-4da0-82a7-4ee628438dc2", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b894e35a-424b-4a84-996f-c2fab2dfd3c3", - "description": "Add control implementation description here for statement sr-3_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "67a57dce-e755-49d0-8158-331014729218", + "description": "Add control implementation description here for item ps-6_smt.b" } ] - } - ] - }, - { - "uuid": "ad6a09ce-5614-4a46-abd9-a3e9fcf2308e", - "control-id": "sr-11", - "statements": [ + }, { - "statement-id": "sr-11_smt.a", - "uuid": "c2e6074f-144b-4434-91b7-440167975325", + "statement-id": "ps-6_smt.c", + "uuid": "208083eb-681a-4810-9a76-b5153f55de90", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b96bedd7-e4ee-4c74-8644-cfe536b3a06d", - "description": "Add control implementation description here for statement sr-11_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f8c187ff-685b-400b-9e96-3ca0bfae237a", + "description": "Add control implementation description here for item ps-6_smt.c" } ] } ] }, { - "uuid": "7fa83d4b-c2be-437b-a696-9601e0a095f0", - "control-id": "sr-11", + "uuid": "89730a9f-4511-4325-a6ac-afb43e4199f7", + "control-id": "ps-7", "statements": [ { - "statement-id": "sr-11_smt.b", - "uuid": "4f2ea806-23fc-48eb-917c-ec6e46379373", + "statement-id": "ps-7_smt.a", + "uuid": "9ff1203b-1590-4145-b07a-2630d01a8595", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - 
"uuid": "8108a372-ff45-4ca9-ad0d-5a0bf919bc68", - "description": "Add control implementation description here for statement sr-11_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ed94d385-23ec-4201-9487-ce71cffb9cea", + "description": "Add control implementation description here for item ps-7_smt.a" } ] - } - ] - }, - { - "uuid": "feb6912d-4c1d-43f2-a953-45b97fb951f3", - "control-id": "sr-1", - "statements": [ + }, { - "statement-id": "sr-1_smt.a", - "uuid": "9d08fdfc-0290-4c53-be90-085d4086c39d", + "statement-id": "ps-7_smt.b", + "uuid": "86c3beba-ffa4-4cd9-88fe-e4f168e5c251", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "8b60a1b7-b6e3-4cb1-84c5-97de91cc3db2", - "description": "Add control implementation description here for statement sr-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4d9b3a70-d27b-460e-9c23-51855af4f38a", + "description": "Add control implementation description here for item ps-7_smt.b" } ] - } - ] - }, - { - "uuid": "cb98c619-df85-4945-8301-7b92c63511bd", - "control-id": "sr-1", - "statements": [ + }, + { + "statement-id": "ps-7_smt.c", + "uuid": "965e2703-6082-4eb7-b172-b899673a2d0d", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "6b995440-40a8-4afb-b1b9-b4899ad308fb", + "description": "Add control implementation description here for item ps-7_smt.c" + } + ] + }, { - "statement-id": "sr-1_smt.b", - "uuid": "2ec3aa21-343d-49ec-abd3-2a588f33b476", + "statement-id": "ps-7_smt.d", + "uuid": "54f4d00e-1827-4a83-b636-4ba5130e82f1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "aabf2794-7e39-45e9-9f58-d8ec422156e5", - "description": "Add control implementation description here for statement sr-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "391ddeed-efcf-4454-96f1-cca928b2583a", + "description": "Add control 
implementation description here for item ps-7_smt.d" } ] - } - ] - }, - { - "uuid": "74a74e12-8de3-4b35-8e89-1be50273f267", - "control-id": "sr-1", - "statements": [ + }, { - "statement-id": "sr-1_smt.c", - "uuid": "7e93d341-0344-4ac4-a0b6-9577d2112fb1", + "statement-id": "ps-7_smt.e", + "uuid": "f6f0f754-9730-4138-9bfc-8325349fbde1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "cb77c956-1d1e-4e03-92f7-5349197d7e8a", - "description": "Add control implementation description here for statement sr-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "bb617752-b095-4420-81ad-aed62945b0c9", + "description": "Add control implementation description here for item ps-7_smt.e" } ] } ] }, { - "uuid": "bef50188-f2f8-46f5-9942-6e34ee6fa77f", - "control-id": "si-4", + "uuid": "0b425cd6-0a3c-4bc6-8ac8-7aeb649f45b1", + "control-id": "ps-8", "statements": [ { - "statement-id": "si-4_smt.a", - "uuid": "3e9abc37-57e4-4462-9435-ed7face9ce0e", + "statement-id": "ps-8_smt.a", + "uuid": "6852a104-3981-41af-9cf0-79641bca8354", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "54b8966c-4586-4c38-8bfe-ec0cdb1f291b", - "description": "Add control implementation description here for statement si-4_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b58d9c01-8a55-4100-9fab-edf51bef85ba", + "description": "Add control implementation description here for item ps-8_smt.a" } ] - } - ] - }, - { - "uuid": "e5b18a1c-0f66-4630-9e96-c1fa492cb228", - "control-id": "si-4", - "statements": [ + }, { - "statement-id": "si-4_smt.b", - "uuid": "1ebda284-6389-41ea-adb8-51deb077e233", + "statement-id": "ps-8_smt.b", + "uuid": "2635fab8-c873-46c0-9bc2-14c6bd26a56d", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "121224af-e4c6-4c91-a1eb-cf8ee30c2847", - "description": "Add control implementation description here for statement 
si-4_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "fd2e1fb6-850f-4d8b-8bc8-f91c2938b9dd", + "description": "Add control implementation description here for item ps-8_smt.b" } ] } ] }, { - "uuid": "7ed48504-f618-460b-b1cc-26442a238b81", - "control-id": "si-4", + "uuid": "dcbaff20-59ca-4c18-b810-cc39456b0365", + "control-id": "ps-9", "statements": [ { - "statement-id": "si-4_smt.c", - "uuid": "b190bcc3-09bc-406b-9e35-236f8f7cf033", + "statement-id": "ps-9_smt", + "uuid": "86c55f5b-65f7-4d46-96ee-79d26f6cfdc6", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "558d0c48-5e74-4a3f-9087-94cd859dd18c", - "description": "Add control implementation description here for statement si-4_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "5cd8c60f-cb8d-4d52-9006-59eec1a133b8", + "description": "Add control implementation description here for control ps-9" } ] } ] }, { - "uuid": "06c580cb-9d67-458e-801a-0a2ecf4dc514", - "control-id": "si-4", + "uuid": "67062f9e-0fb3-4385-acfa-39bace91d383", + "control-id": "ra-1", "statements": [ { - "statement-id": "si-4_smt.d", - "uuid": "0b9c943d-e4b2-406d-80a7-7f13eee01789", + "statement-id": "ra-1_smt.a", + "uuid": "86e924ff-96e9-4f74-87ea-1453b5054e3a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a746fcca-1aa7-4148-9119-0ffae55a3394", - "description": "Add control implementation description here for statement si-4_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f616b59f-2d2a-4100-b7ad-d5a2ec7e7d02", + "description": "Add control implementation description here for item ra-1_smt.a" } ] - } - ] - }, - { - "uuid": "5e54fa86-ffe3-46b8-888d-6925f3eb8411", - "control-id": "si-4", - "statements": [ + }, { - "statement-id": "si-4_smt.e", - "uuid": "b0a1bb98-a6ec-4d28-8a55-7b9ea499cf1b", + "statement-id": "ra-1_smt.b", + "uuid": "8e0b7857-ab11-44ab-9e2a-a94a8c14e1f5", 
"by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "50ee48c3-1c37-497d-a224-7d68535b129f", - "description": "Add control implementation description here for statement si-4_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "a908430b-533c-403b-b750-efb5aed56537", + "description": "Add control implementation description here for item ra-1_smt.b" } ] - } - ] - }, - { - "uuid": "d84e409f-c288-408b-9f62-eee74f73caa0", - "control-id": "si-4", - "statements": [ + }, { - "statement-id": "si-4_smt.f", - "uuid": "a6c9b39f-cd9b-4961-ad1a-643a8fc4852a", + "statement-id": "ra-1_smt.c", + "uuid": "064d0a2c-712b-481a-8741-a9604c108b9c", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b2fab904-45b2-42dd-909c-9b7ce8e240f1", - "description": "Add control implementation description here for statement si-4_smt.f" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "6795013d-0668-493a-bf73-aa1ccb9aa56f", + "description": "Add control implementation description here for item ra-1_smt.c" } ] } ] }, { - "uuid": "6124759a-fede-4f14-95fb-77fdda3f0bfe", - "control-id": "si-4", + "uuid": "f3bdb162-7500-4c73-a1b9-6fdfea087595", + "control-id": "ra-2", "statements": [ { - "statement-id": "si-4_smt.g", - "uuid": "5b1316bc-80e4-48f3-913f-8f322e7b7863", + "statement-id": "ra-2_smt.a", + "uuid": "cd2ae254-a756-4381-b470-bd2a28289263", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "e7f79ee8-36a2-48da-9a6d-0c009bffb00b", - "description": "Add control implementation description here for statement si-4_smt.g" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "dd36eb25-8608-49f2-9971-8e846b4aa3a6", + "description": "Add control implementation description here for item ra-2_smt.a" } ] - } - ] - }, - { - "uuid": "d78dee01-2cf0-4ea3-9fdf-dde29d777249", - "control-id": "si-5", - "statements": [ + }, { - 
"statement-id": "si-5_smt.a", - "uuid": "410cec30-d6b3-4fcf-9111-72eef6e85b2d", + "statement-id": "ra-2_smt.b", + "uuid": "14cc24da-9989-40d7-ae6f-142afe142853", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b4480a94-035a-42d3-a383-d666237c4b50", - "description": "Add control implementation description here for statement si-5_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "91a7fbcc-5bb8-4be5-8b3d-f12a35f249c9", + "description": "Add control implementation description here for item ra-2_smt.b" } ] - } - ] - }, - { - "uuid": "dc524d78-606a-42c0-8e0d-e942f1101c1b", - "control-id": "si-5", - "statements": [ + }, { - "statement-id": "si-5_smt.b", - "uuid": "0cf6d76a-9c22-4324-a22b-e65711b66c15", + "statement-id": "ra-2_smt.c", + "uuid": "e608f056-03e6-46eb-85a4-d71c61c6637a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "ad6f4264-06e7-4dee-a4d6-e754c6f4f374", - "description": "Add control implementation description here for statement si-5_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "741f93b4-c427-4ae4-86b5-414bd9db9be4", + "description": "Add control implementation description here for item ra-2_smt.c" } ] } ] }, { - "uuid": "4e0a3602-53ed-491a-b69a-4730ede05d26", - "control-id": "si-5", + "uuid": "413d36e0-6e77-499a-9d9a-6404ce62aa76", + "control-id": "ra-3", "statements": [ { - "statement-id": "si-5_smt.c", - "uuid": "69525351-cc3f-4e4e-96ae-db1d4777b36d", + "statement-id": "ra-3_smt.a", + "uuid": "01de1f57-a4ee-4e5d-b6d2-6e9f30fbb1c8", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "1e9e01c4-ac16-486c-b8a1-8789430270fd", - "description": "Add control implementation description here for statement si-5_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "71260e3e-918b-49aa-854a-66d17f1a5baf", + "description": "Add control implementation description 
here for item ra-3_smt.a" } ] - } - ] - }, - { - "uuid": "7c234885-aab8-4233-9c01-2e6459822e4e", - "control-id": "si-5", - "statements": [ + }, { - "statement-id": "si-5_smt.d", - "uuid": "48006c66-8749-457b-9acc-6fd79b272132", + "statement-id": "ra-3_smt.b", + "uuid": "2aa58002-56e3-432c-a33f-91b20400e9ff", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "0f2556a1-fdf9-4ff8-a7b6-2295c7b14e1b", - "description": "Add control implementation description here for statement si-5_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4fb0ef2a-b1a0-4512-be59-330c537f9d54", + "description": "Add control implementation description here for item ra-3_smt.b" } ] - } - ] - }, - { - "uuid": "cfa53b61-48f2-46a1-8531-ef70f9bb27ce", - "control-id": "si-1", - "statements": [ + }, { - "statement-id": "si-1_smt.a", - "uuid": "9f4be57c-fade-459f-b5a4-2f8212cf41bb", + "statement-id": "ra-3_smt.c", + "uuid": "e37e3791-969c-4bce-82bc-6ce14b49dea4", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a338a91f-28be-4af1-93f0-ab9826cb247c", - "description": "Add control implementation description here for statement si-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "3b0cc859-4192-43a9-894c-d5701a960df4", + "description": "Add control implementation description here for item ra-3_smt.c" } ] - } - ] - }, - { - "uuid": "9d064624-d835-4100-9880-b55c1192aa93", - "control-id": "si-1", - "statements": [ + }, { - "statement-id": "si-1_smt.b", - "uuid": "de9c92a1-8eea-4290-af23-9f035627ac24", + "statement-id": "ra-3_smt.d", + "uuid": "04f6ee55-04e0-4bca-a5bd-bac604e6088b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "e7142b05-6704-40f7-91fc-35dc586a8f46", - "description": "Add control implementation description here for statement si-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": 
"88b99f9b-8258-4b0a-bda8-313233b81ce8", + "description": "Add control implementation description here for item ra-3_smt.d" } ] - } - ] - }, - { - "uuid": "4fff9f05-9126-4cc4-bea1-012a4ad8ef58", - "control-id": "si-1", - "statements": [ + }, { - "statement-id": "si-1_smt.c", - "uuid": "77ff4163-a621-4052-af23-9151d9619da5", + "statement-id": "ra-3_smt.e", + "uuid": "e49b7c33-6428-49f7-90dd-c9b4780ac6e3", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c2f64810-82c8-492b-88b5-221886cdaf5e", - "description": "Add control implementation description here for statement si-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "efbb58a5-0694-40af-8644-908fc06074b9", + "description": "Add control implementation description here for item ra-3_smt.e" } ] - } - ] - }, - { - "uuid": "2dca3618-2a7a-466d-8c80-3c8187257e6d", - "control-id": "si-2", - "statements": [ + }, { - "statement-id": "si-2_smt.a", - "uuid": "08d25462-cc1f-4e2c-a3f0-1f7b8d093823", + "statement-id": "ra-3_smt.f", + "uuid": "799e89a8-da9b-4968-9f0e-927becbeb61b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "5c31e5c1-0d6c-4705-acf9-4d5454245e95", - "description": "Add control implementation description here for statement si-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "8b030b2e-3533-4fc3-b78c-3d52586d05b1", + "description": "Add control implementation description here for item ra-3_smt.f" } ] } ] }, { - "uuid": "329abe60-186f-4296-a38d-e873574d9522", - "control-id": "si-2", + "uuid": "35388741-1392-442f-a5b3-26b005c97a3c", + "control-id": "ra-3.1", "statements": [ { - "statement-id": "si-2_smt.b", - "uuid": "e51aa48f-68f9-47ea-89e1-b25fd6544df4", + "statement-id": "ra-3.1_smt.a", + "uuid": "4d8b4be6-3cda-4352-bab4-b3390dc39573", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "5760cfed-957f-4445-9c32-d2e1705f2a53", - 
"description": "Add control implementation description here for statement si-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "441fd83c-58db-420d-8fa5-742e0a555b2f", + "description": "Add control implementation description here for item ra-3.1_smt.a" } ] - } - ] - }, - { - "uuid": "89b7153b-3f65-45c8-9867-a5a475f216a5", - "control-id": "si-2", - "statements": [ + }, { - "statement-id": "si-2_smt.c", - "uuid": "66ddc103-8748-4cee-8d5c-1bcbdcab3ef8", + "statement-id": "ra-3.1_smt.b", + "uuid": "77c7a9b8-c607-4cb8-bc5f-ba88bd13018a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a0424128-7476-40ba-a16e-7798ae9d2636", - "description": "Add control implementation description here for statement si-2_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1cef4a5f-94bf-41f4-8806-5e819ef46b43", + "description": "Add control implementation description here for item ra-3.1_smt.b" } ] } ] }, { - "uuid": "7ca79d4a-5b89-48d3-85e4-e3e598b19e92", - "control-id": "si-2", + "uuid": "104e9590-dbfc-49f2-9e43-848907663c6e", + "control-id": "ra-5", "statements": [ { - "statement-id": "si-2_smt.d", - "uuid": "3cd4609a-efd2-48ca-9193-eeae0da5153e", + "statement-id": "ra-5_smt.a", + "uuid": "fdff3d7e-7d92-49be-942c-9dab72d650a6", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a78b57bc-dadc-4d80-9004-5617b68848b9", - "description": "Add control implementation description here for statement si-2_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "706abf81-8135-458d-8d8a-8d84b3d2e610", + "description": "Add control implementation description here for item ra-5_smt.a" } ] - } - ] - }, - { - "uuid": "152718f7-7c30-4261-97d4-776745a97bb6", - "control-id": "si-3", - "statements": [ + }, { - "statement-id": "si-3_smt.a", - "uuid": "eb6ee695-7f1e-4d94-82d2-74cb17228808", + "statement-id": "ra-5_smt.b", + "uuid": 
"a65712c1-d587-4fe8-92ec-6d5accbf9c3c", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "88071991-6e3a-4c3d-9d83-ec70b2d858c1", - "description": "Add control implementation description here for statement si-3_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1b1fbbe4-9119-4341-8996-994fcbe5df08", + "description": "Add control implementation description here for item ra-5_smt.b" } ] - } - ] - }, - { - "uuid": "f3ca5dcf-1342-49f0-a2a9-d9ef44dabe9a", - "control-id": "si-3", - "statements": [ + }, { - "statement-id": "si-3_smt.b", - "uuid": "48116571-a329-48c9-9131-a41488ddfe92", + "statement-id": "ra-5_smt.c", + "uuid": "8c4b2348-98b2-4f8e-ae90-a402f0c0a3a3", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "975a31ec-bb93-435d-a1d4-4c7cc3db4152", - "description": "Add control implementation description here for statement si-3_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "a251fcd5-350e-4c86-85e6-06f9ee6a27b3", + "description": "Add control implementation description here for item ra-5_smt.c" } ] - } - ] - }, - { - "uuid": "298a0f65-6521-4e12-b16c-1ef7706c9b18", - "control-id": "si-3", - "statements": [ + }, { - "statement-id": "si-3_smt.c", - "uuid": "1e0e8590-3a28-4206-93f3-256298a55960", + "statement-id": "ra-5_smt.d", + "uuid": "e7f17854-f85c-4372-bc13-732056071e95", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "1f1f1f49-fa16-48f7-9927-4fc8682c7c09", - "description": "Add control implementation description here for statement si-3_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "13125afb-9c59-42b4-bddd-7d6982f88643", + "description": "Add control implementation description here for item ra-5_smt.d" } ] - } - ] - }, - { - "uuid": "375679df-13cd-4df3-a3ae-cc54bdd5d47f", - "control-id": "si-3", - "statements": [ + }, { - "statement-id": "si-3_smt.d", - 
"uuid": "f84f9308-3279-458a-b4e0-f3cc1bd7c862", + "statement-id": "ra-5_smt.e", + "uuid": "6ee6b470-4d2c-4f02-87e3-9a501ee9d1d2", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "ffcaf4bf-0120-4c07-9b85-7583d067186d", - "description": "Add control implementation description here for statement si-3_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "36d00b5f-567b-4382-a124-cd522dad95dc", + "description": "Add control implementation description here for item ra-5_smt.e" } ] - } - ] - }, - { - "uuid": "ec0013de-37cb-469b-ac1f-cf3b6bbe9b7e", - "control-id": "mp-1", - "statements": [ + }, { - "statement-id": "mp-1_smt.a", - "uuid": "2625119c-c767-484e-b14d-4096a7c0e93c", + "statement-id": "ra-5_smt.f", + "uuid": "b3bb065b-e0c5-4086-aca1-0b0447151461", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a6e6b8fe-cedb-450f-83c1-0e6a55d3d545", - "description": "Add control implementation description here for statement mp-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b53be194-959f-4cde-86af-46926dec468a", + "description": "Add control implementation description here for item ra-5_smt.f" } ] } ] }, { - "uuid": "ed5f2230-b0bb-482f-81d7-21ae39cdf5da", - "control-id": "mp-1", + "uuid": "38c9f3c6-96c0-4416-a2ed-d4dc21e1760d", + "control-id": "ra-5.2", "statements": [ { - "statement-id": "mp-1_smt.b", - "uuid": "46d99e04-9b9e-43f0-a32f-5a67433842e3", + "statement-id": "ra-5.2_smt", + "uuid": "3b9f798c-877e-4ed4-9ab9-ce2ed3e14b5a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "5cc1b401-c4a8-48e8-ae98-70cb3638b3dd", - "description": "Add control implementation description here for statement mp-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "8ee58b6b-a7a9-4561-9c8c-7caeabde0839", + "description": "Add control implementation description here for control ra-5.2" } ] } 
] }, { - "uuid": "347dbd8a-9569-4b49-85ca-594433c8244f", - "control-id": "mp-1", + "uuid": "ff11be82-9b61-49de-a577-9a27afc90574", + "control-id": "ra-5.11", "statements": [ { - "statement-id": "mp-1_smt.c", - "uuid": "4c9e896a-3d23-4c6d-b59c-99cd5422754d", + "statement-id": "ra-5.11_smt", + "uuid": "55f6864f-5864-4804-8579-ea6cb39a97bb", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a1f14b6c-f955-45b9-8d26-b850553b9033", - "description": "Add control implementation description here for statement mp-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "be5b78ca-9036-4d74-a35b-a4e6c21f1bc1", + "description": "Add control implementation description here for control ra-5.11" } ] } ] }, { - "uuid": "4b5971e8-44eb-4c6f-900b-446fa3fb6987", - "control-id": "mp-7", + "uuid": "a4dbb880-a173-4df2-a95f-61148207eca9", + "control-id": "ra-7", "statements": [ { - "statement-id": "mp-7_smt.a", - "uuid": "7eec0fbf-7ecc-41c2-8f56-0aa5392bfd19", + "statement-id": "ra-7_smt", + "uuid": "f58d8722-c56c-4e5a-bc4f-e89212307fdc", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "db2f5bb2-d993-4b8d-9bfb-fc27d6033562", - "description": "Add control implementation description here for statement mp-7_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "7aa406e2-ec55-43eb-a7ee-7e8918a16537", + "description": "Add control implementation description here for control ra-7" } ] } ] }, { - "uuid": "acc5817a-1757-4a6f-8be5-045fb5e7bd80", - "control-id": "mp-7", + "uuid": "a30010e9-4d76-424d-97d3-b788c31f4f7e", + "control-id": "sa-1", "statements": [ { - "statement-id": "mp-7_smt.b", - "uuid": "919f4855-4b30-4737-aa1e-7e3518d99d58", + "statement-id": "sa-1_smt.a", + "uuid": "6f3b21d5-9951-4ac5-a33e-d02c78b4bcec", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "05fa4858-3686-4ba2-a693-eadf649840fc", - "description": "Add 
control implementation description here for statement mp-7_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "67b92e8a-36d7-481d-9d18-e3ab7bcc854e", + "description": "Add control implementation description here for item sa-1_smt.a" } ] - } - ] - }, - { - "uuid": "48eb19ae-0e44-4770-ba6f-9438da968af6", - "control-id": "mp-6", - "statements": [ + }, { - "statement-id": "mp-6_smt.a", - "uuid": "8ac36c3b-4adf-4b2c-abaa-10fd6ee94874", + "statement-id": "sa-1_smt.b", + "uuid": "a288d4b0-5e04-4069-a9b3-6d4174321116", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "546eb1f5-c406-44ff-929e-adfe2f06f4dc", - "description": "Add control implementation description here for statement mp-6_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "bd7dc3f4-504d-486d-a9fd-8f781fa8d3be", + "description": "Add control implementation description here for item sa-1_smt.b" } ] - } - ] - }, - { - "uuid": "f1ade0ad-b722-4ae3-b4f7-949c510ac9f3", - "control-id": "mp-6", - "statements": [ + }, { - "statement-id": "mp-6_smt.b", - "uuid": "6000a155-9c2e-4e74-9ad1-8f6f102573dd", + "statement-id": "sa-1_smt.c", + "uuid": "381050ed-a6ba-435f-b218-64f2ca476e20", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "46bc3e35-1bab-4e4a-ab27-b8c048ecf5f6", - "description": "Add control implementation description here for statement mp-6_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "3700145b-65bb-476c-b89c-62b92da89d83", + "description": "Add control implementation description here for item sa-1_smt.c" } ] } ] }, { - "uuid": "e609acad-5b19-4a58-9f86-786a6aea3a03", - "control-id": "au-5", + "uuid": "bfe991b5-e116-420f-ac81-106a75eeefb2", + "control-id": "sa-2", "statements": [ { - "statement-id": "au-5_smt.a", - "uuid": "0b75f1f9-dba6-4b03-9228-e9dfaa9d9c5e", + "statement-id": "sa-2_smt.a", + "uuid": "9f966b4d-51d6-4d4a-8908-4928dc91b49e", 
"by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "ebeaa94a-e1f5-4274-ad1a-dadfcbfc11ba", - "description": "Add control implementation description here for statement au-5_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1b6c5cb9-4b63-4908-bd99-64cb537a030d", + "description": "Add control implementation description here for item sa-2_smt.a" } ] - } - ] - }, - { - "uuid": "87f46680-6838-4bb7-a1cd-ba6e67185bec", - "control-id": "au-5", - "statements": [ + }, { - "statement-id": "au-5_smt.b", - "uuid": "ec3fbde3-0b30-4107-968c-448839200b1f", + "statement-id": "sa-2_smt.b", + "uuid": "6a1e27db-cb16-48a8-b049-627e6cb3687c", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a44e8bbd-064e-4b89-a7c9-b92fe5e58167", - "description": "Add control implementation description here for statement au-5_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "7ebec817-1292-4535-8303-0863290b1c4d", + "description": "Add control implementation description here for item sa-2_smt.b" } ] - } - ] - }, - { - "uuid": "70a5c186-1b9b-480f-93fe-a679e23f04ba", - "control-id": "au-1", - "statements": [ + }, { - "statement-id": "au-1_smt.a", - "uuid": "0aaa2752-274c-43cf-b959-7a7ff01dc3bc", + "statement-id": "sa-2_smt.c", + "uuid": "f3fbfcc9-00f3-4ae4-8249-606609778741", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "37a88da8-b0b4-4a3b-b071-c739097b2843", - "description": "Add control implementation description here for statement au-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "37191794-c6fe-4b47-8585-1f4c0bfa0d49", + "description": "Add control implementation description here for item sa-2_smt.c" } ] } ] }, { - "uuid": "dce89640-cb28-42e6-b3e4-c939c98f28ec", - "control-id": "au-1", + "uuid": "3fd7dda2-c64e-4870-8e5a-8271074b0c52", + "control-id": "sa-3", "statements": [ { - 
"statement-id": "au-1_smt.b", - "uuid": "11d43dd5-4d03-44d3-ae8f-3a78c2649bd7", + "statement-id": "sa-3_smt.a", + "uuid": "baba5809-766f-4b6b-94a7-f4fc9f2da696", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "8a942996-e991-494e-8449-049ddb2163d4", - "description": "Add control implementation description here for statement au-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "48f5c2b2-0762-406c-8c55-56983ac9ecce", + "description": "Add control implementation description here for item sa-3_smt.a" } ] - } - ] - }, - { - "uuid": "976b9f23-ec86-4ec6-91d1-eff6ec1b82ef", - "control-id": "au-1", - "statements": [ + }, { - "statement-id": "au-1_smt.c", - "uuid": "e56bc9ea-ccf9-462d-b0b9-406ef129c758", + "statement-id": "sa-3_smt.b", + "uuid": "114fc3ab-262a-4f6f-8cd0-e030842106b3", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "9aa8661a-f905-4f57-b4c8-6dd06d4f26c0", - "description": "Add control implementation description here for statement au-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "dfccd8bc-fcb8-4d20-926f-6f942cbcf9e2", + "description": "Add control implementation description here for item sa-3_smt.b" } ] - } - ] - }, - { - "uuid": "32049946-ef35-48e9-bfaa-bd0c1eac65ed", - "control-id": "au-9", - "statements": [ + }, { - "statement-id": "au-9_smt.a", - "uuid": "32ae19c2-2ad0-417f-bbc2-09b1139a448e", + "statement-id": "sa-3_smt.c", + "uuid": "60b33a2d-2332-4a50-b265-d1ce67339a35", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "ad20000b-7b6a-4dba-a205-bd841ca6119c", - "description": "Add control implementation description here for statement au-9_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "a12a7dd7-8fe3-4290-8393-4e95a83ff31d", + "description": "Add control implementation description here for item sa-3_smt.c" } ] - } - ] - }, - { - "uuid": 
"d1c39694-94c3-41fb-bd3a-87df2d21bf56", - "control-id": "au-9", - "statements": [ + }, { - "statement-id": "au-9_smt.b", - "uuid": "848dce51-a54a-4a0a-9298-c9d41a73b069", + "statement-id": "sa-3_smt.d", + "uuid": "65998613-a488-43fe-afaa-e292cedd7ec8", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "992768f8-16dd-4b74-854a-bb28d76c7802", - "description": "Add control implementation description here for statement au-9_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "a14ffd53-894c-46a1-a9b1-ff0087d36c9c", + "description": "Add control implementation description here for item sa-3_smt.d" } ] } ] }, { - "uuid": "4d88aa36-9926-4a29-a369-f7fa16a1141f", - "control-id": "au-12", + "uuid": "3cfd7560-53cb-43b9-a4a8-39d5ee01dd82", + "control-id": "sa-4", "statements": [ { - "statement-id": "au-12_smt.a", - "uuid": "0dad06e1-36b2-4e03-a31b-d1933517ae3f", + "statement-id": "sa-4_smt.a", + "uuid": "3f0049ff-26d3-4cec-b0bb-701074f855af", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "12e0c2da-7732-4dc4-b74c-2f5263639cd3", - "description": "Add control implementation description here for statement au-12_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "3452febe-f232-4888-ac18-3330b1a5ef72", + "description": "Add control implementation description here for item sa-4_smt.a" } ] - } - ] - }, - { - "uuid": "14990a85-2a04-42d4-9909-6d732af89820", - "control-id": "au-12", - "statements": [ + }, { - "statement-id": "au-12_smt.b", - "uuid": "83b3ed86-0e41-4983-b915-da05f0827cf1", + "statement-id": "sa-4_smt.b", + "uuid": "7a8cdbcf-73be-44dc-b770-e43e35c86595", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f16cc486-0f64-4d5f-a209-9f6832797057", - "description": "Add control implementation description here for statement au-12_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": 
"8bb9a65e-1ee5-4f57-8933-f55d12cf8bad", + "description": "Add control implementation description here for item sa-4_smt.b" } ] - } - ] - }, - { - "uuid": "6ca87a68-e9ba-4be3-b65b-a4f305d80340", - "control-id": "au-12", - "statements": [ + }, { - "statement-id": "au-12_smt.c", - "uuid": "c8c62887-6ec0-4e1f-a906-26d3af5134b3", + "statement-id": "sa-4_smt.c", + "uuid": "88fe51c8-6319-40fa-83e9-9a3a73d25057", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "fc41decf-037c-443e-b9d1-6ff2b0c0b9a1", - "description": "Add control implementation description here for statement au-12_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "e4a3c7e0-421f-4531-8b8e-341b47791b2b", + "description": "Add control implementation description here for item sa-4_smt.c" } ] - } - ] - }, - { - "uuid": "adaea0f4-b490-476a-9cd7-a06d22a4d7d6", - "control-id": "au-8", - "statements": [ + }, { - "statement-id": "au-8_smt.a", - "uuid": "0865c0d3-cc87-4dae-89c1-9248452150b0", + "statement-id": "sa-4_smt.d", + "uuid": "a0de6adf-d0bf-43aa-8e3e-1145535b741d", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "64f56e80-be3b-49c5-b576-24f6a0ed8a36", - "description": "Add control implementation description here for statement au-8_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "74a4747e-3465-4876-9f17-4ac8d8072b5c", + "description": "Add control implementation description here for item sa-4_smt.d" } ] - } - ] - }, - { - "uuid": "b8af2829-7c09-4cf4-b794-20f6a891775d", - "control-id": "au-8", - "statements": [ + }, { - "statement-id": "au-8_smt.b", - "uuid": "f0362f08-5c24-49f9-8024-af2981c6e5cb", + "statement-id": "sa-4_smt.e", + "uuid": "96cdfbbd-8566-4728-b0d3-87bd6551bbd9", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c89b0db2-2c3b-4e93-b603-e40ddd57c848", - "description": "Add control implementation description here for 
statement au-8_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "845fd061-6eff-4946-bc87-304c50d67ec5", + "description": "Add control implementation description here for item sa-4_smt.e" } ] - } - ] - }, - { - "uuid": "a8e0397e-386f-440c-98b3-11c34c90e172", - "control-id": "au-3", - "statements": [ + }, { - "statement-id": "au-3_smt.a", - "uuid": "27a6cce1-d3fc-41d8-95da-86bfcdd82550", + "statement-id": "sa-4_smt.f", + "uuid": "2f0ce8e6-fc5b-4de1-afbe-b1763c173a4d", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "00b393cc-8d52-4e11-a63e-c541b33a36b0", - "description": "Add control implementation description here for statement au-3_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "8accaf67-9390-49d3-9c2a-15ec63c0ca23", + "description": "Add control implementation description here for item sa-4_smt.f" } ] - } - ] - }, - { - "uuid": "c08448a4-8a1d-41e9-8f5f-f5227f509939", - "control-id": "au-3", - "statements": [ + }, { - "statement-id": "au-3_smt.b", - "uuid": "ae605547-a185-4f9c-acc5-eb26ba9b565d", + "statement-id": "sa-4_smt.g", + "uuid": "cf767557-d01a-4643-a884-f76f3b5e18b1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a2521249-c47a-4903-96c1-ad62931f3ed5", - "description": "Add control implementation description here for statement au-3_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b81e06fc-7c86-47f3-8962-5e6d8f17dd83", + "description": "Add control implementation description here for item sa-4_smt.g" } ] - } - ] - }, - { - "uuid": "fb98a76f-343f-489e-bb27-e29a2e6fe32c", - "control-id": "au-3", - "statements": [ + }, { - "statement-id": "au-3_smt.c", - "uuid": "cc303274-51aa-454d-bbdb-a1804c11ac30", + "statement-id": "sa-4_smt.h", + "uuid": "30896d20-093c-48df-a70e-eecc3330fd7e", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": 
"159c40b7-f33d-48f8-bbf8-c6eea0cfb617", - "description": "Add control implementation description here for statement au-3_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0d03d749-3068-4ae7-8b74-9a7589954bd9", + "description": "Add control implementation description here for item sa-4_smt.h" } ] - } - ] - }, - { - "uuid": "3ca3c92f-cab4-47ef-88ad-6e5b5758c363", - "control-id": "au-3", - "statements": [ + }, { - "statement-id": "au-3_smt.d", - "uuid": "66795979-806b-4444-9b39-c60ebc730a5d", + "statement-id": "sa-4_smt.i", + "uuid": "3a3cf158-6339-4964-8ec5-2bfdbaf36aa8", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "4292d1df-fda5-49f0-9066-4012da8a2070", - "description": "Add control implementation description here for statement au-3_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ef5e81c9-1863-41b8-be7b-f6c687aa4789", + "description": "Add control implementation description here for item sa-4_smt.i" } ] } ] }, { - "uuid": "f69a68d5-fc5c-41db-9bcc-59d899e2f60f", - "control-id": "au-3", + "uuid": "012f3498-8082-4844-a2b6-07be5caa812a", + "control-id": "sa-4.10", "statements": [ { - "statement-id": "au-3_smt.e", - "uuid": "71181779-76bd-49a7-b018-8ff6cdb8d377", + "statement-id": "sa-4.10_smt", + "uuid": "983da4f0-bcf0-4861-9657-63b8c2937e3a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "89ffddd6-b06b-45a9-aa63-c3166ed9c7be", - "description": "Add control implementation description here for statement au-3_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "fa5a3beb-b1b3-491b-ad76-46eb2ea53f2a", + "description": "Add control implementation description here for control sa-4.10" } ] } ] }, { - "uuid": "45c63560-2cb9-40ab-85b6-e8de86d3028a", - "control-id": "au-3", + "uuid": "233bd514-adb0-4658-b1a4-3226fa0acaae", + "control-id": "sa-5", "statements": [ { - "statement-id": "au-3_smt.f", - "uuid": 
"0cbf5282-fae4-4bdc-9b24-219d4c1ff937", + "statement-id": "sa-5_smt.a", + "uuid": "22559970-bf41-4c1f-975e-b335044dbc24", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "80bdef76-012c-4e8e-b1ae-6d66eb4803ac", - "description": "Add control implementation description here for statement au-3_smt.f" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4ff3b86f-d7d9-4ed7-975d-6b05e0bdce09", + "description": "Add control implementation description here for item sa-5_smt.a" } ] - } - ] - }, - { - "uuid": "6b24d505-fcde-4e70-ae3f-630435b954e7", - "control-id": "au-6", - "statements": [ + }, { - "statement-id": "au-6_smt.a", - "uuid": "bee81b4e-b46b-4f4c-a313-0b6cd834848e", + "statement-id": "sa-5_smt.b", + "uuid": "758af4cf-c202-47be-a200-e498384c8b7a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f91e47c3-b651-49f4-8329-6c3daf04e1cb", - "description": "Add control implementation description here for statement au-6_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "763843b8-c593-48b7-bdb0-4140de5074b3", + "description": "Add control implementation description here for item sa-5_smt.b" } ] - } - ] - }, - { - "uuid": "30719c2e-0d98-462b-829a-57620bd8ec03", - "control-id": "au-6", - "statements": [ + }, { - "statement-id": "au-6_smt.b", - "uuid": "00ee89d6-4b69-4764-bfb9-62af00d5b0d9", + "statement-id": "sa-5_smt.c", + "uuid": "166768aa-7862-4118-b56b-a1e6e6764f9a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f06f884c-1a4c-4489-b041-9e4adb0a6176", - "description": "Add control implementation description here for statement au-6_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "85486a49-9833-4dcf-95f3-baa251eee16d", + "description": "Add control implementation description here for item sa-5_smt.c" } ] - } - ] - }, - { - "uuid": "2f2d547e-ae90-40da-8428-960af91f5918", - 
"control-id": "au-6", - "statements": [ + }, { - "statement-id": "au-6_smt.c", - "uuid": "ab3b661a-0771-4fd8-b458-f991ac96079c", + "statement-id": "sa-5_smt.d", + "uuid": "cee0d961-4756-4956-8ae9-e76dc45f2623", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "3cc9794f-57eb-4809-96f4-568a89a948f1", - "description": "Add control implementation description here for statement au-6_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "cf80377c-c4bd-4c38-9109-75b172c3c381", + "description": "Add control implementation description here for item sa-5_smt.d" } ] } ] }, { - "uuid": "5d5a9308-82dc-48f6-98ae-d70166c01aca", - "control-id": "au-2", + "uuid": "f8a4ca54-8b44-42d8-af1a-9f899842880d", + "control-id": "sa-8", "statements": [ { - "statement-id": "au-2_smt.a", - "uuid": "bc725485-7374-4c55-9507-78a4fae393c6", + "statement-id": "sa-8_smt", + "uuid": "104280c4-ed29-4c28-af18-382016404379", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "4b3d1819-cf55-413e-88ea-477b3b094ce2", - "description": "Add control implementation description here for statement au-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "cf196a50-6551-4797-b239-7e60cf6ad2ce", + "description": "Add control implementation description here for control sa-8" } ] } ] }, { - "uuid": "3d783c90-ac29-4dec-a9b1-d35401dff7ad", - "control-id": "au-2", + "uuid": "9e493d7a-ce5b-4c32-916e-3c3b19a71980", + "control-id": "sa-9", "statements": [ { - "statement-id": "au-2_smt.b", - "uuid": "af474f5d-9a9c-406a-a33b-fa227076bfbc", + "statement-id": "sa-9_smt.a", + "uuid": "00990002-ddb4-4f2e-a7f0-e7105c21a01d", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "7f0cb669-e91e-4eb4-ba2a-8ecd37e8bacc", - "description": "Add control implementation description here for statement au-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + 
"uuid": "6178ca5b-9fdb-4819-a173-cafccf5cf919", + "description": "Add control implementation description here for item sa-9_smt.a" } ] - } - ] - }, - { - "uuid": "25e76618-e97f-40f4-b545-852faa1b2bb6", - "control-id": "au-2", - "statements": [ + }, { - "statement-id": "au-2_smt.c", - "uuid": "3bf303ae-5cac-49ed-89fe-06e99e2ac3b2", + "statement-id": "sa-9_smt.b", + "uuid": "6b20fd5b-ead3-40ff-afcd-6dce8a7e589e", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "436c3be1-69ef-4f1b-b9de-778836c2d691", - "description": "Add control implementation description here for statement au-2_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b9f04d88-cbf2-49ba-9034-5e2763e922fd", + "description": "Add control implementation description here for item sa-9_smt.b" } ] - } - ] - }, - { - "uuid": "05a1422c-e3a4-43b8-89b1-a30d8fdd8740", - "control-id": "au-2", - "statements": [ + }, { - "statement-id": "au-2_smt.d", - "uuid": "9599d59c-4b33-4631-aa04-ee93e50cf95d", + "statement-id": "sa-9_smt.c", + "uuid": "f136cd32-ec2e-49ef-b376-ea9b5b2defff", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "7e525845-6cac-45c2-8519-dd8a5ca89a70", - "description": "Add control implementation description here for statement au-2_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ee9e6577-ec64-45ed-b2a1-b7ce8509e2f9", + "description": "Add control implementation description here for item sa-9_smt.c" } ] } ] }, { - "uuid": "76e378bc-6d16-4024-8a92-35f0e2d3c1b1", - "control-id": "au-2", + "uuid": "00515c06-7763-4a5b-a94d-3888fd0456f2", + "control-id": "sa-22", "statements": [ { - "statement-id": "au-2_smt.e", - "uuid": "7cddaebb-a88d-4d9e-915b-88e874ef435e", + "statement-id": "sa-22_smt.a", + "uuid": "7d43048f-f81c-4bfc-a8a8-551137483e70", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "7fded7b3-356f-49c1-9e4f-5d2d101b3798", 
- "description": "Add control implementation description here for statement au-2_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "e711a62e-2968-446b-9e34-854f4a454558", + "description": "Add control implementation description here for item sa-22_smt.a" } ] - } - ] - }, - { - "uuid": "abca253c-92c3-433d-ad8c-ce13dfa61310", - "control-id": "at-4", - "statements": [ + }, { - "statement-id": "at-4_smt.a", - "uuid": "4e9a2ae5-0cb6-4a60-8194-75da423693ff", + "statement-id": "sa-22_smt.b", + "uuid": "219f8231-a528-426d-891f-a1d034411fe9", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "04bb9294-c2f0-4ef9-b653-2f15de5bb544", - "description": "Add control implementation description here for statement at-4_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c186d37e-5fea-4dfc-a93d-5fb402b4bfe6", + "description": "Add control implementation description here for item sa-22_smt.b" } ] } ] }, { - "uuid": "69b44fad-c498-455e-8723-72706c26a68b", - "control-id": "at-4", + "uuid": "1baf505c-23d3-4b63-b1b7-46c430c22b57", + "control-id": "sc-1", "statements": [ { - "statement-id": "at-4_smt.b", - "uuid": "cf91fe52-b83a-43c4-80db-b46e1ffb99a8", + "statement-id": "sc-1_smt.a", + "uuid": "f25682d5-64be-4938-a4e3-f2c1697cb119", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "36047a07-9623-4a01-b5e3-cdedcd4394f1", - "description": "Add control implementation description here for statement at-4_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "97e9c324-509f-4e33-a124-6a02cd4f43b0", + "description": "Add control implementation description here for item sc-1_smt.a" } ] - } - ] - }, - { - "uuid": "73a75c21-102d-4616-8f45-3676420e4de5", - "control-id": "at-1", - "statements": [ + }, { - "statement-id": "at-1_smt.a", - "uuid": "86ab6470-4911-4bd6-84e3-95760ac40c1d", + "statement-id": "sc-1_smt.b", + "uuid": 
"d2e6f691-64da-4369-9b5f-4da32816214e", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "84bcc979-781c-4e63-97a3-6d9efaebc775", - "description": "Add control implementation description here for statement at-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "aa56dff2-1c4f-4936-a8f8-01bd761cc5a2", + "description": "Add control implementation description here for item sc-1_smt.b" } ] - } - ] - }, - { - "uuid": "5af439b8-ce94-4d7a-9d20-553fd216d02f", - "control-id": "at-1", - "statements": [ + }, { - "statement-id": "at-1_smt.b", - "uuid": "e701a56f-416b-4a93-a0af-71062f95d9bd", + "statement-id": "sc-1_smt.c", + "uuid": "4858315d-a673-4939-b173-82cfd4695d1c", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "75ad7ee3-184f-4b2b-b480-225c96f8da89", - "description": "Add control implementation description here for statement at-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "6a716da8-817a-4291-989c-d37c183263ba", + "description": "Add control implementation description here for item sc-1_smt.c" } ] } ] }, { - "uuid": "e93fcb27-adba-40ca-a7b9-aedb57fc0cdd", - "control-id": "at-1", + "uuid": "c5dc593d-2d82-4f05-8ef9-8840b24cfc29", + "control-id": "sc-5", "statements": [ { - "statement-id": "at-1_smt.c", - "uuid": "56f76256-8539-4501-b5fb-bf5dcf22dbdf", + "statement-id": "sc-5_smt.a", + "uuid": "ac473800-9d33-4b38-9ade-21bc977422f7", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c4919d8d-cd74-4163-9f86-44462d193056", - "description": "Add control implementation description here for statement at-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ef58fddc-738b-4514-a412-9c50a8a68f11", + "description": "Add control implementation description here for item sc-5_smt.a" } ] - } - ] - }, - { - "uuid": "660f3181-e9d8-4d9f-984a-ec24a756243f", - "control-id": "at-2", - 
"statements": [ + }, { - "statement-id": "at-2_smt.a", - "uuid": "1abda364-3f45-4f75-8a56-fa6d40826950", + "statement-id": "sc-5_smt.b", + "uuid": "4a03b896-9325-41a2-bf3a-9090759b38ee", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "501a43da-fc85-4c45-b3cb-d3b4f6394a28", - "description": "Add control implementation description here for statement at-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "51e0590f-da8e-497f-97e3-a3576b95f464", + "description": "Add control implementation description here for item sc-5_smt.b" } ] } ] }, { - "uuid": "abf35fc7-dfcb-4dfd-966a-ebcc7baffaf8", - "control-id": "at-2", + "uuid": "8aec6d25-6bb9-446b-b5ad-5af87ade3de0", + "control-id": "sc-7", "statements": [ { - "statement-id": "at-2_smt.b", - "uuid": "c5f68527-10ed-4e29-9165-4ed52b36efb2", + "statement-id": "sc-7_smt.a", + "uuid": "564186a1-f414-4636-9e97-b2019e853806", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "7b71d31c-a585-4294-94e9-62624d262d77", - "description": "Add control implementation description here for statement at-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "906944f9-ed61-47d8-8130-e7a8723db84f", + "description": "Add control implementation description here for item sc-7_smt.a" } ] - } - ] - }, - { - "uuid": "edd1768e-6196-4191-be7d-67176c3d2e04", - "control-id": "at-2", - "statements": [ + }, { - "statement-id": "at-2_smt.c", - "uuid": "4a825207-0b73-430b-9afc-d7ca045bf631", + "statement-id": "sc-7_smt.b", + "uuid": "e0c65915-d80a-491d-b63a-b638db5df9ec", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "26729b11-47d0-4dab-aebd-11567b85d65b", - "description": "Add control implementation description here for statement at-2_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "323ad026-4fc5-42ae-9322-888691b94abd", + "description": "Add control 
implementation description here for item sc-7_smt.b" } ] - } - ] - }, - { - "uuid": "f09d2692-075a-4403-bb3e-4e8469f163ce", - "control-id": "at-2", - "statements": [ + }, { - "statement-id": "at-2_smt.d", - "uuid": "5c50e62d-4348-4f9f-a3bd-9ec1671f13e5", + "statement-id": "sc-7_smt.c", + "uuid": "8e6b74e0-101e-4823-9408-1f2d737c1de1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "5d8317e4-e5f0-4889-ba85-98875f903a83", - "description": "Add control implementation description here for statement at-2_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "bbc68ffb-e988-4d94-aeb7-74f57bfe766e", + "description": "Add control implementation description here for item sc-7_smt.c" } ] } ] }, { - "uuid": "f9f51ee0-118d-49b6-a67a-28d95262d66f", - "control-id": "at-3", + "uuid": "74bde879-ae9e-427a-a210-727928c7e1ce", + "control-id": "sc-12", "statements": [ { - "statement-id": "at-3_smt.a", - "uuid": "b87061f1-7c59-4902-94b0-5c91209bef88", + "statement-id": "sc-12_smt", + "uuid": "a58c46f3-2992-439f-862d-4e7466cd2e7e", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "08a8ffea-fb0c-425b-b5a1-2ff66e17ff2a", - "description": "Add control implementation description here for statement at-3_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "daec9f79-020b-4638-b338-10d7a80c6723", + "description": "Add control implementation description here for control sc-12" } ] } ] }, { - "uuid": "66188ebf-7b04-40f2-bad9-49d5c4b88ba0", - "control-id": "at-3", + "uuid": "00f0588a-9d85-4eaf-bdfa-f0ec9b348de9", + "control-id": "sc-13", "statements": [ { - "statement-id": "at-3_smt.b", - "uuid": "3c9327b7-a39f-4444-8013-c5dcc260371f", + "statement-id": "sc-13_smt.a", + "uuid": "44353f9f-b2b4-40b7-bfc7-b274658c0ca8", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b2320903-7027-477d-a188-d3ab2e55d785", - "description": "Add 
control implementation description here for statement at-3_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "48223379-d897-455f-a6f6-bf4303512dc1", + "description": "Add control implementation description here for item sc-13_smt.a" } ] - } - ] - }, - { - "uuid": "6c1ee8d3-0a97-4768-b2a0-72b1e4b4d260", - "control-id": "at-3", - "statements": [ + }, { - "statement-id": "at-3_smt.c", - "uuid": "fc6f8e5f-f344-43bc-89e2-75b665190e18", + "statement-id": "sc-13_smt.b", + "uuid": "e7246a0d-9d03-4757-9564-7c3aa1488254", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "4ed74d37-85eb-47b3-913f-5f906c0942bf", - "description": "Add control implementation description here for statement at-3_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d29ac847-74de-4b3b-8765-89583af378a9", + "description": "Add control implementation description here for item sc-13_smt.b" } ] } ] }, { - "uuid": "8d6f0984-f877-40eb-8b6a-58ef96242c61", - "control-id": "cm-10", + "uuid": "7c35f77e-051c-49c7-a449-faccbdd9cfc9", + "control-id": "sc-15", "statements": [ { - "statement-id": "cm-10_smt.a", - "uuid": "dc6fe89f-2de2-4650-a32e-83f07b87c566", + "statement-id": "sc-15_smt.a", + "uuid": "5d63e2d2-2de1-4d9f-864e-aae22b4cca70", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "880e096a-d0a5-48ab-bc8e-ac88ea9f03ce", - "description": "Add control implementation description here for statement cm-10_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "5835feca-b238-4858-9959-03efdc4c18fd", + "description": "Add control implementation description here for item sc-15_smt.a" } ] - } - ] - }, - { - "uuid": "a7d1cf33-bad0-423e-a4a4-5f36f9b24c4d", - "control-id": "cm-10", - "statements": [ + }, { - "statement-id": "cm-10_smt.b", - "uuid": "30fa141a-1008-446c-a4bc-3fcf4926f5a8", + "statement-id": "sc-15_smt.b", + "uuid": 
"33d9b0f2-6b5a-4df3-b0e4-95f14395f708", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c27252e4-a899-43bf-b8ca-157c0ddabd9b", - "description": "Add control implementation description here for statement cm-10_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "9e351966-01a4-41e2-83f0-fde26ce7d784", + "description": "Add control implementation description here for item sc-15_smt.b" } ] } ] }, { - "uuid": "62a789a5-7294-4c78-a16e-9055461436cf", - "control-id": "cm-10", + "uuid": "6afc7c72-cf14-4a7d-b024-b713b060f742", + "control-id": "sc-20", "statements": [ { - "statement-id": "cm-10_smt.c", - "uuid": "11d1621f-720d-400a-9cc1-358075bd874c", + "statement-id": "sc-20_smt.a", + "uuid": "5e4c8d8d-d656-4191-acdc-f9b8a9075e16", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "9fa7807f-5e0e-4afc-8ab6-945a9d5966e5", - "description": "Add control implementation description here for statement cm-10_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "85099119-4d76-4cd4-9834-1f670dca1ea4", + "description": "Add control implementation description here for item sc-20_smt.a" } ] - } - ] - }, - { - "uuid": "647d7c7b-c381-4d9c-a859-29556bb83cc0", - "control-id": "cm-1", - "statements": [ + }, { - "statement-id": "cm-1_smt.a", - "uuid": "f6843dde-b9f3-451d-8818-f4b8712d76a4", + "statement-id": "sc-20_smt.b", + "uuid": "ad525bb9-e114-4141-b97e-91953fd89675", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f766db56-ca65-4a6a-8784-2f228c499485", - "description": "Add control implementation description here for statement cm-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "25e77e11-0e3d-412b-80ed-7bcb58ea9fd0", + "description": "Add control implementation description here for item sc-20_smt.b" } ] } ] }, { - "uuid": "18e97439-943d-412d-b1c7-1e2a79060585", - "control-id": "cm-1", 
+ "uuid": "6345db2c-ed3f-4987-a619-892b3e0cf759", + "control-id": "sc-21", "statements": [ { - "statement-id": "cm-1_smt.b", - "uuid": "240eafc4-cb2c-48f7-b4be-6d0f140abfbd", + "statement-id": "sc-21_smt", + "uuid": "4315b1fe-d8fc-4f54-8f6c-6727788941bf", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "98bb3901-a932-440d-af9b-44ee60157ae2", - "description": "Add control implementation description here for statement cm-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1293c784-d1fb-4aa1-8900-d80905c27295", + "description": "Add control implementation description here for control sc-21" } ] } ] }, { - "uuid": "4412763a-ee8e-4bc4-adeb-5fe7778f1681", - "control-id": "cm-1", + "uuid": "2fa677d8-e553-4935-b5e7-21f27406c8a6", + "control-id": "sc-22", "statements": [ { - "statement-id": "cm-1_smt.c", - "uuid": "4086ad1c-8745-47db-ac9a-b1f7c0c3ebc5", + "statement-id": "sc-22_smt", + "uuid": "70db7822-b708-4115-92d2-69ceff37aea3", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "55603870-845a-479c-8122-ffae2629abc9", - "description": "Add control implementation description here for statement cm-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b014c826-2085-4095-866f-e8619361964a", + "description": "Add control implementation description here for control sc-22" } ] } ] }, { - "uuid": "b1b39c6b-bb58-4fe0-bef4-e32547c73f88", - "control-id": "cm-11", + "uuid": "59ca7b8e-a50f-4469-8f43-9b7f16cacacc", + "control-id": "sc-39", "statements": [ { - "statement-id": "cm-11_smt.a", - "uuid": "96062e4a-82e4-4e1e-a90d-84969327bab3", + "statement-id": "sc-39_smt", + "uuid": "4482b989-8232-462a-9fb3-e7cb795fb7af", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "b77194e2-33b2-4ed2-8025-7449d091f529", - "description": "Add control implementation description here for statement cm-11_smt.a" + 
"component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "2bdf50a4-718c-4c47-b643-aec1b29b015a", + "description": "Add control implementation description here for control sc-39" } ] } ] }, { - "uuid": "ebe97945-6e63-4a92-bb62-5686c9a7822c", - "control-id": "cm-11", + "uuid": "24fca182-06d8-4855-855e-7586a9717d3e", + "control-id": "si-1", "statements": [ { - "statement-id": "cm-11_smt.b", - "uuid": "50ef3715-0ac7-4a2b-823b-eecd017ac727", + "statement-id": "si-1_smt.a", + "uuid": "3b48b172-6cef-4cf7-8e43-50c1e300ddb9", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "f4962b09-98b2-417a-a083-c3ae6868f4cb", - "description": "Add control implementation description here for statement cm-11_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4a4c26a5-68bf-48ef-a09c-55ac61348423", + "description": "Add control implementation description here for item si-1_smt.a" } ] - } - ] - }, - { - "uuid": "ddf19c1c-c47d-4bc8-ba8d-ef95a4cf6e91", - "control-id": "cm-11", - "statements": [ + }, { - "statement-id": "cm-11_smt.c", - "uuid": "f5cae479-82f4-4819-a8e6-a409f25bbaef", + "statement-id": "si-1_smt.b", + "uuid": "261af665-768d-46d4-b9f3-b1d5669e55d5", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a4f55568-768c-4c61-a84a-f59fa297272e", - "description": "Add control implementation description here for statement cm-11_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "e42af704-7b31-4f00-84d7-891f41358037", + "description": "Add control implementation description here for item si-1_smt.b" } ] - } - ] - }, - { - "uuid": "e3a6121d-38b3-4b6e-aedb-bcecd00758ba", - "control-id": "cm-8", - "statements": [ + }, { - "statement-id": "cm-8_smt.a", - "uuid": "db1a8a46-29c7-4367-942a-cea172d511bd", + "statement-id": "si-1_smt.c", + "uuid": "bff81796-a229-4748-9f6e-bae33834dd13", "by-components": [ { - "component-uuid": 
"67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "9597b0d9-92a4-40d3-8b27-b5b841fa5721", - "description": "Add control implementation description here for statement cm-8_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "5402d037-25a4-4847-bacf-c546a1c08bae", + "description": "Add control implementation description here for item si-1_smt.c" } ] } ] }, { - "uuid": "1a057aa9-ef69-46c3-9d7c-4caf65feb7ff", - "control-id": "cm-8", + "uuid": "1a478fb5-c230-40f8-a3d3-b12280bd6ebd", + "control-id": "si-2", "statements": [ { - "statement-id": "cm-8_smt.b", - "uuid": "12a1d623-190e-44a1-bd42-06bad3b82b9b", + "statement-id": "si-2_smt.a", + "uuid": "d7722fea-0fe7-482f-a94f-f58f4144b38e", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "9cb910e0-d79d-4819-b58f-9abe9f407cd9", - "description": "Add control implementation description here for statement cm-8_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "dc3118d3-989a-4f03-9b96-b62e384fecf3", + "description": "Add control implementation description here for item si-2_smt.a" } ] - } - ] - }, - { - "uuid": "64ee640b-73b1-4076-baff-374151d965fc", - "control-id": "cm-2", - "statements": [ + }, { - "statement-id": "cm-2_smt.a", - "uuid": "6a6ad244-5991-4278-9947-dedf9b848e20", + "statement-id": "si-2_smt.b", + "uuid": "a51e22a1-bea4-4cf2-a8e0-0f9bbc4a5738", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "0476c74b-df1b-45b5-abd2-bcf612e17d51", - "description": "Add control implementation description here for statement cm-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4227e777-3e81-4a50-90b8-428729100edd", + "description": "Add control implementation description here for item si-2_smt.b" } ] - } - ] - }, - { - "uuid": "9902863e-38ca-446d-8ae4-7a8e05f63c2e", - "control-id": "cm-2", - "statements": [ + }, { - "statement-id": "cm-2_smt.b", - "uuid": 
"19c9b69f-6c27-41df-a801-e86bb53bc19d", + "statement-id": "si-2_smt.c", + "uuid": "bf96eb89-c8a5-48bb-93a7-f00ecb401cdc", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "44bdf786-c257-4556-8d01-ab875edec800", - "description": "Add control implementation description here for statement cm-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "4ac14622-22c8-495e-9a21-ef6ab8571270", + "description": "Add control implementation description here for item si-2_smt.c" } ] - } - ] - }, - { - "uuid": "53241d43-971f-4ff3-af26-445d0f06775a", - "control-id": "cm-6", - "statements": [ + }, { - "statement-id": "cm-6_smt.a", - "uuid": "c003f511-c6a7-4f1e-9838-f78487be0213", + "statement-id": "si-2_smt.d", + "uuid": "ce8aa0e4-75d5-40af-8cda-b3e0e5d4da51", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "5e3f30db-64e8-4d37-aca8-ac7fdd120085", - "description": "Add control implementation description here for statement cm-6_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "3044e6ef-1b68-49c1-81c8-a0827affe487", + "description": "Add control implementation description here for item si-2_smt.d" } ] } ] }, { - "uuid": "d7969283-2e2d-4e1d-b9ca-06225401d6fb", - "control-id": "cm-6", + "uuid": "fbaf863e-ee33-4291-b913-36b98584522f", + "control-id": "si-3", "statements": [ { - "statement-id": "cm-6_smt.b", - "uuid": "766c5d79-380c-450f-8767-13c0cce02306", + "statement-id": "si-3_smt.a", + "uuid": "47369958-c9f2-4fc2-b651-221deb492320", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "5af3854d-5449-4f3a-80e4-9d24a63750f0", - "description": "Add control implementation description here for statement cm-6_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "c0ba1bf9-d531-44f8-aa26-7e9d4cae321a", + "description": "Add control implementation description here for item si-3_smt.a" } ] - } - ] - 
}, - { - "uuid": "2dc0f22d-ba82-474f-abed-7b1dad9bee74", - "control-id": "cm-6", - "statements": [ + }, { - "statement-id": "cm-6_smt.c", - "uuid": "18f214fe-c1bc-434f-8549-1555994e334d", + "statement-id": "si-3_smt.b", + "uuid": "8faa96f8-e1e4-4c66-9caf-96c515cc95c1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c6fec0ca-53c9-4eec-aeb3-6c4473f1fe3b", - "description": "Add control implementation description here for statement cm-6_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0cbbddb8-d3d8-493e-b7c0-19c199fafa89", + "description": "Add control implementation description here for item si-3_smt.b" } ] - } - ] - }, - { - "uuid": "74d435b0-54de-4ec3-a99b-0c0e8c080c6c", - "control-id": "cm-6", - "statements": [ + }, { - "statement-id": "cm-6_smt.d", - "uuid": "35dfb44f-bae1-4d8e-afd1-62ed870e1273", + "statement-id": "si-3_smt.c", + "uuid": "5955b5b0-d812-422b-89b3-534c6a28f9b7", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "11172be7-e49f-4ffd-be5f-f1df0e915cbe", - "description": "Add control implementation description here for statement cm-6_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "bb3bd4c0-2903-4606-9fca-b8188fdd3e81", + "description": "Add control implementation description here for item si-3_smt.c" } ] - } - ] - }, - { - "uuid": "fb00a608-56e5-42b4-931a-a3aa41b9ee07", - "control-id": "cm-7", - "statements": [ + }, { - "statement-id": "cm-7_smt.a", - "uuid": "bff33ec8-186d-4b47-85bc-f3e513c7eb92", + "statement-id": "si-3_smt.d", + "uuid": "dd8d5cdd-cb45-48fc-90ae-38c3458cdc03", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "02d000bc-cdec-44e7-a58e-4f9cfde53f1e", - "description": "Add control implementation description here for statement cm-7_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1ab920dd-6466-46fb-a5bc-7fde029e575c", + 
"description": "Add control implementation description here for item si-3_smt.d" } ] } ] }, { - "uuid": "0f0b5dfa-71e5-47c7-95e3-c256608fdb10", - "control-id": "cm-7", + "uuid": "be623ed4-51af-471b-9f02-57750e9c5373", + "control-id": "si-4", "statements": [ { - "statement-id": "cm-7_smt.b", - "uuid": "c49c8c7b-f8ac-4460-ac98-2d28b2ed72d0", + "statement-id": "si-4_smt.a", + "uuid": "885fd567-53f0-4104-bdaf-a8987f0e8229", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "4010d7c8-7f65-423e-bc60-6e47bc9acab8", - "description": "Add control implementation description here for statement cm-7_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "6f4cf6f6-3567-4965-9543-170664e7c012", + "description": "Add control implementation description here for item si-4_smt.a" } ] - } - ] - }, - { - "uuid": "5bc1d11d-b047-404f-8fa7-2a75db8d7e78", - "control-id": "cp-9", - "statements": [ + }, { - "statement-id": "cp-9_smt.a", - "uuid": "0b5e5ddc-fd2d-4e18-b7f5-9b7b584d4bdd", + "statement-id": "si-4_smt.b", + "uuid": "55651de2-2bcb-4b65-873b-17abbf4a7430", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "2e9ac2d9-c8dc-43c9-a8cb-d773ba767bb5", - "description": "Add control implementation description here for statement cp-9_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d1091260-e5c5-4deb-bbb8-f22e10a7dccb", + "description": "Add control implementation description here for item si-4_smt.b" } ] - } - ] - }, - { - "uuid": "c16f8f5d-f3c1-4868-8d7f-2b8ac857db0f", - "control-id": "cp-9", - "statements": [ + }, { - "statement-id": "cp-9_smt.b", - "uuid": "12f05ea3-ca4f-4f5d-bdcf-891bf8bfd2e0", + "statement-id": "si-4_smt.c", + "uuid": "7c400b39-e993-47df-bf4d-5c2542be06d7", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "c8e57dca-d501-4cf6-904f-b4fb5a77e63b", - "description": "Add control implementation 
description here for statement cp-9_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "d6a80a03-7ae0-4112-8165-ab8a70fd8281", + "description": "Add control implementation description here for item si-4_smt.c" } ] - } - ] - }, - { - "uuid": "eca41fab-dcea-408a-94bd-a7e3bf21bf91", - "control-id": "cp-9", - "statements": [ + }, { - "statement-id": "cp-9_smt.c", - "uuid": "5349fd14-6f7f-4b03-90b1-fd2d5454ebe6", + "statement-id": "si-4_smt.d", + "uuid": "d824693f-8ca9-4e71-aa08-e34857555bb4", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "a7630ecf-5935-4dde-8511-727266134e6d", - "description": "Add control implementation description here for statement cp-9_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1ebde027-8940-481a-ba3e-fc2b6bc1d39d", + "description": "Add control implementation description here for item si-4_smt.d" } ] - } - ] - }, - { - "uuid": "d6979f48-1411-4d19-815b-4f1d23f45e55", - "control-id": "cp-9", - "statements": [ + }, { - "statement-id": "cp-9_smt.d", - "uuid": "ec140cde-dd91-443d-81ef-da52a9436620", + "statement-id": "si-4_smt.e", + "uuid": "6de5df6e-a9f7-461d-b753-4b842dd5a180", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "71324dbd-1c20-4c45-896a-3f8b2f6c1154", - "description": "Add control implementation description here for statement cp-9_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f60e8871-c38a-4ada-9089-b9548d7b174a", + "description": "Add control implementation description here for item si-4_smt.e" } ] - } - ] - }, - { - "uuid": "7f020386-432c-40ab-9501-5bf0d67df715", - "control-id": "cp-2", - "statements": [ + }, { - "statement-id": "cp-2_smt.a", - "uuid": "f1a56e97-f270-450a-b8d9-47105e796f81", + "statement-id": "si-4_smt.f", + "uuid": "a10e3689-ba8b-4cfe-8467-bb938d1109da", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - 
"uuid": "546d7bd2-44ac-40bf-b749-fe7eb2ea8f01", - "description": "Add control implementation description here for statement cp-2_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "5cc2c76c-9dbf-4f14-93f6-c101ab607c88", + "description": "Add control implementation description here for item si-4_smt.f" } ] - } - ] - }, - { - "uuid": "4e051e7c-0f82-4133-8d79-c275973347dd", - "control-id": "cp-2", - "statements": [ + }, { - "statement-id": "cp-2_smt.b", - "uuid": "4d725899-6a0e-493c-b266-a85c554b9e61", + "statement-id": "si-4_smt.g", + "uuid": "df2b7e96-fe40-4fbc-8365-63482d858630", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "6c826f5e-5e6e-4100-87e4-3b0ff21749bd", - "description": "Add control implementation description here for statement cp-2_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ce887cb6-4811-4ffe-8b99-50661ff604c0", + "description": "Add control implementation description here for item si-4_smt.g" } ] } ] }, { - "uuid": "36615b7f-207a-4fd3-8ef6-8abd07dbaa9f", - "control-id": "cp-2", + "uuid": "7f3def9b-4242-4b10-9249-52bcfd488088", + "control-id": "si-5", "statements": [ { - "statement-id": "cp-2_smt.c", - "uuid": "dd925bd7-0243-4e9b-a64b-f76a468f87df", + "statement-id": "si-5_smt.a", + "uuid": "e1607448-ea79-4250-bf29-84b6e0b62a9f", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "5de624e6-8b52-4237-98fd-d5a0036640e4", - "description": "Add control implementation description here for statement cp-2_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ee376e0d-d6f8-4c0f-9bb5-ece602243870", + "description": "Add control implementation description here for item si-5_smt.a" } ] - } - ] - }, - { - "uuid": "35d64c8e-5cb8-4feb-9489-83903fd72eab", - "control-id": "cp-2", - "statements": [ + }, { - "statement-id": "cp-2_smt.d", - "uuid": "b7ecdfa8-8fc6-42c2-9e08-1eef948f8103", + "statement-id": 
"si-5_smt.b", + "uuid": "59eab534-cd13-452b-bc46-043ffa896646", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "95ca5358-0a86-4d7c-add2-351b38d25d51", + "description": "Add control implementation description here for item si-5_smt.b" + } + ] + }, + { + "statement-id": "si-5_smt.c", + "uuid": "013e04d5-3b1b-4c43-87f3-ffc5a0baba90", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "326f0e65-e942-4da6-bf8a-bc6d9daa3488", - "description": "Add control implementation description here for statement cp-2_smt.d" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "cfba51a6-135c-4d7b-b5f3-c9169215ea38", + "description": "Add control implementation description here for item si-5_smt.c" + } + ] + }, + { + "statement-id": "si-5_smt.d", + "uuid": "f75e393f-0bd6-4ec8-b73b-7ed3a77e8e7a", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "390710ae-e20c-4b4e-b55f-7d17d60bf262", + "description": "Add control implementation description here for item si-5_smt.d" } ] } ] }, { - "uuid": "e3dc3c82-2032-41ef-9ca3-39fb264a0e68", - "control-id": "cp-2", + "uuid": "9f90d5b6-84f2-4125-bebe-52e2538ff421", + "control-id": "si-12", "statements": [ { - "statement-id": "cp-2_smt.e", - "uuid": "eb766b12-237b-4b4f-933b-54576f7cde73", + "statement-id": "si-12_smt", + "uuid": "d0074e91-b5e0-4e5b-9d28-5dddb846f3c1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "bb53552b-6a91-4496-96dd-7b474b851db2", - "description": "Add control implementation description here for statement cp-2_smt.e" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "f598341a-080d-4e7a-b46d-9a5ffcd1323b", + "description": "Add control implementation description here for control si-12" } ] } ] }, { - "uuid": "c87e56fa-3817-4818-ba22-ab1a9659161e", - "control-id": "cp-2", + "uuid": "14b38627-13bc-4139-92e8-d1cb9b2f2aa0", 
+ "control-id": "sr-1", "statements": [ { - "statement-id": "cp-2_smt.f", - "uuid": "1c803e82-806c-482c-81d7-526c42c53674", + "statement-id": "sr-1_smt.a", + "uuid": "e35cc3ad-ef55-4555-8fe6-559d7503ecc0", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0fa0676c-b8d5-40b4-96b1-e25916fb89af", + "description": "Add control implementation description here for item sr-1_smt.a" + } + ] + }, + { + "statement-id": "sr-1_smt.b", + "uuid": "dbae26bd-5d86-47d5-8e04-611f03ae1e88", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "1c4ee7ad-957d-486d-bbe7-27e0fc5a3988", + "description": "Add control implementation description here for item sr-1_smt.b" + } + ] + }, + { + "statement-id": "sr-1_smt.c", + "uuid": "e288a95b-3a52-446c-8978-90f088d03975", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "fec09266-c011-4b3f-b8c3-b4e4fac4aab5", - "description": "Add control implementation description here for statement cp-2_smt.f" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0f95f464-cbbb-4a27-865f-9de8f6d3f32c", + "description": "Add control implementation description here for item sr-1_smt.c" } ] } ] }, { - "uuid": "7e9e3b6e-2b9d-4d1e-a997-9a1518ffcd68", - "control-id": "cp-2", + "uuid": "cd23353b-68b1-4d70-a0c4-05e98093429a", + "control-id": "sr-2", "statements": [ { - "statement-id": "cp-2_smt.g", - "uuid": "01c54c5d-b155-44fc-b788-7f59e348e43a", + "statement-id": "sr-2_smt.a", + "uuid": "37a54720-f5d4-4588-9579-d31fc14d2ab8", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b8dd7beb-5e55-4b8f-9c7f-7e021f79e56f", + "description": "Add control implementation description here for item sr-2_smt.a" + } + ] + }, + { + "statement-id": "sr-2_smt.b", + "uuid": "0272212f-ac6b-4e37-ac1d-40edf6cc6494", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + 
"uuid": "d4fad1cd-c665-43e3-b9f4-1846c460d4fc", + "description": "Add control implementation description here for item sr-2_smt.b" + } + ] + }, + { + "statement-id": "sr-2_smt.c", + "uuid": "c1cd5d75-9019-4e06-813e-12ef0647fb7b", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "32e5c3e6-6af2-4bb5-a189-68c3c3f86823", - "description": "Add control implementation description here for statement cp-2_smt.g" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "69a47069-facb-47fd-9e94-ef858d00e04c", + "description": "Add control implementation description here for item sr-2_smt.c" } ] } ] }, { - "uuid": "53058194-1ff2-4c19-a767-a5604ce53442", - "control-id": "cp-2", + "uuid": "245affe8-d389-4b7f-8f6e-70631797eef8", + "control-id": "sr-2.1", "statements": [ { - "statement-id": "cp-2_smt.h", - "uuid": "3cd2daa5-e0e4-473f-8f5d-f4c91f08e3bb", + "statement-id": "sr-2.1_smt", + "uuid": "9118b659-e299-49c8-ae7b-3dccbe3b14d1", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "0fe897b9-56fe-48c2-8d83-119b590eabf8", - "description": "Add control implementation description here for statement cp-2_smt.h" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ff9897b6-88bd-4a31-8709-f4b4e0199272", + "description": "Add control implementation description here for control sr-2.1" } ] } ] }, { - "uuid": "02743026-5a66-435d-a620-b49653fa4e1d", - "control-id": "cp-3", + "uuid": "02329263-11c8-430b-a90a-6fea6f553f22", + "control-id": "sr-3", "statements": [ { - "statement-id": "cp-3_smt.a", - "uuid": "295c0fa3-c402-4291-a3a1-2c34a91079bd", + "statement-id": "sr-3_smt.a", + "uuid": "60ae9c1a-7c26-4108-a30d-844e88366bd4", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "7e643e32-e154-4a15-ac3c-2b7ec43bcf27", + "description": "Add control implementation description here for item sr-3_smt.a" + } + ] + }, + { + "statement-id": 
"sr-3_smt.b", + "uuid": "75d1f282-a944-436f-8ad4-996414728c53", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "5f28b59f-8710-43c3-807f-ba59d0f46aba", + "description": "Add control implementation description here for item sr-3_smt.b" + } + ] + }, + { + "statement-id": "sr-3_smt.c", + "uuid": "027b6af8-e794-4304-970e-fab7b19c93e5", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "48a35488-9162-4533-bd1f-2180b664ddcb", - "description": "Add control implementation description here for statement cp-3_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "7fac3f44-aedc-4f1d-9015-b06d9fdbf196", + "description": "Add control implementation description here for item sr-3_smt.c" } ] } ] }, { - "uuid": "62899d5a-690d-49a8-b8bf-15951f3a9533", - "control-id": "cp-3", + "uuid": "e0ded988-4edc-4180-8827-0f4bc9025a33", + "control-id": "sr-5", "statements": [ { - "statement-id": "cp-3_smt.b", - "uuid": "b72f585f-28d4-4652-bc99-62d50365e9ad", + "statement-id": "sr-5_smt", + "uuid": "f638b9a7-e8fe-44b6-b6b2-ca33fa3fd19a", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "52848bf7-d8df-4724-9a13-a581c4baef38", - "description": "Add control implementation description here for statement cp-3_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "6dc30571-0fe9-4835-b039-b3ca9aa969fe", + "description": "Add control implementation description here for control sr-5" } ] } ] }, { - "uuid": "0118b640-62b6-45a0-a838-d58fa461cbc0", - "control-id": "cp-4", + "uuid": "30390c5b-2c2c-45c5-a857-166d44ca6912", + "control-id": "sr-8", "statements": [ { - "statement-id": "cp-4_smt.a", - "uuid": "a2eb35f8-9571-4daa-a7d8-7deb7f9ccef0", + "statement-id": "sr-8_smt", + "uuid": "fe0a36c8-9e2b-4f45-8cc2-e271c4f2b47d", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": 
"b5aace2e-3684-484d-b3f1-00c9d39c081e", - "description": "Add control implementation description here for statement cp-4_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "87b328d9-c1f2-40e7-8675-712e23582ce6", + "description": "Add control implementation description here for control sr-8" } ] } ] }, { - "uuid": "fc018edf-793f-4c53-8189-f759796c4fe7", - "control-id": "cp-4", + "uuid": "50a381ac-f409-442a-a613-043459f5b6e0", + "control-id": "sr-10", "statements": [ { - "statement-id": "cp-4_smt.b", - "uuid": "90b650aa-aaeb-4128-b1c8-6a1e0ed1d75d", + "statement-id": "sr-10_smt", + "uuid": "43f28511-dfbc-46a2-bcff-b0646c76e55f", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "45af25d1-80a1-45e4-a179-1d2adf3483aa", - "description": "Add control implementation description here for statement cp-4_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "81194a9f-be9f-4127-8404-659f12a56a8f", + "description": "Add control implementation description here for control sr-10" } ] } ] }, { - "uuid": "230ceccc-4911-4823-b907-14a56174ce96", - "control-id": "cp-4", + "uuid": "b89cd41e-80cb-411a-887d-1238f0f4ec5e", + "control-id": "sr-11", "statements": [ { - "statement-id": "cp-4_smt.c", - "uuid": "774e5220-aa5f-4cbc-9450-ce91a48041d1", + "statement-id": "sr-11_smt.a", + "uuid": "bb9ebac8-2334-4a56-94c2-1fc8fa0ffff6", + "by-components": [ + { + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "fbd74ec4-5d91-46d2-8b2e-66c8cbf8de5f", + "description": "Add control implementation description here for item sr-11_smt.a" + } + ] + }, + { + "statement-id": "sr-11_smt.b", + "uuid": "7efac7d1-dac9-4866-bf83-5db812f0c2a3", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "aed142ed-ed9b-4edf-9920-880609af909d", - "description": "Add control implementation description here for statement cp-4_smt.c" + "component-uuid": 
"97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "319d5b21-4c42-4453-869e-93acf84d41df", + "description": "Add control implementation description here for item sr-11_smt.b" } ] } ] }, { - "uuid": "a29849b0-1702-46b3-a74d-1b6703de71ad", - "control-id": "cp-1", + "uuid": "c91216de-9333-440d-bb53-7d93b0e006f5", + "control-id": "sr-11.1", "statements": [ { - "statement-id": "cp-1_smt.a", - "uuid": "55a6f5b2-e887-4724-af16-635ac2cc3328", + "statement-id": "sr-11.1_smt", + "uuid": "b4ca654a-76bc-4745-94e2-e81bff6aa653", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "09758611-c67f-47fd-977b-d4944f223a61", - "description": "Add control implementation description here for statement cp-1_smt.a" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "0b8dcd0b-0a1a-4014-b3f3-4a220cfe37c6", + "description": "Add control implementation description here for control sr-11.1" } ] } ] }, { - "uuid": "c74f12e1-48c9-479b-a125-800433dac3c6", - "control-id": "cp-1", + "uuid": "ace10183-f379-498d-be41-390598a2c5d4", + "control-id": "sr-11.2", "statements": [ { - "statement-id": "cp-1_smt.b", - "uuid": "3ed724d3-7775-4000-bd0a-3a92abb65665", + "statement-id": "sr-11.2_smt", + "uuid": "c9a2a3e4-a0ca-40e2-b24c-b6f56b50803f", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "44a6217d-931f-49be-981d-02384d5147be", - "description": "Add control implementation description here for statement cp-1_smt.b" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "ff8550fe-4cf2-418f-9167-b6f23b396346", + "description": "Add control implementation description here for control sr-11.2" } ] } ] }, { - "uuid": "476b969b-3561-461a-bfd6-65227812fb81", - "control-id": "cp-1", + "uuid": "9744de97-659f-4235-9125-94b63d6183a1", + "control-id": "sr-12", "statements": [ { - "statement-id": "cp-1_smt.c", - "uuid": "46ea39e2-b27d-4493-a1c8-5bf48de58208", + "statement-id": "sr-12_smt", + "uuid": 
"53b45ccb-db1b-4a94-ad00-acb735700a75", "by-components": [ { - "component-uuid": "67e4c611-e270-4dd4-9c0a-abb329132e47", - "uuid": "52321655-3eb3-48dd-8fce-0c682ac30aa5", - "description": "Add control implementation description here for statement cp-1_smt.c" + "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "fb968d28-b2a0-4dfc-a191-6d01db4f2f44", + "description": "Add control implementation description here for control sr-12" } ] } diff --git a/ssp_author_demo/test_system/ac/ac-1.md b/ssp_author_demo/test_system/ac/ac-1.md index 400631c..810afe8 100644 --- a/ssp_author_demo/test_system/ac/ac-1.md +++ b/ssp_author_demo/test_system/ac/ac-1.md @@ -1,3 +1,9 @@ +--- +sort-id: ac-01 +x-trestle-sections: + guidance: Control Guidance +--- + # ac-1 - Access Control Policy and Procedures ## Control Description diff --git a/ssp_author_demo/test_system/ac/ac-14.md b/ssp_author_demo/test_system/ac/ac-14.md index dded9b5..4c106c8 100644 --- a/ssp_author_demo/test_system/ac/ac-14.md +++ b/ssp_author_demo/test_system/ac/ac-14.md 
@@ -1,24 +1,37 @@ -# ac-14 - Access Control Permitted Actions Without Identification or Authentication +--- +sort-id: ac-14 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ac-14 - \[Access Control\] Permitted Actions Without Identification or Authentication + +## Control Statement + +- \[a.\] Identify organization-defined user actions that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and -- \[a.\] Identify \[ac-14_prm_1 = organization-defined user actions\] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and - \[b.\] Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication. +## Control Control Guidance + +Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. 
Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be "none." + ______________________________________________________________________ -## ac-14 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ac-14_smt.a +Add control implementation description here for item ac-14_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ac-14_smt.b +Add control implementation description here for item ac-14_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ac/ac-17.md b/ssp_author_demo/test_system/ac/ac-17.md index 105aa7d..ebcb6a8 100644 --- a/ssp_author_demo/test_system/ac/ac-17.md +++ b/ssp_author_demo/test_system/ac/ac-17.md 
@@ -1,24 +1,37 @@ -# ac-17 - Access Control Remote Access +--- +sort-id: ac-17 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ac-17 - \[Access Control\] Remote Access + +## Control Statement - \[a.\] Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and + - \[b.\] Authorize each type of remote access to the system prior to allowing such connections. +## Control Control Guidance + +Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3). Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3). 
+ ______________________________________________________________________ -## ac-17 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ac-17_smt.a +Add control implementation description here for item ac-17_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ac-17_smt.b +Add control implementation description here for item ac-17_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ac/ac-18.md b/ssp_author_demo/test_system/ac/ac-18.md index 0f238db..bc69dab 100644 --- a/ssp_author_demo/test_system/ac/ac-18.md +++ b/ssp_author_demo/test_system/ac/ac-18.md 
@@ -1,24 +1,37 @@ -# ac-18 - Access Control Wireless Access +--- +sort-id: ac-18 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ac-18 - \[Access Control\] Wireless Access + +## Control Statement - \[a.\] Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and + - \[b.\] Authorize each type of wireless access to the system prior to allowing such connections. +## Control Control Guidance + +Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication. + ______________________________________________________________________ -## ac-18 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ac-18_smt.a +Add control implementation description here for item ac-18_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ac-18_smt.b +Add control implementation description here for item ac-18_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ac/ac-19.md b/ssp_author_demo/test_system/ac/ac-19.md index 47a5854..69fbc80 100644 --- a/ssp_author_demo/test_system/ac/ac-19.md +++ b/ssp_author_demo/test_system/ac/ac-19.md 
@@ -1,24 +1,41 @@ -# ac-19 - Access Control Access Control for Mobile Devices +--- +sort-id: ac-19 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ac-19 - \[Access Control\] Access Control for Mobile Devices + +## Control Statement - \[a.\] Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and + - \[b.\] Authorize the connection of mobile devices to organizational systems. +## Control Control Guidance + +A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. + +Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. 
Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. + +Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19). Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled. + ______________________________________________________________________ -## ac-19 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ac-19_smt.a +Add control implementation description here for item ac-19_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ac-19_smt.b +Add control implementation description here for item ac-19_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ac/ac-2.md b/ssp_author_demo/test_system/ac/ac-2.md index 9857a7b..7644f31 100644 
--- a/ssp_author_demo/test_system/ac/ac-2.md +++ b/ssp_author_demo/test_system/ac/ac-2.md 
@@ -1,117 +1,133 @@ -# ac-2 - Access Control Account Management +--- +sort-id: ac-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ac-2 - \[Access Control\] Account Management + +## Control Statement - \[a.\] Define and document the types of accounts allowed and specifically prohibited for use within the system; - \[b.\] Assign account managers; -- \[c.\] Require \[ac-2_prm_1 = organization-defined prerequisites and criteria\] for group and role membership; +- \[c.\] Require organization-defined prerequisites and criteria for group and role membership; - \[d.\] Specify: - \[1.\] Authorized users of the system; - \[2.\] Group and role membership; and - - \[3.\] Access authorizations (i.e., privileges) and \[ac-2_prm_2 = organization-defined attributes (as required)\] for each account; + - \[3.\] Access authorizations (i.e., privileges) and organization-defined attributes (as required) for each account; -- \[e.\] Require approvals by \[ac-2_prm_3 = organization-defined personnel or roles\] for requests to create accounts; +- \[e.\] Require approvals by organization-defined personnel or roles for requests to create accounts; -- \[f.\] Create, enable, modify, disable, and remove accounts in accordance with \[ac-2_prm_4 = organization-defined policy, procedures, prerequisites, and criteria\]; +- \[f.\] Create, enable, modify, disable, and remove accounts in accordance with organization-defined policy, procedures, prerequisites, and criteria; - \[g.\] Monitor the use of accounts; -- \[h.\] Notify account managers and \[ac-2_prm_5 = organization-defined personnel or roles\] within: +- \[h.\] Notify account managers and organization-defined personnel or roles within: - - \[1.\] \[ac-2_prm_6 = organization-defined time period\] when accounts are no longer required; - - \[2.\] \[ac-2_prm_7 = organization-defined time period\] when users are terminated or transferred; and - - \[3.\] \[ac-2_prm_8 = organization-defined time period\] when 
system usage or need-to-know changes for an individual; + - \[1.\] organization-defined time period when accounts are no longer required; + - \[2.\] organization-defined time period when users are terminated or transferred; and + - \[3.\] organization-defined time period when system usage or need-to-know changes for an individual; - \[i.\] Authorize access to the system based on: - \[1.\] A valid access authorization; - \[2.\] Intended system usage; and - - \[3.\] \[ac-2_prm_9 = organization-defined attributes (as required)\]; + - \[3.\] organization-defined attributes (as required); -- \[j.\] Review accounts for compliance with account management requirements \[ac-2_prm_1 = organization-defined prerequisites and criteria\]0; +- \[j.\] Review accounts for compliance with account management requirements organization-defined frequency; - \[k.\] Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and - \[l.\] Align account management processes with personnel termination and transfer processes. +## Control Control Guidance + +Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts. 
+ +Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability. + +Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. 
Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training. + ______________________________________________________________________ -## ac-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ac-2_smt.a +Add control implementation description here for item ac-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ac-2_smt.b +Add control implementation description here for item ac-2_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ac-2_smt.c +Add control implementation description here for item ac-2_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ac-2_smt.d +Add control implementation description here for item ac-2_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement ac-2_smt.e +Add control implementation description here for item ac-2_smt.e ______________________________________________________________________ -### Part f. +## Implementation f. -Add control implementation description here for statement ac-2_smt.f +Add control implementation description here for item ac-2_smt.f ______________________________________________________________________ -### Part g. +## Implementation g. 
-Add control implementation description here for statement ac-2_smt.g +Add control implementation description here for item ac-2_smt.g ______________________________________________________________________ -### Part h. +## Implementation h. -Add control implementation description here for statement ac-2_smt.h +Add control implementation description here for item ac-2_smt.h ______________________________________________________________________ -### Part i. +## Implementation i. -Add control implementation description here for statement ac-2_smt.i +Add control implementation description here for item ac-2_smt.i ______________________________________________________________________ -### Part j. +## Implementation j. -Add control implementation description here for statement ac-2_smt.j +Add control implementation description here for item ac-2_smt.j ______________________________________________________________________ -### Part k. +## Implementation k. -Add control implementation description here for statement ac-2_smt.k +Add control implementation description here for item ac-2_smt.k ______________________________________________________________________ -### Part l. +## Implementation l. -Add control implementation description here for statement ac-2_smt.l +Add control implementation description here for item ac-2_smt.l ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ac/ac-20.md b/ssp_author_demo/test_system/ac/ac-20.md index df34225..487719d 100644 --- a/ssp_author_demo/test_system/ac/ac-20.md +++ b/ssp_author_demo/test_system/ac/ac-20.md 
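Review bot: In the ac-2.md hunk the per-item headings move from "### Part a." to "## Implementation a." (through l.), which puts them at the same level as "## What is the solution and how is it implemented?", so the twelve item sections no longer nest under that heading and the heading itself is left with nothing but two blank lines beneath it. If trestle 1.0 keys on the H2 level for round-tripping, keep it, but then either give the parent section its own placeholder (as the single-statement controls in this patch get, e.g. "Add control implementation description here for control ac-3") or drop the empty section for multi-part controls so authors do not wonder what belongs there. The placeholder wording also changes from "for statement ac-2_smt.a" to "for item ac-2_smt.a"; anything that greps for the old string to find untouched sections will miss these files, which is worth a line in the commit message.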
@@ -1,28 +1,44 @@ -# ac-20 - Access Control Use of External Systems +--- +sort-id: ac-20 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ac-20 - \[Access Control\] Use of External Systems -- \[a.\] \[ac-20_prm_1 = one-or-more \['Establish \[ac-20_prm_2 = organization-defined terms and conditions\] ', 'Identify \[ac-20_prm_3 = organization-defined controls asserted to be implemented on external systems\] '\]\], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: +## Control Statement + +- \[a.\] Establish {{ insert: param, ac-20_prm_2 }} ; Identify {{ insert: param, ac-20_prm_3 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: - \[1.\] Access the system from external systems; and - \[2.\] Process, store, or transmit organization-controlled information using external systems; or -- \[b.\] Prohibit the use of \[ac-20_prm_4 = organizationally-defined types of external systems\]. +- \[b.\] Prohibit the use of organizationally-defined types of external systems. + +## Control Control Guidance + +External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. 
External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems). + +For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. + +External systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20). Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. 
At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. ______________________________________________________________________ -## ac-20 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ac-20_smt.a +Add control implementation description here for item ac-20_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ac-20_smt.b +Add control implementation description here for item ac-20_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ac/ac-22.md b/ssp_author_demo/test_system/ac/ac-22.md index c9b2b99..6e4449f 100644 --- a/ssp_author_demo/test_system/ac/ac-22.md +++ b/ssp_author_demo/test_system/ac/ac-22.md 
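Review bot: Parameter rendering in the ac-20 a. statement is inconsistent within one file: ac-20_prm_2 and ac-20_prm_3 are left as raw `{{ insert: param, ac-20_prm_2 }}` moustaches (with a stray space before ";" and ","), while ac-20_prm_4 in b. is flattened to the bare label "organizationally-defined types of external systems". The old one-or-more selection (`one-or-more ['Establish …', 'Identify …']`) has also become "Establish … ; Identify … ," which reads as two mandatory actions rather than a choice; since that choice is what decides whether the system sets terms and conditions for external systems or asserts controls on them, render it as an explicit selection (e.g. "Selection (one or more): Establish …; Identify …") or keep the param id so the SSP author can see a value is still required. Separately, every file in this patch now carries the heading "## Control Control Guidance": the `x-trestle-sections` value is already "Control Guidance" and the generator prefixes "Control" again, so either map `guidance: Guidance` in the front matter or stop prepending.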
@@ -1,38 +1,53 @@ -# ac-22 - Access Control Publicly Accessible Content +--- +sort-id: ac-22 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ac-22 - \[Access Control\] Publicly Accessible Content + +## Control Statement - \[a.\] Designate individuals authorized to make information publicly accessible; + - \[b.\] Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; + - \[c.\] Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and -- \[d.\] Review the content on the publicly accessible system for nonpublic information \[ac-22_prm_1 = organization-defined frequency\] and remove such information, if discovered. + +- \[d.\] Review the content on the publicly accessible system for nonpublic information organization-defined frequency and remove such information, if discovered. + +## Control Control Guidance + +In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible. 
______________________________________________________________________ -## ac-22 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ac-22_smt.a +Add control implementation description here for item ac-22_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ac-22_smt.b +Add control implementation description here for item ac-22_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ac-22_smt.c +Add control implementation description here for item ac-22_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ac-22_smt.d +Add control implementation description here for item ac-22_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ac/ac-3.md b/ssp_author_demo/test_system/ac/ac-3.md index 6cfb519..3a86345 100644 --- a/ssp_author_demo/test_system/ac/ac-3.md +++ b/ssp_author_demo/test_system/ac/ac-3.md 
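Review bot: In ac-22 d. the parameter is now inlined as plain text, "for nonpublic information organization-defined frequency and remove such information", with nothing marking "organization-defined frequency" as a value the organization must set; the old `[ac-22_prm_1 = organization-defined frequency]` at least made the gap visible. The review cadence for nonpublic content on a public-facing system is exactly what an assessor checks, so keep a delimiter (brackets or the param id) around unset parameters. The guidance link `[PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455)` also targets a catalog back-matter UUID that does not exist as an anchor in this standalone markdown file and renders as a dead link; resolve it to the resource title or strip the link during markdown generation.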
@@ -1,11 +1,23 @@ -# ac-3 - Access Control Access Enforcement +--- +sort-id: ac-03 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ac-3 - \[Access Control\] Access Enforcement -- Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. +## Control Statement + +Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + +## Control Control Guidance + +Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ([PE](#pe)) family. ______________________________________________________________________ -## ac-3 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ac-3 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ac/ac-7.md b/ssp_author_demo/test_system/ac/ac-7.md index 724ae74..7d62f5c 100644 --- a/ssp_author_demo/test_system/ac/ac-7.md +++ b/ssp_author_demo/test_system/ac/ac-7.md 
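Review bot: Single-statement controls such as ac-3 now get "Add control implementation description here for control ac-3" directly under "## What is the solution and how is it implemented?", while multi-part controls in the same patch get an empty section followed by "## Implementation a." subsections; two different shapes for the same section means a downstream parser or author has to special-case which placeholder to look for, so it would help to document both in the README for the demo. The guidance text's `[PE](#pe)` is a family-level anchor with no target in this file, the same dead-link problem as the UUID link in ac-22.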
@@ -1,24 +1,37 @@ -# ac-7 - Access Control Unsuccessful Logon Attempts +--- +sort-id: ac-07 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ac-7 - \[Access Control\] Unsuccessful Logon Attempts -- \[a.\] Enforce a limit of \[ac-7_prm_1 = organization-defined number\] consecutive invalid logon attempts by a user during a \[ac-7_prm_2 = organization-defined time period\]; and -- \[b.\] Automatically \[ac-7_prm_3 = one-or-more \['lock the account or node for an \[ac-7_prm_4 = organization-defined time period\] ', 'lock the account or node until released by an administrator', 'delay next logon prompt per \[ac-7_prm_5 = organization-defined delay algorithm\] ', 'notify system administrator', 'take other \[ac-7_prm_6 = organization-defined action\] '\]\] when the maximum number of unsuccessful attempts is exceeded. +## Control Statement + +- \[a.\] Enforce a limit of organization-defined number consecutive invalid logon attempts by a user during a organization-defined time period; and + +- \[b.\] Automatically lock the account or node for an {{ insert: param, ac-7_prm_4 }} ; lock the account or node until released by an administrator; delay next logon prompt per {{ insert: param, ac-7_prm_5 }} ; notify system administrator; take other {{ insert: param, ac-7_prm_6 }} when the maximum number of unsuccessful attempts is exceeded. + +## Control Control Guidance + +The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. 
Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need. ______________________________________________________________________ -## ac-7 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ac-7_smt.a +Add control implementation description here for item ac-7_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ac-7_smt.b +Add control implementation description here for item ac-7_smt.b ______________________________________________________________________ 
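Review bot: The ac-7 b. statement collapses a one-or-more selection into a single run-on: "Automatically lock the account or node for an {{ insert: param, ac-7_prm_4 }} ; lock the account or node until released by an administrator; delay next logon prompt per …; notify system administrator; take other … when the maximum number of unsuccessful attempts is exceeded." As written it asserts that all five responses are enforced, which is not what the control says and will mislead whoever fills in the implementation (a timed lock and an until-released lock are mutually exclusive). Render the selection explicitly and keep the choices distinguishable. In a., "during a organization-defined time period" needs the article fixed and the parameter delimited; mixing moustache placeholders in b. with bare labels in a. inside one control statement is the same inconsistency flagged for ac-20.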
diff --git a/ssp_author_demo/test_system/ac/ac-8.md b/ssp_author_demo/test_system/ac/ac-8.md index 3acbd58..74aff27 100644 --- a/ssp_author_demo/test_system/ac/ac-8.md +++ b/ssp_author_demo/test_system/ac/ac-8.md @@ -1,8 +1,14 @@ -# ac-8 - Access Control System Use Notification +--- +sort-id: ac-08 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ac-8 - \[Access Control\] System Use Notification -- \[a.\] Display \[ac-8_prm_1 = organization-defined system use notification message or banner\] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: +## Control Statement + +- \[a.\] Display organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: - \[1.\] Users are accessing a U.S. Government system; - \[2.\] System usage may be monitored, recorded, and subject to audit; 
@@ -13,30 +19,36 @@ - \[c.\] For publicly accessible systems: - - \[1.\] Display system use information \[ac-8_prm_2 = organization-defined conditions\], before granting further access to the publicly accessible system; + - \[1.\] Display system use information organization-defined conditions, before granting further access to the publicly accessible system; - \[2.\] Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and - \[3.\] Include a description of the authorized uses of the system. +## Control Control Guidance + +System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content. + ______________________________________________________________________ -## ac-8 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement ac-8_smt.a +Add control implementation description here for item ac-8_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ac-8_smt.b +Add control implementation description here for item ac-8_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ac-8_smt.c +Add control implementation description here for item ac-8_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/at/at-1.md b/ssp_author_demo/test_system/at/at-1.md index 1aa18ab..47afb64 100644 --- a/ssp_author_demo/test_system/at/at-1.md +++ b/ssp_author_demo/test_system/at/at-1.md 
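Review bot: Both ac-8 hunks drop the parameter delimiters: "Display organization-defined system use notification message or banner to users" in a. and "Display system use information organization-defined conditions, before granting further access" in c.1. The banner text (ac-8_prm_1) is the one value the guidance says must go through the privacy office and general counsel, so the markdown should make it obvious that it is still unset rather than reading as if "organization-defined system use notification message" were the banner. The second hunk also inserts a blank line between the guidance paragraph and the "____" separator, whereas ac-20 and ac-7 do not; pick one so regenerated files do not churn on whitespace.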
@@ -1,43 +1,55 @@ -# at-1 - Awareness and Training Policy and Procedures +--- +sort-id: at-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# at-1 - \[Awareness and Training\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[at-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[at-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] awareness and training policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level awareness and training policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; -- \[b.\] Designate an \[at-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and - \[c.\] Review and update the current awareness and training: - - \[1.\] Policy \[at-1_prm_4 = organization-defined frequency\] and following \[at-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[at-1_prm_6 = organization-defined frequency\] and following \[at-1_prm_7 = organization-defined events\]. 
+ - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. + +## Control Control Guidance + +Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## at-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement at-1_smt.a +Add control implementation description here for item at-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement at-1_smt.b +Add control implementation description here for item at-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement at-1_smt.c +Add control implementation description here for item at-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/at/at-2.2.md b/ssp_author_demo/test_system/at/at-2.2.md index 4132df9..9c168d3 100644 --- a/ssp_author_demo/test_system/at/at-2.2.md +++ b/ssp_author_demo/test_system/at/at-2.2.md 
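Review bot: In at-1 a.1 the one-or-more selection is rendered as "Organization-level; Mission/business process-level; System-level awareness and training policy that:", which reads as a single policy spanning all three levels rather than a choice of which levels the policy is written at; the guidance two paragraphs later explicitly says organization-level policy "may obviate the need for mission- or system-specific policies", so the flattened form contradicts it. Mark it as a selection. The same bare-label problem as elsewhere applies to "disseminate to organization-defined personnel or roles:" and to the c.1 and c.2 frequency and event parameters.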
@@ -1,11 +1,23 @@ -# at-2.2 - Awareness and Training Insider Threat +--- +sort-id: at-02.02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# at-2.2 - \[Awareness and Training\] Insider Threat -- Provide literacy training on recognizing and reporting potential indicators of insider threat. +## Control Statement + +Provide literacy training on recognizing and reporting potential indicators of insider threat. + +## Control Control Guidance + +Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations. ______________________________________________________________________ -## at-2.2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control at-2.2 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/at/at-2.md b/ssp_author_demo/test_system/at/at-2.md index 0150eb4..d727d7f 100644 --- a/ssp_author_demo/test_system/at/at-2.md +++ b/ssp_author_demo/test_system/at/at-2.md 
@@ -1,44 +1,58 @@ -# at-2 - Awareness and Training Literacy Training and Awareness +--- +sort-id: at-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# at-2 - \[Awareness and Training\] Literacy Training and Awareness + +## Control Statement - \[a.\] Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): - - \[1.\] As part of initial training for new users and \[at-2_prm_1 = organization-defined frequency\] thereafter; and - - \[2.\] When required by system changes or following \[at-2_prm_2 = organization-defined events\]; + - \[1.\] As part of initial training for new users and organization-defined frequency thereafter; and + - \[2.\] When required by system changes or following organization-defined events; -- \[b.\] Employ the following techniques to increase the security and privacy awareness of system users \[at-2_prm_3 = organization-defined awareness techniques\]; +- \[b.\] Employ the following techniques to increase the security and privacy awareness of system users organization-defined awareness techniques; -- \[c.\] Update literacy training and awareness content \[at-2_prm_4 = organization-defined frequency\] and following \[at-2_prm_5 = organization-defined events\]; and +- \[c.\] Update literacy training and awareness content organization-defined frequency and following organization-defined events; and - \[d.\] Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques. +## Control Control Guidance + +Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). 
The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information. + +Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. + ______________________________________________________________________ -## at-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement at-2_smt.a +Add control implementation description here for item at-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. 
-Add control implementation description here for statement at-2_smt.b +Add control implementation description here for item at-2_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement at-2_smt.c +Add control implementation description here for item at-2_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement at-2_smt.d +Add control implementation description here for item at-2_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/at/at-3.md b/ssp_author_demo/test_system/at/at-3.md index 6547d60..2e676de 100644 --- a/ssp_author_demo/test_system/at/at-3.md +++ b/ssp_author_demo/test_system/at/at-3.md 
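Review bot: at-2 b. now reads "Employ the following techniques to increase the security and privacy awareness of system users organization-defined awareness techniques;", which is ungrammatical once the `[at-2_prm_3 = …]` delimiter is gone and gives no cue that a list of techniques must be supplied. The guidance's `[AT-2a.1](#at-2_smt.a.1)` links to the statement item id, but the generated markdown renders that item as "- \[1.\]" with no anchor, so the cross-reference is dead in the standalone file; either emit anchors for statement items or flatten the link to plain "AT-2a.1".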
@@ -1,36 +1,50 @@ -# at-3 - Awareness and Training Role-based Training +--- +sort-id: at-03 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# at-3 - \[Awareness and Training\] Role-based Training -- \[a.\] Provide role-based security and privacy training to personnel with the following roles and responsibilities: \[at-3_prm_1 = organization-defined roles and responsibilities\]: +## Control Statement - - \[1.\] Before authorizing access to the system, information, or performing assigned duties, and \[at-3_prm_2 = organization-defined frequency\] thereafter; and +- \[a.\] Provide role-based security and privacy training to personnel with the following roles and responsibilities: organization-defined roles and responsibilities: + + - \[1.\] Before authorizing access to the system, information, or performing assigned duties, and organization-defined frequency thereafter; and - \[2.\] When required by system changes; -- \[b.\] Update role-based training content \[at-3_prm_3 = organization-defined frequency\] and following \[at-3_prm_4 = organization-defined events\]; and +- \[b.\] Update role-based training content organization-defined frequency and following organization-defined events; and - \[c.\] Incorporate lessons learned from internal or external security incidents or breaches into role-based training. +## Control Control Guidance + +Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. 
Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information. + +Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. 
Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. + ______________________________________________________________________ -## at-3 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement at-3_smt.a +Add control implementation description here for item at-3_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement at-3_smt.b +Add control implementation description here for item at-3_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement at-3_smt.c +Add control implementation description here for item at-3_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/at/at-4.md b/ssp_author_demo/test_system/at/at-4.md index b70fc05..69a59c6 100644 --- a/ssp_author_demo/test_system/at/at-4.md +++ b/ssp_author_demo/test_system/at/at-4.md 
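Review bot: the generated heading `## Control Control Guidance` in the at-3 hunk doubles the word "Control", and the same heading appears in every regenerated file in this patch. The front matter maps `guidance: Control Guidance`, and the emitted heading prefixes "Control " to that title again, so the mapping should be `guidance: Guidance` (or the generator should stop prefixing) and the files regenerated, otherwise every SSP author will have to hand-edit the heading or live with it in the assembled document.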
@@ -1,24 +1,37 @@ -# at-4 - Awareness and Training Training Records +--- +sort-id: at-04 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# at-4 - \[Awareness and Training\] Training Records + +## Control Statement - \[a.\] Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and -- \[b.\] Retain individual training records for \[at-4_prm_1 = organization-defined time period\]. + +- \[b.\] Retain individual training records for organization-defined time period. + +## Control Control Guidance + +Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies. ______________________________________________________________________ -## at-4 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement at-4_smt.a +Add control implementation description here for item at-4_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement at-4_smt.b +Add control implementation description here for item at-4_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/au/au-1.md b/ssp_author_demo/test_system/au/au-1.md index 547afd3..5bad678 100644 --- a/ssp_author_demo/test_system/au/au-1.md +++ b/ssp_author_demo/test_system/au/au-1.md 
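Review bot: in the at-4 hunk the parameter placeholder is flattened into plain prose, `Retain individual training records for organization-defined time period.`, with no bracket, id or other marker left to show that a value still has to be supplied. The removed form `\[at-4_prm_1 = organization-defined time period\]` made the unset parameter visible and searchable by id. Either keep a delimiter around the placeholder (for example `[organization-defined time period]`) or resolve the value from the profile's set-parameters before generating, so unfilled parameters cannot be mistaken for finished control text.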
@@ -1,43 +1,55 @@ -# au-1 - Audit and Accountability Policy and Procedures +--- +sort-id: au-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# au-1 - \[Audit and Accountability\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[au-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[au-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] audit and accountability policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level audit and accountability policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; -- \[b.\] Designate an \[au-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and - \[c.\] Review and update the current audit and accountability: - - \[1.\] Policy \[au-1_prm_4 = organization-defined frequency\] and following \[au-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[au-1_prm_6 = organization-defined frequency\] and following \[au-1_prm_7 = organization-defined events\]. 
+ - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. + +## Control Control Guidance + +Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## au-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement au-1_smt.a +Add control implementation description here for item au-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement au-1_smt.b +Add control implementation description here for item au-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement au-1_smt.c +Add control implementation description here for item au-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/au/au-11.md b/ssp_author_demo/test_system/au/au-11.md index 1c408e5..4dfddaf 100644 --- a/ssp_author_demo/test_system/au/au-11.md +++ b/ssp_author_demo/test_system/au/au-11.md 
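Review bot: in the au-1 hunk the one-or-more selection `\[au-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\]` is rendered as `Organization-level; Mission/business process-level; System-level audit and accountability policy that:`, which reads as if all three levels are required rather than as a choice of one or more. Render selections with the choice made explicit, e.g. `[Selection (one or more): Organization-level; Mission/business process-level; System-level]`, so the statement still tells the author which alternatives the profile allows.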
@@ -1,11 +1,23 @@ -# au-11 - Audit and Accountability Audit Record Retention +--- +sort-id: au-11 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# au-11 - \[Audit and Accountability\] Audit Record Retention -- Retain audit records for \[au-11_prm_1 = organization-defined time period consistent with records retention policy\] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. +## Control Statement + +Retain audit records for organization-defined time period consistent with records retention policy to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. + +## Control Control Guidance + +Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention. ______________________________________________________________________ -## au-11 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control au-11 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/au/au-12.md b/ssp_author_demo/test_system/au/au-12.md index 9b4eaed..5eb54cc 100644 --- a/ssp_author_demo/test_system/au/au-12.md +++ b/ssp_author_demo/test_system/au/au-12.md 
@@ -1,31 +1,45 @@ -# au-12 - Audit and Accountability Audit Record Generation +--- +sort-id: au-12 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# au-12 - \[Audit and Accountability\] Audit Record Generation + +## Control Statement + +- \[a.\] Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on organization-defined system components; + +- \[b.\] Allow organization-defined personnel or roles to select the event types that are to be logged by specific components of the system; and -- \[a.\] Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on \[au-12_prm_1 = organization-defined system components\]; -- \[b.\] Allow \[au-12_prm_2 = organization-defined personnel or roles\] to select the event types that are to be logged by specific components of the system; and - \[c.\] Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3). +## Control Control Guidance + +Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records. + ______________________________________________________________________ -## au-12 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement au-12_smt.a +Add control implementation description here for item au-12_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. 
-Add control implementation description here for statement au-12_smt.b +Add control implementation description here for item au-12_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement au-12_smt.c +Add control implementation description here for item au-12_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/au/au-2.md b/ssp_author_demo/test_system/au/au-2.md index 91ea64f..8ea9d43 100644 --- a/ssp_author_demo/test_system/au/au-2.md +++ b/ssp_author_demo/test_system/au/au-2.md 
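Review bot: the au-12 hunk, like the others, changes `### Part a.` to `## Implementation a.`, which flattens the hierarchy: the per-statement implementation sections were previously nested under `## What is the solution and how is it implemented?` and are now siblings of it at the same level as `## Control Statement` and the guidance section. If the flattening is intentional for the assembler, say so in the commit message; otherwise keep the parts at `###` so the document outline still shows which headings belong to the implementation block.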
@@ -1,45 +1,65 @@ -# au-2 - Audit and Accountability Event Logging +--- +sort-id: au-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# au-2 - \[Audit and Accountability\] Event Logging + +## Control Statement + +- \[a.\] Identify the types of events that the system is capable of logging in support of the audit function: organization-defined event types that the system is capable of logging; -- \[a.\] Identify the types of events that the system is capable of logging in support of the audit function: \[au-2_prm_1 = organization-defined event types that the system is capable of logging\]; - \[b.\] Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; -- \[c.\] Specify the following event types for logging within the system: \[au-2_prm_2 = organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type\]; + +- \[c.\] Specify the following event types for logging within the system: organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type; + - \[d.\] Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and -- \[e.\] Review and update the event types selected for logging \[au-2_prm_3 = organization-defined frequency\]. + +- \[e.\] Review and update the event types selected for logging organization-defined frequency. + +## Control Control Guidance + +An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. 
Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. + +To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage. + +Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. 
These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8), and [SI-10(1)](#si-10.1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures. ______________________________________________________________________ -## au-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement au-2_smt.a +Add control implementation description here for item au-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement au-2_smt.b +Add control implementation description here for item au-2_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. 
-Add control implementation description here for statement au-2_smt.c +Add control implementation description here for item au-2_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement au-2_smt.d +Add control implementation description here for item au-2_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement au-2_smt.e +Add control implementation description here for item au-2_smt.e ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/au/au-3.md b/ssp_author_demo/test_system/au/au-3.md index aafadb7..448e1fb 100644 --- a/ssp_author_demo/test_system/au/au-3.md +++ b/ssp_author_demo/test_system/au/au-3.md 
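Review bot: the au-2 hunk (and the other multi-part hunks) adds two bare `+` lines after `## What is the solution and how is it implemented?`, leaving two empty lines and no prompt before the first `______` separator, whereas the single-part controls (au-4, au-11) get `Add control implementation description here for control ...` in that position. Either emit a placeholder there too or drop the extra blank lines so the generated files are consistent and the pre-commit whitespace hooks do not flag them.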
@@ -1,54 +1,71 @@ -# au-3 - Audit and Accountability Content of Audit Records +--- +sort-id: au-03 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# au-3 - \[Audit and Accountability\] Content of Audit Records -- Ensure that audit records contain information that establishes the following: +## Control Statement - - \[a.\] What type of event occurred; - - \[b.\] When the event occurred; - - \[c.\] Where the event occurred; - - \[d.\] Source of the event; - - \[e.\] Outcome of the event; and - - \[f.\] Identity of any individuals, subjects, or objects/entities associated with the event. +Ensure that audit records contain information that establishes the following: + +- \[a.\] What type of event occurred; + +- \[b.\] When the event occurred; + +- \[c.\] Where the event occurred; + +- \[d.\] Source of the event; + +- \[e.\] Outcome of the event; and + +- \[f.\] Identity of any individuals, subjects, or objects/entities associated with the event. + +## Control Control Guidance + +Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage. ______________________________________________________________________ -## au-3 What is the solution and how is it implemented? 
+## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement au-3_smt.a +Add control implementation description here for item au-3_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement au-3_smt.b +Add control implementation description here for item au-3_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement au-3_smt.c +Add control implementation description here for item au-3_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement au-3_smt.d +Add control implementation description here for item au-3_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement au-3_smt.e +Add control implementation description here for item au-3_smt.e ______________________________________________________________________ -### Part f. +## Implementation f. -Add control implementation description here for statement au-3_smt.f +Add control implementation description here for item au-3_smt.f ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/au/au-4.md b/ssp_author_demo/test_system/au/au-4.md index 9bfa14f..1fde1e9 100644 --- a/ssp_author_demo/test_system/au/au-4.md +++ b/ssp_author_demo/test_system/au/au-4.md 
@@ -1,11 +1,23 @@ -# au-4 - Audit and Accountability Audit Log Storage Capacity +--- +sort-id: au-04 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# au-4 - \[Audit and Accountability\] Audit Log Storage Capacity -- Allocate audit log storage capacity to accommodate \[au-4_prm_1 = organization-defined audit log retention requirements\]. +## Control Statement + +Allocate audit log storage capacity to accommodate organization-defined audit log retention requirements. + +## Control Control Guidance + +Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability. ______________________________________________________________________ -## au-4 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control au-4 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/au/au-5.md b/ssp_author_demo/test_system/au/au-5.md index 39512b0..441e4d3 100644 --- a/ssp_author_demo/test_system/au/au-5.md +++ b/ssp_author_demo/test_system/au/au-5.md 
@@ -1,24 +1,37 @@ -# au-5 - Audit and Accountability Response to Audit Logging Process Failures +--- +sort-id: au-05 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# au-5 - \[Audit and Accountability\] Response to Audit Logging Process Failures -- \[a.\] Alert \[au-5_prm_1 = organization-defined personnel or roles\] within \[au-5_prm_2 = organization-defined time period\] in the event of an audit logging process failure; and -- \[b.\] Take the following additional actions: \[au-5_prm_3 = organization-defined additional actions\]. +## Control Statement + +- \[a.\] Alert organization-defined personnel or roles within organization-defined time period in the event of an audit logging process failure; and + +- \[b.\] Take the following additional actions: organization-defined additional actions. + +## Control Control Guidance + +Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel. ______________________________________________________________________ -## au-5 What is the solution and how is it implemented? 
+## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement au-5_smt.a +Add control implementation description here for item au-5_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement au-5_smt.b +Add control implementation description here for item au-5_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/au/au-6.md b/ssp_author_demo/test_system/au/au-6.md index 71ce677..db0da73 100644 --- a/ssp_author_demo/test_system/au/au-6.md +++ b/ssp_author_demo/test_system/au/au-6.md 
@@ -1,31 +1,45 @@ -# au-6 - Audit and Accountability Audit Record Review, Analysis, and Reporting +--- +sort-id: au-06 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# au-6 - \[Audit and Accountability\] Audit Record Review, Analysis, and Reporting + +## Control Statement + +- \[a.\] Review and analyze system audit records organization-defined frequency for indications of organization-defined inappropriate or unusual activity and the potential impact of the inappropriate or unusual activity; + +- \[b.\] Report findings to organization-defined personnel or roles; and -- \[a.\] Review and analyze system audit records \[au-6_prm_1 = organization-defined frequency\] for indications of \[au-6_prm_2 = organization-defined inappropriate or unusual activity\] and the potential impact of the inappropriate or unusual activity; -- \[b.\] Report findings to \[au-6_prm_3 = organization-defined personnel or roles\]; and - \[c.\] Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. +## Control Control Guidance + +Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. 
If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. + ______________________________________________________________________ -## au-6 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement au-6_smt.a +Add control implementation description here for item au-6_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement au-6_smt.b +Add control implementation description here for item au-6_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement au-6_smt.c +Add control implementation description here for item au-6_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/au/au-8.md b/ssp_author_demo/test_system/au/au-8.md index 2256ff9..9786bcb 100644 --- a/ssp_author_demo/test_system/au/au-8.md +++ b/ssp_author_demo/test_system/au/au-8.md 
@@ -1,24 +1,37 @@ -# au-8 - Audit and Accountability Time Stamps +--- +sort-id: au-08 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# au-8 - \[Audit and Accountability\] Time Stamps + +## Control Statement - \[a.\] Use internal system clocks to generate time stamps for audit records; and -- \[b.\] Record time stamps for audit records that meet \[au-8_prm_1 = organization-defined granularity of time measurement\] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. + +- \[b.\] Record time stamps for audit records that meet organization-defined granularity of time measurement and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. + +## Control Control Guidance + +Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. ______________________________________________________________________ -## au-8 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement au-8_smt.a +Add control implementation description here for item au-8_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement au-8_smt.b +Add control implementation description here for item au-8_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/au/au-9.md b/ssp_author_demo/test_system/au/au-9.md index 8b52549..54d5bbd 100644 --- a/ssp_author_demo/test_system/au/au-9.md +++ b/ssp_author_demo/test_system/au/au-9.md 
@@ -1,24 +1,37 @@ -# au-9 - Audit and Accountability Protection of Audit Information +--- +sort-id: au-09 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# au-9 - \[Audit and Accountability\] Protection of Audit Information + +## Control Statement - \[a.\] Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and -- \[b.\] Alert \[au-9_prm_1 = organization-defined personnel or roles\] upon detection of unauthorized access, modification, or deletion of audit information. + +- \[b.\] Alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. + +## Control Control Guidance + +Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls. ______________________________________________________________________ -## au-9 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement au-9_smt.a +Add control implementation description here for item au-9_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. 
-Add control implementation description here for statement au-9_smt.b +Add control implementation description here for item au-9_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ca/ca-1.md b/ssp_author_demo/test_system/ca/ca-1.md index efc34cc..016d5be 100644 --- a/ssp_author_demo/test_system/ca/ca-1.md +++ b/ssp_author_demo/test_system/ca/ca-1.md 
@@ -1,43 +1,55 @@ -# ca-1 - Assessment, Authorization, and Monitoring Policy and Procedures +--- +sort-id: ca-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ca-1 - \[Assessment, Authorization, and Monitoring\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[ca-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[ca-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] assessment, authorization, and monitoring policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level assessment, authorization, and monitoring policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; -- \[b.\] Designate an \[ca-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and - \[c.\] Review and update the current assessment, authorization, and monitoring: - - \[1.\] Policy \[ca-1_prm_4 = organization-defined frequency\] and following \[ca-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[ca-1_prm_6 = organization-defined frequency\] and following \[ca-1_prm_7 = organization-defined events\]. 
+ - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. + +## Control Control Guidance + +Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## ca-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ca-1_smt.a +Add control implementation description here for item ca-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ca-1_smt.b +Add control implementation description here for item ca-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ca-1_smt.c +Add control implementation description here for item ca-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ca/ca-2.md b/ssp_author_demo/test_system/ca/ca-2.md index 4e9903b..fbe4a02 100644 --- a/ssp_author_demo/test_system/ca/ca-2.md +++ b/ssp_author_demo/test_system/ca/ca-2.md @@ -1,6 +1,12 @@ -# ca-2 - Assessment, Authorization, and Monitoring Control Assessments +--- +sort-id: ca-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ca-2 - \[Assessment, Authorization, and Monitoring\] Control Assessments + +## Control Statement - \[a.\] Select the appropriate assessor or assessment team for the type of assessment to be conducted; 
@@ -12,50 +18,64 @@ - \[c.\] Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; -- \[d.\] Assess the controls in the system and its environment of operation \[ca-2_prm_1 = organization-defined frequency\] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; +- \[d.\] Assess the controls in the system and its environment of operation organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; - \[e.\] Produce a control assessment report that document the results of the assessment; and -- \[f.\] Provide the results of the control assessment to \[ca-2_prm_2 = organization-defined individuals or roles\]. +- \[f.\] Provide the results of the control assessment to organization-defined individuals or roles. + +## Control Control Guidance + +Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented. + +Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. 
Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes. + +Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs. + +Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. 
For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives. + +To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2). ______________________________________________________________________ -## ca-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ca-2_smt.a +Add control implementation description here for item ca-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ca-2_smt.b +Add control implementation description here for item ca-2_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. 
-Add control implementation description here for statement ca-2_smt.c +Add control implementation description here for item ca-2_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ca-2_smt.d +Add control implementation description here for item ca-2_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement ca-2_smt.e +Add control implementation description here for item ca-2_smt.e ______________________________________________________________________ -### Part f. +## Implementation f. -Add control implementation description here for statement ca-2_smt.f +Add control implementation description here for item ca-2_smt.f ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ca/ca-3.md b/ssp_author_demo/test_system/ca/ca-3.md index 3f8d6c7..3948b38 100644 --- a/ssp_author_demo/test_system/ca/ca-3.md +++ b/ssp_author_demo/test_system/ca/ca-3.md 
@@ -1,31 +1,47 @@ -# ca-3 - Assessment, Authorization, and Monitoring Information Exchange +--- +sort-id: ca-03 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ca-3 - \[Assessment, Authorization, and Monitoring\] Information Exchange + +## Control Statement + +- \[a.\] Approve and manage the exchange of information between the system and other systems using interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; {{ insert: param, ca-3_prm_2 }} ; -- \[a.\] Approve and manage the exchange of information between the system and other systems using \[ca-3_prm_1 = one-or-more \['interconnection security agreements', 'information exchange security agreements', 'memoranda of understanding or agreement', 'service level agreements', 'user agreements', 'nondisclosure agreements', ' \[ca-3_prm_2 = organization-defined type of agreement\] '\]\]; - \[b.\] Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and -- \[c.\] Review and update the agreements \[ca-3_prm_3 = organization-defined frequency\]. + +- \[c.\] Review and update the agreements organization-defined frequency. + +## Control Control Guidance + +System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. 
Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2), may help to communicate and reduce risk. + +Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). 
Risk considerations include systems that share the same networks. ______________________________________________________________________ -## ca-3 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ca-3_smt.a +Add control implementation description here for item ca-3_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ca-3_smt.b +Add control implementation description here for item ca-3_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ca-3_smt.c +Add control implementation description here for item ca-3_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ca/ca-5.md b/ssp_author_demo/test_system/ca/ca-5.md index 1b374b4..3e1f15e 100644 --- a/ssp_author_demo/test_system/ca/ca-5.md +++ b/ssp_author_demo/test_system/ca/ca-5.md 
@@ -1,24 +1,37 @@ -# ca-5 - Assessment, Authorization, and Monitoring Plan of Action and Milestones +--- +sort-id: ca-05 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ca-5 - \[Assessment, Authorization, and Monitoring\] Plan of Action and Milestones + +## Control Statement - \[a.\] Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and -- \[b.\] Update existing plan of action and milestones \[ca-5_prm_1 = organization-defined frequency\] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. + +- \[b.\] Update existing plan of action and milestones organization-defined frequency based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. + +## Control Control Guidance + +Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB. ______________________________________________________________________ -## ca-5 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ca-5_smt.a +Add control implementation description here for item ca-5_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. 
-Add control implementation description here for statement ca-5_smt.b +Add control implementation description here for item ca-5_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ca/ca-6.md b/ssp_author_demo/test_system/ca/ca-6.md index cd8ae53..d347eb2 100644 --- a/ssp_author_demo/test_system/ca/ca-6.md +++ b/ssp_author_demo/test_system/ca/ca-6.md @@ -1,6 +1,12 @@ -# ca-6 - Assessment, Authorization, and Monitoring Authorization +--- +sort-id: ca-06 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ca-6 - \[Assessment, Authorization, and Monitoring\] Authorization + +## Control Statement - \[a.\] Assign a senior official as the authorizing official for the system; 
@@ -13,40 +19,48 @@ - \[d.\] Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; -- \[e.\] Update the authorizations \[ca-6_prm_1 = organization-defined frequency\]. +- \[e.\] Update the authorizations organization-defined frequency. + +## Control Control Guidance + +Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities. + +Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. 
This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. ______________________________________________________________________ -## ca-6 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ca-6_smt.a +Add control implementation description here for item ca-6_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ca-6_smt.b +Add control implementation description here for item ca-6_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ca-6_smt.c +Add control implementation description here for item ca-6_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ca-6_smt.d +Add control implementation description here for item ca-6_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement ca-6_smt.e +Add control implementation description here for item ca-6_smt.e ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ca/ca-7.4.md b/ssp_author_demo/test_system/ca/ca-7.4.md index b6f63ae..82d8595 100644 
--- a/ssp_author_demo/test_system/ca/ca-7.4.md +++ b/ssp_author_demo/test_system/ca/ca-7.4.md 
@@ -1,33 +1,47 @@ -# ca-7.4 - Assessment, Authorization, and Monitoring Risk Monitoring +--- +sort-id: ca-07.04 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ca-7.4 - \[Assessment, Authorization, and Monitoring\] Risk Monitoring -- Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: +## Control Statement - - \[(a)\] Effectiveness monitoring; - - \[(b)\] Compliance monitoring; and - - \[(c)\] Change monitoring. +Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: + +- \[(a)\] Effectiveness monitoring; + +- \[(b)\] Compliance monitoring; and + +- \[(c)\] Change monitoring. + +## Control Control Guidance + +Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk. ______________________________________________________________________ -## ca-7.4 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part (a) +## Implementation (a) -Add control implementation description here for statement ca-7.4_smt.a +Add control implementation description here for item ca-7.4_smt.a ______________________________________________________________________ -### Part (b) +## Implementation (b) -Add control implementation description here for statement ca-7.4_smt.b +Add control implementation description here for item ca-7.4_smt.b ______________________________________________________________________ -### Part (c) +## Implementation (c) -Add control implementation description here for statement ca-7.4_smt.c +Add control implementation description here for item ca-7.4_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ca/ca-7.md b/ssp_author_demo/test_system/ca/ca-7.md index c82a0ee..0e77873 100644 --- a/ssp_author_demo/test_system/ca/ca-7.md +++ b/ssp_author_demo/test_system/ca/ca-7.md 
@@ -1,61 +1,81 @@ -# ca-7 - Assessment, Authorization, and Monitoring Continuous Monitoring +--- +sort-id: ca-07 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ca-7 - \[Assessment, Authorization, and Monitoring\] Continuous Monitoring -- Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: +## Control Statement - - \[a.\] Establishing the following system-level metrics to be monitored: \[ca-7_prm_1 = organization-defined system-level metrics\]; - - \[b.\] Establishing \[ca-7_prm_2 = organization-defined frequencies\] for monitoring and \[ca-7_prm_3 = organization-defined frequencies\] for assessment of control effectiveness; - - \[c.\] Ongoing control assessments in accordance with the continuous monitoring strategy; - - \[d.\] Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; - - \[e.\] Correlation and analysis of information generated by control assessments and monitoring; - - \[f.\] Response actions to address results of the analysis of control assessment and monitoring information; and - - \[g.\] Reporting the security and privacy status of the system to \[ca-7_prm_4 = organization-defined personnel or roles\] \[ca-7_prm_5 = organization-defined frequency\]. 
+Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: + +- \[a.\] Establishing the following system-level metrics to be monitored: organization-defined system-level metrics; + +- \[b.\] Establishing organization-defined frequencies for monitoring and organization-defined frequencies for assessment of control effectiveness; + +- \[c.\] Ongoing control assessments in accordance with the continuous monitoring strategy; + +- \[d.\] Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; + +- \[e.\] Correlation and analysis of information generated by control assessments and monitoring; + +- \[f.\] Response actions to address results of the analysis of control assessment and monitoring information; and + +- \[g.\] Reporting the security and privacy status of the system to organization-defined personnel or roles organization-defined frequency. + +## Control Control Guidance + +Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms "continuous" and "ongoing" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. 
Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions. + +Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b), and [SI-4](#si-4). ______________________________________________________________________ -## ca-7 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement ca-7_smt.a +Add control implementation description here for item ca-7_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ca-7_smt.b +Add control implementation description here for item ca-7_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ca-7_smt.c +Add control implementation description here for item ca-7_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ca-7_smt.d +Add control implementation description here for item ca-7_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement ca-7_smt.e +Add control implementation description here for item ca-7_smt.e ______________________________________________________________________ -### Part f. +## Implementation f. -Add control implementation description here for statement ca-7_smt.f +Add control implementation description here for item ca-7_smt.f ______________________________________________________________________ -### Part g. +## Implementation g. -Add control implementation description here for statement ca-7_smt.g +Add control implementation description here for item ca-7_smt.g ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ca/ca-9.md b/ssp_author_demo/test_system/ca/ca-9.md index 500f6e5..42a11ca 100644 --- a/ssp_author_demo/test_system/ca/ca-9.md +++ b/ssp_author_demo/test_system/ca/ca-9.md 
@@ -1,38 +1,53 @@ -# ca-9 - Assessment, Authorization, and Monitoring Internal System Connections +--- +sort-id: ca-09 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ca-9 - \[Assessment, Authorization, and Monitoring\] Internal System Connections + +## Control Statement + +- \[a.\] Authorize internal connections of organization-defined system components or classes of components to the system; -- \[a.\] Authorize internal connections of \[ca-9_prm_1 = organization-defined system components or classes of components\] to the system; - \[b.\] Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; -- \[c.\] Terminate internal system connections after \[ca-9_prm_2 = organization-defined conditions\]; and -- \[d.\] Review \[ca-9_prm_3 = organization-defined frequency\] the continued need for each internal connection. + +- \[c.\] Terminate internal system connections after organization-defined conditions; and + +- \[d.\] Review organization-defined frequency the continued need for each internal connection. + +## Control Control Guidance + +Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. 
The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions. ______________________________________________________________________ -## ca-9 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ca-9_smt.a +Add control implementation description here for item ca-9_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ca-9_smt.b +Add control implementation description here for item ca-9_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ca-9_smt.c +Add control implementation description here for item ca-9_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ca-9_smt.d +Add control implementation description here for item ca-9_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/cm/cm-1.md b/ssp_author_demo/test_system/cm/cm-1.md index 0b83700..e916abb 100644 --- a/ssp_author_demo/test_system/cm/cm-1.md +++ b/ssp_author_demo/test_system/cm/cm-1.md 
@@ -1,43 +1,55 @@ -# cm-1 - Configuration Management Policy and Procedures +--- +sort-id: cm-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cm-1 - \[Configuration Management\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[cm-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[cm-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] configuration management policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level configuration management policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; -- \[b.\] Designate an \[cm-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the configuration management policy and procedures; and - \[c.\] Review and update the current configuration management: - - \[1.\] Policy \[cm-1_prm_4 = organization-defined frequency\] and following \[cm-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[cm-1_prm_6 = organization-defined frequency\] and following \[cm-1_prm_7 = organization-defined events\]. 
+ - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. + +## Control Control Guidance + +Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## cm-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement cm-1_smt.a +Add control implementation description here for item cm-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement cm-1_smt.b +Add control implementation description here for item cm-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement cm-1_smt.c +Add control implementation description here for item cm-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/cm/cm-10.md b/ssp_author_demo/test_system/cm/cm-10.md index 6c2de0e..dac7ea9 100644 --- a/ssp_author_demo/test_system/cm/cm-10.md +++ b/ssp_author_demo/test_system/cm/cm-10.md 
@@ -1,31 +1,45 @@ -# cm-10 - Configuration Management Software Usage Restrictions +--- +sort-id: cm-10 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cm-10 - \[Configuration Management\] Software Usage Restrictions + +## Control Statement - \[a.\] Use software and associated documentation in accordance with contract agreements and copyright laws; + - \[b.\] Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and + - \[c.\] Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. +## Control Control Guidance + +Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements. + ______________________________________________________________________ -## cm-10 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement cm-10_smt.a +Add control implementation description here for item cm-10_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement cm-10_smt.b +Add control implementation description here for item cm-10_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement cm-10_smt.c +Add control implementation description here for item cm-10_smt.c ______________________________________________________________________ 
diff --git a/ssp_author_demo/test_system/cm/cm-11.md b/ssp_author_demo/test_system/cm/cm-11.md index f450eeb..2483039 100644 --- a/ssp_author_demo/test_system/cm/cm-11.md +++ b/ssp_author_demo/test_system/cm/cm-11.md 
@@ -1,31 +1,45 @@ -# cm-11 - Configuration Management User-installed Software +--- +sort-id: cm-11 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cm-11 - \[Configuration Management\] User-installed Software -- \[a.\] Establish \[cm-11_prm_1 = organization-defined policies\] governing the installation of software by users; -- \[b.\] Enforce software installation policies through the following methods: \[cm-11_prm_2 = organization-defined methods\]; and -- \[c.\] Monitor policy compliance \[cm-11_prm_3 = organization-defined frequency\]. +## Control Statement + +- \[a.\] Establish organization-defined policies governing the installation of software by users; + +- \[b.\] Enforce software installation policies through the following methods: organization-defined methods; and + +- \[c.\] Monitor policy compliance organization-defined frequency. + +## Control Control Guidance + +If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved "app stores." Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods. ______________________________________________________________________ -## cm-11 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement cm-11_smt.a +Add control implementation description here for item cm-11_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement cm-11_smt.b +Add control implementation description here for item cm-11_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement cm-11_smt.c +Add control implementation description here for item cm-11_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/cm/cm-2.md b/ssp_author_demo/test_system/cm/cm-2.md index b61dcaf..5b437de 100644 --- a/ssp_author_demo/test_system/cm/cm-2.md +++ b/ssp_author_demo/test_system/cm/cm-2.md 
@@ -1,29 +1,41 @@ -# cm-2 - Configuration Management Baseline Configuration +--- +sort-id: cm-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cm-2 - \[Configuration Management\] Baseline Configuration + +## Control Statement - \[a.\] Develop, document, and maintain under configuration control, a current baseline configuration of the system; and - \[b.\] Review and update the baseline configuration of the system: - - \[1.\] \[cm-2_prm_1 = organization-defined frequency\]; - - \[2.\] When required due to \[cm-2_prm_2 = organization-defined circumstances\]; and + - \[1.\] organization-defined frequency; + - \[2.\] When required due to organization-defined circumstances; and - \[3.\] When system components are installed or upgraded. +## Control Control Guidance + +Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture. + ______________________________________________________________________ -## cm-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement cm-2_smt.a +Add control implementation description here for item cm-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement cm-2_smt.b +Add control implementation description here for item cm-2_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/cm/cm-4.md b/ssp_author_demo/test_system/cm/cm-4.md index 69242e0..96ec5cb 100644 --- a/ssp_author_demo/test_system/cm/cm-4.md +++ b/ssp_author_demo/test_system/cm/cm-4.md 
@@ -1,11 +1,23 @@ -# cm-4 - Configuration Management Impact Analyses +--- +sort-id: cm-04 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cm-4 - \[Configuration Management\] Impact Analyses -- Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. +## Control Statement + +Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. + +## Control Control Guidance + +Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required. ______________________________________________________________________ -## cm-4 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control cm-4 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/cm/cm-5.md b/ssp_author_demo/test_system/cm/cm-5.md index 04e2cfa..48a4848 100644 --- a/ssp_author_demo/test_system/cm/cm-5.md +++ b/ssp_author_demo/test_system/cm/cm-5.md 
@@ -1,11 +1,23 @@ -# cm-5 - Configuration Management Access Restrictions for Change +--- +sort-id: cm-05 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cm-5 - \[Configuration Management\] Access Restrictions for Change -- Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. +## Control Statement + +Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. + +## Control Control Guidance + +Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3)), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times). ______________________________________________________________________ -## cm-5 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control cm-5 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/cm/cm-6.md b/ssp_author_demo/test_system/cm/cm-6.md index 4fc3f26..d734616 100644 --- a/ssp_author_demo/test_system/cm/cm-6.md +++ b/ssp_author_demo/test_system/cm/cm-6.md 
@@ -1,38 +1,57 @@ -# cm-6 - Configuration Management Configuration Settings +--- +sort-id: cm-06 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cm-6 - \[Configuration Management\] Configuration Settings + +## Control Statement + +- \[a.\] Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using organization-defined common secure configurations; -- \[a.\] Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using \[cm-6_prm_1 = organization-defined common secure configurations\]; - \[b.\] Implement the configuration settings; -- \[c.\] Identify, document, and approve any deviations from established configuration settings for \[cm-6_prm_2 = organization-defined system components\] based on \[cm-6_prm_3 = organization-defined operational requirements\]; and + +- \[c.\] Identify, document, and approve any deviations from established configuration settings for organization-defined system components based on organization-defined operational requirements; and + - \[d.\] Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. +## Control Control Guidance + +Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. 
Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. + +Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors. + +Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7). 
The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings. + ______________________________________________________________________ -## cm-6 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement cm-6_smt.a +Add control implementation description here for item cm-6_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement cm-6_smt.b +Add control implementation description here for item cm-6_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement cm-6_smt.c +Add control implementation description here for item cm-6_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement cm-6_smt.d +Add control implementation description here for item cm-6_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/cm/cm-7.md b/ssp_author_demo/test_system/cm/cm-7.md index 9815d00..19eb1ad 100644 --- a/ssp_author_demo/test_system/cm/cm-7.md +++ b/ssp_author_demo/test_system/cm/cm-7.md 
@@ -1,24 +1,37 @@ -# cm-7 - Configuration Management Least Functionality +--- +sort-id: cm-07 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cm-7 - \[Configuration Management\] Least Functionality -- \[a.\] Configure the system to provide only \[cm-7_prm_1 = organization-defined mission essential capabilities\]; and -- \[b.\] Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: \[cm-7_prm_2 = organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services\]. +## Control Statement + +- \[a.\] Configure the system to provide only organization-defined mission essential capabilities; and + +- \[b.\] Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services. + +## Control Control Guidance + +Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. 
Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2), and [SC-3](#sc-3)). ______________________________________________________________________ -## cm-7 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement cm-7_smt.a +Add control implementation description here for item cm-7_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement cm-7_smt.b +Add control implementation description here for item cm-7_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/cm/cm-8.md b/ssp_author_demo/test_system/cm/cm-8.md index a3a461d..d4b286f 100644 --- a/ssp_author_demo/test_system/cm/cm-8.md +++ b/ssp_author_demo/test_system/cm/cm-8.md @@ -1,6 +1,12 @@ -# cm-8 - Configuration Management System Component Inventory +--- +sort-id: cm-08 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cm-8 - \[Configuration Management\] System Component Inventory + +## Control Statement - \[a.\] Develop and document an inventory of system components that: 
@@ -8,24 +14,32 @@ - \[2.\] Includes all components within the system; - \[3.\] Does not include duplicate accounting of components or components assigned to any other system; - \[4.\] Is at the level of granularity deemed necessary for tracking and reporting; and - - \[5.\] Includes the following information to achieve system component accountability: \[cm-8_prm_1 = organization-defined information deemed necessary to achieve effective system component accountability\]; and + - \[5.\] Includes the following information to achieve system component accountability: organization-defined information deemed necessary to achieve effective system component accountability; and + +- \[b.\] Review and update the system component inventory organization-defined frequency. + +## Control Control Guidance -- \[b.\] Review and update the system component inventory \[cm-8_prm_2 = organization-defined frequency\]. +System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location. 
+ +Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components. ______________________________________________________________________ -## cm-8 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement cm-8_smt.a +Add control implementation description here for item cm-8_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement cm-8_smt.b +Add control implementation description here for item cm-8_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/cp/cp-1.md b/ssp_author_demo/test_system/cp/cp-1.md index cffb872..3e0a055 100644 
--- a/ssp_author_demo/test_system/cp/cp-1.md +++ b/ssp_author_demo/test_system/cp/cp-1.md 
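Review bot: the new `## Control Control Guidance` heading in cm-7.md doubles the word because the front matter declares `guidance: Control Guidance` and the section writer prefixes that title with `Control `; either change the front-matter title to `Guidance` or drop the prefix in the writer. The doubled heading appears in every file touched by this patch, so fix it in the generator rather than per file. Separately, `[SA-8](#sa-8)`, `[SC-2](#sc-2)` and `[SC-3](#sc-3)` in the guidance paragraph are fragment links that only resolve inside a single-document catalog rendering; in a standalone `cm-7.md` under `test_system/cm/` they have no target and render as dead links.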
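Review bot: in cm-8.md, dropping the `\[cm-8_prm_2 = ...\]` wrapper turns `Review and update the system component inventory organization-defined frequency.` into a sentence with no visible cue that a value is still unfilled, and it also removes the only identifier tying the phrase back to `cm-8_prm_2` in the profile; with more than one `organization-defined ...` phrase per control (item 5 and item b here) an author filling in values can no longer tell which parameter is which. Consider keeping a delimiter around unresolved parameters (brackets or italics) plus the param id in an HTML comment, or resolve the values from the profile before emitting the markdown.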
@@ -1,43 +1,55 @@ -# cp-1 - Contingency Planning Policy and Procedures +--- +sort-id: cp-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cp-1 - \[Contingency Planning\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[cp-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[cp-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] contingency planning policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level contingency planning policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; -- \[b.\] Designate an \[cp-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and - \[c.\] Review and update the current contingency planning: - - \[1.\] Policy \[cp-1_prm_4 = organization-defined frequency\] and following \[cp-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[cp-1_prm_6 = organization-defined frequency\] and following \[cp-1_prm_7 = organization-defined events\]. + - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. 
+ +## Control Control Guidance + +Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## cp-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement cp-1_smt.a +Add control implementation description here for item cp-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement cp-1_smt.b +Add control implementation description here for item cp-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement cp-1_smt.c +Add control implementation description here for item cp-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/cp/cp-10.md b/ssp_author_demo/test_system/cp/cp-10.md index c9e1052..c19edc9 100644 --- a/ssp_author_demo/test_system/cp/cp-10.md +++ b/ssp_author_demo/test_system/cp/cp-10.md 
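Review bot: the selection parameter is flattened incorrectly in cp-1.md: `\[cp-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\]` becomes `Organization-level; Mission/business process-level; System-level contingency planning policy`, which reads as a fixed list of all three levels rather than a one-or-more choice. Render selections with the choice preserved (for example `Selection (one or more): Organization-level; Mission/business process-level; System-level`) so the author knows a pick is still required. ia-1.md later in this patch has the same flattening.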
@@ -1,11 +1,23 @@ -# cp-10 - Contingency Planning System Recovery and Reconstitution +--- +sort-id: cp-10 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cp-10 - \[Contingency Planning\] System Recovery and Reconstitution -- Provide for the recovery and reconstitution of the system to a known state within \[cp-10_prm_1 = organization-defined time period consistent with recovery time and recovery point objectives\] after a disruption, compromise, or failure. +## Control Statement + +Provide for the recovery and reconstitution of the system to a known state within organization-defined time period consistent with recovery time and recovery point objectives after a disruption, compromise, or failure. + +## Control Control Guidance + +Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning. ______________________________________________________________________ -## cp-10 What is the solution and how is it implemented? 
+## What is the solution and how is it implemented? + +Add control implementation description here for control cp-10 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/cp/cp-2.md b/ssp_author_demo/test_system/cp/cp-2.md index 519c2b4..a88d7b1 100644 --- a/ssp_author_demo/test_system/cp/cp-2.md +++ b/ssp_author_demo/test_system/cp/cp-2.md @@ -1,6 +1,12 @@ -# cp-2 - Contingency Planning Contingency Plan +--- +sort-id: cp-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cp-2 - \[Contingency Planning\] Contingency Plan + +## Control Statement - \[a.\] Develop a contingency plan for the system that: 
@@ -10,72 +16,80 @@ - \[4.\] Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; - \[5.\] Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; - \[6.\] Addresses the sharing of contingency information; and - - \[7.\] Is reviewed and approved by \[cp-2_prm_1 = organization-defined personnel or roles\]; + - \[7.\] Is reviewed and approved by organization-defined personnel or roles; -- \[b.\] Distribute copies of the contingency plan to \[cp-2_prm_2 = organization-defined key contingency personnel (identified by name and/or by role) and organizational elements\]; +- \[b.\] Distribute copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements; - \[c.\] Coordinate contingency planning activities with incident handling activities; -- \[d.\] Review the contingency plan for the system \[cp-2_prm_3 = organization-defined frequency\]; +- \[d.\] Review the contingency plan for the system organization-defined frequency; - \[e.\] Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; -- \[f.\] Communicate contingency plan changes to \[cp-2_prm_4 = organization-defined key contingency personnel (identified by name and/or by role) and organizational elements\]; +- \[f.\] Communicate contingency plan changes to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements; - \[g.\] Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and - \[h.\] Protect the contingency plan from unauthorized disclosure and modification. 
+## Control Control Guidance + +Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level. + +Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5). Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family. + ______________________________________________________________________ -## cp-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement cp-2_smt.a +Add control implementation description here for item cp-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement cp-2_smt.b +Add control implementation description here for item cp-2_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement cp-2_smt.c +Add control implementation description here for item cp-2_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement cp-2_smt.d +Add control implementation description here for item cp-2_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement cp-2_smt.e +Add control implementation description here for item cp-2_smt.e ______________________________________________________________________ -### Part f. +## Implementation f. -Add control implementation description here for statement cp-2_smt.f +Add control implementation description here for item cp-2_smt.f ______________________________________________________________________ -### Part g. +## Implementation g. -Add control implementation description here for statement cp-2_smt.g +Add control implementation description here for item cp-2_smt.g ______________________________________________________________________ -### Part h. +## Implementation h. -Add control implementation description here for statement cp-2_smt.h +Add control implementation description here for item cp-2_smt.h ______________________________________________________________________ 
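Review bot: in cp-10.md the single-statement control gets `Add control implementation description here for control cp-10` directly under `## What is the solution and how is it implemented?`, while the multi-part controls in this patch (cm-6 through cp-2) leave that section with only two blank lines and put their placeholders under the `## Implementation x.` headings. Two shapes for the same section should be documented, and a short comment or placeholder in the empty case would make clear whether an author is expected to write anything there at all.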
diff --git a/ssp_author_demo/test_system/cp/cp-3.md b/ssp_author_demo/test_system/cp/cp-3.md index 6958a08..50b0018 100644 --- a/ssp_author_demo/test_system/cp/cp-3.md +++ b/ssp_author_demo/test_system/cp/cp-3.md 
@@ -1,29 +1,41 @@ -# cp-3 - Contingency Planning Contingency Training +--- +sort-id: cp-03 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cp-3 - \[Contingency Planning\] Contingency Training + +## Control Statement - \[a.\] Provide contingency training to system users consistent with assigned roles and responsibilities: - - \[1.\] Within \[cp-3_prm_1 = organization-defined time period\] of assuming a contingency role or responsibility; + - \[1.\] Within organization-defined time period of assuming a contingency role or responsibility; - \[2.\] When required by system changes; and - - \[3.\] \[cp-3_prm_2 = organization-defined frequency\] thereafter; and + - \[3.\] organization-defined frequency thereafter; and + +- \[b.\] Review and update contingency training content organization-defined frequency and following organization-defined events. -- \[b.\] Review and update contingency training content \[cp-3_prm_3 = organization-defined frequency\] and following \[cp-3_prm_4 = organization-defined events\]. +## Control Control Guidance + +Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. 
Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements. ______________________________________________________________________ -## cp-3 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement cp-3_smt.a +Add control implementation description here for item cp-3_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement cp-3_smt.b +Add control implementation description here for item cp-3_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/cp/cp-4.md b/ssp_author_demo/test_system/cp/cp-4.md index e9d468c..a7e8e99 100644 --- a/ssp_author_demo/test_system/cp/cp-4.md +++ b/ssp_author_demo/test_system/cp/cp-4.md 
@@ -1,31 +1,45 @@ -# cp-4 - Contingency Planning Contingency Plan Testing +--- +sort-id: cp-04 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cp-4 - \[Contingency Planning\] Contingency Plan Testing + +## Control Statement + +- \[a.\] Test the contingency plan for the system organization-defined frequency using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: organization-defined tests. -- \[a.\] Test the contingency plan for the system \[cp-4_prm_1 = organization-defined frequency\] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: \[cp-4_prm_2 = organization-defined tests\]. - \[b.\] Review the contingency plan test results; and + - \[c.\] Initiate corrective actions, if needed. +## Control Control Guidance + +Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. + ______________________________________________________________________ -## cp-4 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement cp-4_smt.a +Add control implementation description here for item cp-4_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. 
-Add control implementation description here for statement cp-4_smt.b +Add control implementation description here for item cp-4_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement cp-4_smt.c +Add control implementation description here for item cp-4_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/cp/cp-9.md b/ssp_author_demo/test_system/cp/cp-9.md index 0bee06a..02c7ecd 100644 --- a/ssp_author_demo/test_system/cp/cp-9.md +++ b/ssp_author_demo/test_system/cp/cp-9.md 
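Review bot: the `## Control Statement` list in cp-4.md ends up with mixed spacing: the re-emitted `- \[a.\]` line sits directly above the context line `- \[b.\] Review the contingency plan test results; and`, and then a `+` blank line is inserted before `- \[c.\] Initiate corrective actions, if needed.` Markdown treats a list with blank lines between some items as loose, so a, b and c will not render uniformly. cp-9.md shows the reverse (blank lines after a and b, none between c and d). Have the generator emit one separator consistently between items.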
@@ -1,38 +1,53 @@ -# cp-9 - Contingency Planning System Backup +--- +sort-id: cp-09 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# cp-9 - \[Contingency Planning\] System Backup + +## Control Statement + +- \[a.\] Conduct backups of user-level information contained in organization-defined system components organization-defined frequency consistent with recovery time and recovery point objectives; + +- \[b.\] Conduct backups of system-level information contained in the system organization-defined frequency consistent with recovery time and recovery point objectives; + +- \[c.\] Conduct backups of system documentation, including security- and privacy-related documentation organization-defined frequency consistent with recovery time and recovery point objectives; and -- \[a.\] Conduct backups of user-level information contained in \[cp-9_prm_1 = organization-defined system components\] \[cp-9_prm_2 = organization-defined frequency consistent with recovery time and recovery point objectives\]; -- \[b.\] Conduct backups of system-level information contained in the system \[cp-9_prm_3 = organization-defined frequency consistent with recovery time and recovery point objectives\]; -- \[c.\] Conduct backups of system documentation, including security- and privacy-related documentation \[cp-9_prm_4 = organization-defined frequency consistent with recovery time and recovery point objectives\]; and - \[d.\] Protect the confidentiality, integrity, and availability of backup information. +## Control Control Guidance + +System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. 
Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8). System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements. + ______________________________________________________________________ -## cp-9 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement cp-9_smt.a +Add control implementation description here for item cp-9_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement cp-9_smt.b +Add control implementation description here for item cp-9_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement cp-9_smt.c +Add control implementation description here for item cp-9_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement cp-9_smt.d +Add control implementation description here for item cp-9_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-1.md b/ssp_author_demo/test_system/ia/ia-1.md index 4e1c06a..d806aa5 100644 --- a/ssp_author_demo/test_system/ia/ia-1.md +++ b/ssp_author_demo/test_system/ia/ia-1.md 
@@ -1,43 +1,55 @@ -# ia-1 - Identification and Authentication Policy and Procedures +--- +sort-id: ia-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-1 - \[Identification and Authentication\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[ia-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[ia-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] identification and authentication policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level identification and authentication policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls; -- \[b.\] Designate an \[ia-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and - \[c.\] Review and update the current identification and authentication: - - \[1.\] Policy \[ia-1_prm_4 = organization-defined frequency\] and following \[ia-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[ia-1_prm_6 = organization-defined frequency\] and following \[ia-1_prm_7 = organization-defined events\]. 
+ - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. + +## Control Control Guidance + +Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## ia-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ia-1_smt.a +Add control implementation description here for item ia-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ia-1_smt.b +Add control implementation description here for item ia-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ia-1_smt.c +Add control implementation description here for item ia-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-11.md b/ssp_author_demo/test_system/ia/ia-11.md index 8dd633f..daf9f12 100644 --- a/ssp_author_demo/test_system/ia/ia-11.md +++ b/ssp_author_demo/test_system/ia/ia-11.md 
@@ -1,11 +1,23 @@ -# ia-11 - Identification and Authentication Re-authentication +--- +sort-id: ia-11 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-11 - \[Identification and Authentication\] Re-authentication -- Require users to re-authenticate when \[ia-11_prm_1 = organization-defined circumstances or situations requiring re-authentication\]. +## Control Statement + +Require users to re-authenticate when organization-defined circumstances or situations requiring re-authentication. + +## Control Control Guidance + +In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically. ______________________________________________________________________ -## ia-11 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ia-11 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-2.1.md b/ssp_author_demo/test_system/ia/ia-2.1.md index 3878a29..c613cb6 100644 --- a/ssp_author_demo/test_system/ia/ia-2.1.md +++ b/ssp_author_demo/test_system/ia/ia-2.1.md 
@@ -1,11 +1,23 @@ -# ia-2.1 - Identification and Authentication Multi-factor Authentication to Privileged Accounts +--- +sort-id: ia-02.01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-2.1 - \[Identification and Authentication\] Multi-factor Authentication to Privileged Accounts -- Implement multi-factor authentication for access to privileged accounts. +## Control Statement + +Implement multi-factor authentication for access to privileged accounts. + +## Control Control Guidance + +Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number \[PIN\]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access. ______________________________________________________________________ -## ia-2.1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ +Add control implementation description here for control ia-2.1 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-2.12.md b/ssp_author_demo/test_system/ia/ia-2.12.md index a3dc5bf..32e07ef 100644 --- a/ssp_author_demo/test_system/ia/ia-2.12.md +++ b/ssp_author_demo/test_system/ia/ia-2.12.md @@ -1,11 +1,23 @@ -# ia-2.12 - Identification and Authentication Acceptance of PIV Credentials +--- +sort-id: ia-02.12 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-2.12 - \[Identification and Authentication\] Acceptance of PIV Credentials -- Accept and electronically verify Personal Identity Verification-compliant credentials. +## Control Statement + +Accept and electronically verify Personal Identity Verification-compliant credentials. + +## Control Control Guidance + +Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03). Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c). The DOD Common Access Card (CAC) is an example of a PIV credential. ______________________________________________________________________ -## ia-2.12 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ia-2.12 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-2.2.md b/ssp_author_demo/test_system/ia/ia-2.2.md index 7b80237..5073b82 100644 
--- a/ssp_author_demo/test_system/ia/ia-2.2.md +++ b/ssp_author_demo/test_system/ia/ia-2.2.md 
@@ -1,11 +1,23 @@ -# ia-2.2 - Identification and Authentication Multi-factor Authentication to Non-privileged Accounts +--- +sort-id: ia-02.02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-2.2 - \[Identification and Authentication\] Multi-factor Authentication to Non-privileged Accounts -- Implement multi-factor authentication for access to non-privileged accounts. +## Control Statement + +Implement multi-factor authentication for access to non-privileged accounts. + +## Control Control Guidance + +Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number \[PIN\]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access. ______________________________________________________________________ -## ia-2.2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ +Add control implementation description here for control ia-2.2 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-2.8.md b/ssp_author_demo/test_system/ia/ia-2.8.md index 28edf0c..2e6de55 100644 --- a/ssp_author_demo/test_system/ia/ia-2.8.md +++ b/ssp_author_demo/test_system/ia/ia-2.8.md @@ -1,11 +1,23 @@ -# ia-2.8 - Identification and Authentication Access to Accounts — Replay Resistant +--- +sort-id: ia-02.08 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-2.8 - \[Identification and Authentication\] Access to Accounts — Replay Resistant -- Implement replay-resistant authentication mechanisms for access to \[ia-2.8_prm_1 = one-or-more \['privileged accounts', 'non-privileged accounts'\]\]. +## Control Statement + +Implement replay-resistant authentication mechanisms for access to privileged accounts; non-privileged accounts. + +## Control Control Guidance + +Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators. ______________________________________________________________________ -## ia-2.8 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ia-2.8 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-2.md b/ssp_author_demo/test_system/ia/ia-2.md index 78011a9..07f2aeb 100644 --- a/ssp_author_demo/test_system/ia/ia-2.md +++ b/ssp_author_demo/test_system/ia/ia-2.md 
@@ -1,11 +1,27 @@ -# ia-2 - Identification and Authentication Identification and Authentication (organizational Users) +--- +sort-id: ia-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-2 - \[Identification and Authentication\] Identification and Authentication (organizational Users) -- Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. +## Control Statement + +Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. + +## Control Control Guidance + +Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0). Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. + +Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. 
Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks. + +The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8). ______________________________________________________________________ -## ia-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ia-2 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-4.md b/ssp_author_demo/test_system/ia/ia-4.md index 4e652fc..9b8a3e7 100644 --- a/ssp_author_demo/test_system/ia/ia-4.md +++ b/ssp_author_demo/test_system/ia/ia-4.md 
@@ -1,40 +1,55 @@ -# ia-4 - Identification and Authentication Identifier Management +--- +sort-id: ia-04 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-4 - \[Identification and Authentication\] Identifier Management -- Manage system identifiers by: +## Control Statement - - \[a.\] Receiving authorization from \[ia-4_prm_1 = organization-defined personnel or roles\] to assign an individual, group, role, service, or device identifier; - - \[b.\] Selecting an identifier that identifies an individual, group, role, service, or device; - - \[c.\] Assigning the identifier to the intended individual, group, role, service, or device; and - - \[d.\] Preventing reuse of identifiers for \[ia-4_prm_2 = organization-defined time period\]. +Manage system identifiers by: + +- \[a.\] Receiving authorization from organization-defined personnel or roles to assign an individual, group, role, service, or device identifier; + +- \[b.\] Selecting an identifier that identifies an individual, group, role, service, or device; + +- \[c.\] Assigning the identifier to the intended individual, group, role, service, or device; and + +- \[d.\] Preventing reuse of identifiers for organization-defined time period. + +## Control Control Guidance + +Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4). Identifier management also addresses individual identifiers not necessarily associated with system accounts. 
Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices. ______________________________________________________________________ -## ia-4 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ia-4_smt.a +Add control implementation description here for item ia-4_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ia-4_smt.b +Add control implementation description here for item ia-4_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ia-4_smt.c +Add control implementation description here for item ia-4_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ia-4_smt.d +Add control implementation description here for item ia-4_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-5.1.md b/ssp_author_demo/test_system/ia/ia-5.1.md index 56a8dcb..d59d949 100644 --- a/ssp_author_demo/test_system/ia/ia-5.1.md +++ b/ssp_author_demo/test_system/ia/ia-5.1.md 
@@ -1,68 +1,87 @@ -# ia-5.1 - Identification and Authentication Password-based Authentication +--- +sort-id: ia-05.01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-5.1 - \[Identification and Authentication\] Password-based Authentication -- For password-based authentication: +## Control Statement - - \[(a)\] Maintain a list of commonly-used, expected, or compromised passwords and update the list \[ia-5.1_prm_1 = organization-defined frequency\] and when organizational passwords are suspected to have been compromised directly or indirectly; - - \[(b)\] Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); - - \[(c)\] Transmit passwords only over cryptographically-protected channels; - - \[(d)\] Store passwords using an approved salted key derivation function, preferably using a keyed hash; - - \[(e)\] Require immediate selection of a new password upon account recovery; - - \[(f)\] Allow user selection of long passwords and passphrases, including spaces and all printable characters; - - \[(g)\] Employ automated tools to assist the user in selecting strong password authenticators; and - - \[(h)\] Enforce the following composition and complexity rules: \[ia-5.1_prm_2 = organization-defined composition and complexity rules\]. 
+For password-based authentication: + +- \[(a)\] Maintain a list of commonly-used, expected, or compromised passwords and update the list organization-defined frequency and when organizational passwords are suspected to have been compromised directly or indirectly; + +- \[(b)\] Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); + +- \[(c)\] Transmit passwords only over cryptographically-protected channels; + +- \[(d)\] Store passwords using an approved salted key derivation function, preferably using a keyed hash; + +- \[(e)\] Require immediate selection of a new password upon account recovery; + +- \[(f)\] Allow user selection of long passwords and passphrases, including spaces and all printable characters; + +- \[(g)\] Employ automated tools to assist the user in selecting strong password authenticators; and + +- \[(h)\] Enforce the following composition and complexity rules: organization-defined composition and complexity rules. + +## Control Control Guidance + +Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. 
The list includes context-specific words, such as the name of the service, username, and derivatives thereof. ______________________________________________________________________ -## ia-5.1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part (a) +## Implementation (a) -Add control implementation description here for statement ia-5.1_smt.a +Add control implementation description here for item ia-5.1_smt.a ______________________________________________________________________ -### Part (b) +## Implementation (b) -Add control implementation description here for statement ia-5.1_smt.b +Add control implementation description here for item ia-5.1_smt.b ______________________________________________________________________ -### Part (c) +## Implementation (c) -Add control implementation description here for statement ia-5.1_smt.c +Add control implementation description here for item ia-5.1_smt.c ______________________________________________________________________ -### Part (d) +## Implementation (d) -Add control implementation description here for statement ia-5.1_smt.d +Add control implementation description here for item ia-5.1_smt.d ______________________________________________________________________ -### Part (e) +## Implementation (e) -Add control implementation description here for statement ia-5.1_smt.e +Add control implementation description here for item ia-5.1_smt.e ______________________________________________________________________ -### Part (f) +## Implementation (f) -Add control implementation description here for statement ia-5.1_smt.f +Add control implementation description here for item ia-5.1_smt.f ______________________________________________________________________ -### Part (g) +## Implementation (g) -Add control implementation description here for statement ia-5.1_smt.g +Add control implementation description 
here for item ia-5.1_smt.g ______________________________________________________________________ -### Part (h) +## Implementation (h) -Add control implementation description here for statement ia-5.1_smt.h +Add control implementation description here for item ia-5.1_smt.h ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-5.md b/ssp_author_demo/test_system/ia/ia-5.md index 764b4e4..61e634c 100644 --- a/ssp_author_demo/test_system/ia/ia-5.md +++ b/ssp_author_demo/test_system/ia/ia-5.md 
@@ -1,75 +1,97 @@ -# ia-5 - Identification and Authentication Authenticator Management +--- +sort-id: ia-05 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-5 - \[Identification and Authentication\] Authenticator Management -- Manage system authenticators by: +## Control Statement - - \[a.\] Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; - - \[b.\] Establishing initial authenticator content for any authenticators issued by the organization; - - \[c.\] Ensuring that authenticators have sufficient strength of mechanism for their intended use; - - \[d.\] Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; - - \[e.\] Changing default authenticators prior to first use; - - \[f.\] Changing or refreshing authenticators \[ia-5_prm_1 = organization-defined time period by authenticator type\] or when \[ia-5_prm_2 = organization-defined events\] occur; - - \[g.\] Protecting authenticator content from unauthorized disclosure and modification; - - \[h.\] Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and - - \[i.\] Changing authenticators for group or role accounts when membership to those accounts changes. 
+Manage system authenticators by: + +- \[a.\] Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; + +- \[b.\] Establishing initial authenticator content for any authenticators issued by the organization; + +- \[c.\] Ensuring that authenticators have sufficient strength of mechanism for their intended use; + +- \[d.\] Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; + +- \[e.\] Changing default authenticators prior to first use; + +- \[f.\] Changing or refreshing authenticators organization-defined time period by authenticator type or when organization-defined events occur; + +- \[g.\] Protecting authenticator content from unauthorized disclosure and modification; + +- \[h.\] Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and + +- \[i.\] Changing authenticators for group or role accounts when membership to those accounts changes. + +## Control Control Guidance + +Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. 
The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6), and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges. + +Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed. ______________________________________________________________________ -## ia-5 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ia-5_smt.a +Add control implementation description here for item ia-5_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ia-5_smt.b +Add control implementation description here for item ia-5_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. 
-Add control implementation description here for statement ia-5_smt.c +Add control implementation description here for item ia-5_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ia-5_smt.d +Add control implementation description here for item ia-5_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement ia-5_smt.e +Add control implementation description here for item ia-5_smt.e ______________________________________________________________________ -### Part f. +## Implementation f. -Add control implementation description here for statement ia-5_smt.f +Add control implementation description here for item ia-5_smt.f ______________________________________________________________________ -### Part g. +## Implementation g. -Add control implementation description here for statement ia-5_smt.g +Add control implementation description here for item ia-5_smt.g ______________________________________________________________________ -### Part h. +## Implementation h. -Add control implementation description here for statement ia-5_smt.h +Add control implementation description here for item ia-5_smt.h ______________________________________________________________________ -### Part i. +## Implementation i. -Add control implementation description here for statement ia-5_smt.i +Add control implementation description here for item ia-5_smt.i ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-6.md b/ssp_author_demo/test_system/ia/ia-6.md index e2a0de5..2e45306 100644 --- a/ssp_author_demo/test_system/ia/ia-6.md +++ b/ssp_author_demo/test_system/ia/ia-6.md 
@@ -1,11 +1,23 @@ -# ia-6 - Identification and Authentication Authentication Feedback +--- +sort-id: ia-06 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-6 - \[Identification and Authentication\] Authentication Feedback -- Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. +## Control Statement + +Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. + +## Control Control Guidance + +Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it. ______________________________________________________________________ -## ia-6 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ia-6 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-7.md b/ssp_author_demo/test_system/ia/ia-7.md index 6324123..ea73bf6 100644 --- a/ssp_author_demo/test_system/ia/ia-7.md +++ b/ssp_author_demo/test_system/ia/ia-7.md 
@@ -1,11 +1,23 @@ -# ia-7 - Identification and Authentication Cryptographic Module Authentication +--- +sort-id: ia-07 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-7 - \[Identification and Authentication\] Cryptographic Module Authentication -- Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. +## Control Statement + +Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. + +## Control Control Guidance + +Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. ______________________________________________________________________ -## ia-7 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ia-7 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-8.1.md b/ssp_author_demo/test_system/ia/ia-8.1.md index ccbf5f6..b6a4fb0 100644 --- a/ssp_author_demo/test_system/ia/ia-8.1.md +++ b/ssp_author_demo/test_system/ia/ia-8.1.md 
@@ -1,11 +1,23 @@ -# ia-8.1 - Identification and Authentication Acceptance of PIV Credentials from Other Agencies +--- +sort-id: ia-08.01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-8.1 - \[Identification and Authentication\] Acceptance of PIV Credentials from Other Agencies -- Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. +## Control Statement + +Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. + +## Control Control Guidance + +Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03). ______________________________________________________________________ -## ia-8.1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ia-8.1 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-8.2.md b/ssp_author_demo/test_system/ia/ia-8.2.md index 6a6b6d1..a61d6cf 100644 --- a/ssp_author_demo/test_system/ia/ia-8.2.md +++ b/ssp_author_demo/test_system/ia/ia-8.2.md 
@@ -1,24 +1,37 @@ -# ia-8.2 - Identification and Authentication Acceptance of External Authenticators +--- +sort-id: ia-08.02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-8.2 - \[Identification and Authentication\] Acceptance of External Authenticators + +## Control Statement - \[(a)\] Accept only external authenticators that are NIST-compliant; and + - \[(b)\] Document and maintain a list of accepted external authenticators. +## Control Control Guidance + +Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce). Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level. + ______________________________________________________________________ -## ia-8.2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part (a) +## Implementation (a) -Add control implementation description here for statement ia-8.2_smt.a +Add control implementation description here for item ia-8.2_smt.a ______________________________________________________________________ -### Part (b) +## Implementation (b) -Add control implementation description here for statement ia-8.2_smt.b +Add control implementation description here for item ia-8.2_smt.b ______________________________________________________________________ 
diff --git a/ssp_author_demo/test_system/ia/ia-8.4.md b/ssp_author_demo/test_system/ia/ia-8.4.md index c3d7a53..d3274a4 100644 --- a/ssp_author_demo/test_system/ia/ia-8.4.md +++ b/ssp_author_demo/test_system/ia/ia-8.4.md @@ -1,11 +1,23 @@ -# ia-8.4 - Identification and Authentication Use of Defined Profiles +--- +sort-id: ia-08.04 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-8.4 - \[Identification and Authentication\] Use of Defined Profiles -- Conform to the following profiles for identity management \[ia-8.4_prm_1 = organization-defined identity management profiles\]. +## Control Statement + +Conform to the following profiles for identity management organization-defined identity management profiles. + +## Control Control Guidance + +Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. ______________________________________________________________________ -## ia-8.4 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ia-8.4 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ia/ia-8.md b/ssp_author_demo/test_system/ia/ia-8.md index 97b634b..ced7818 100644 --- a/ssp_author_demo/test_system/ia/ia-8.md +++ b/ssp_author_demo/test_system/ia/ia-8.md 
@@ -1,11 +1,23 @@ -# ia-8 - Identification and Authentication Identification and Authentication (non-organizational Users) +--- +sort-id: ia-08 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ia-8 - \[Identification and Authentication\] Identification and Authentication (non-organizational Users) -- Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. +## Control Statement + +Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. + +## Control Control Guidance + +Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2). Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14). Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk. ______________________________________________________________________ -## ia-8 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ia-8 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ir/ir-1.md b/ssp_author_demo/test_system/ir/ir-1.md index 6332613..8c86360 100644 --- a/ssp_author_demo/test_system/ir/ir-1.md +++ b/ssp_author_demo/test_system/ir/ir-1.md 
@@ -1,43 +1,55 @@ -# ir-1 - Incident Response Policy and Procedures +--- +sort-id: ir-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ir-1 - \[Incident Response\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[ir-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[ir-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] incident response policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level incident response policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; -- \[b.\] Designate an \[ir-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the incident response policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the incident response policy and procedures; and - \[c.\] Review and update the current incident response: - - \[1.\] Policy \[ir-1_prm_4 = organization-defined frequency\] and following \[ir-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[ir-1_prm_6 = organization-defined frequency\] and following \[ir-1_prm_7 = organization-defined events\]. + - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. 
+ +## Control Control Guidance + +Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## ir-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement ir-1_smt.a +Add control implementation description here for item ir-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ir-1_smt.b +Add control implementation description here for item ir-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ir-1_smt.c +Add control implementation description here for item ir-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ir/ir-2.md b/ssp_author_demo/test_system/ir/ir-2.md index e13950d..67272d5 100644 --- a/ssp_author_demo/test_system/ir/ir-2.md +++ b/ssp_author_demo/test_system/ir/ir-2.md 
@@ -1,29 +1,41 @@ -# ir-2 - Incident Response Incident Response Training +--- +sort-id: ir-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ir-2 - \[Incident Response\] Incident Response Training + +## Control Statement - \[a.\] Provide incident response training to system users consistent with assigned roles and responsibilities: - - \[1.\] Within \[ir-2_prm_1 = organization-defined time period\] of assuming an incident response role or responsibility or acquiring system access; + - \[1.\] Within organization-defined time period of assuming an incident response role or responsibility or acquiring system access; - \[2.\] When required by system changes; and - - \[3.\] \[ir-2_prm_2 = organization-defined frequency\] thereafter; and + - \[3.\] organization-defined frequency thereafter; and + +- \[b.\] Review and update incident response training content organization-defined frequency and following organization-defined events. -- \[b.\] Review and update incident response training content \[ir-2_prm_3 = organization-defined frequency\] and following \[ir-2_prm_4 = organization-defined events\]. +## Control Control Guidance + +Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3). 
Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. ______________________________________________________________________ -## ir-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ir-2_smt.a +Add control implementation description here for item ir-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ir-2_smt.b +Add control implementation description here for item ir-2_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ir/ir-4.md b/ssp_author_demo/test_system/ir/ir-4.md index 367f703..e7acef6 100644 --- a/ssp_author_demo/test_system/ir/ir-4.md +++ b/ssp_author_demo/test_system/ir/ir-4.md 
@@ -1,38 +1,53 @@ -# ir-4 - Incident Response Incident Handling +--- +sort-id: ir-04 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ir-4 - \[Incident Response\] Incident Handling + +## Control Statement - \[a.\] Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; + - \[b.\] Coordinate incident handling activities with contingency planning activities; + - \[c.\] Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and + - \[d.\] Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. +## Control Control Guidance + +Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive \[function\], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. 
Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. + ______________________________________________________________________ -## ir-4 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ir-4_smt.a +Add control implementation description here for item ir-4_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ir-4_smt.b +Add control implementation description here for item ir-4_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ir-4_smt.c +Add control implementation description here for item ir-4_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ir-4_smt.d +Add control implementation description here for item ir-4_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ir/ir-5.md b/ssp_author_demo/test_system/ir/ir-5.md index fc27bf3..93a0684 100644 --- a/ssp_author_demo/test_system/ir/ir-5.md 
+++ b/ssp_author_demo/test_system/ir/ir-5.md @@ -1,11 +1,23 @@ -# ir-5 - Incident Response Incident Monitoring +--- +sort-id: ir-05 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ir-5 - \[Incident Response\] Incident Monitoring -- Track and document incidents. +## Control Statement + +Track and document incidents. + +## Control Control Guidance + +Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring. ______________________________________________________________________ -## ir-5 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ir-5 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ir/ir-6.md b/ssp_author_demo/test_system/ir/ir-6.md index 0bb0b0a..df9f2b9 100644 --- a/ssp_author_demo/test_system/ir/ir-6.md +++ b/ssp_author_demo/test_system/ir/ir-6.md 
@@ -1,24 +1,37 @@ -# ir-6 - Incident Response Incident Reporting +--- +sort-id: ir-06 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ir-6 - \[Incident Response\] Incident Reporting -- \[a.\] Require personnel to report suspected incidents to the organizational incident response capability within \[ir-6_prm_1 = organization-defined time period\]; and -- \[b.\] Report incident information to \[ir-6_prm_2 = organization-defined authorities\]. +## Control Statement + +- \[a.\] Require personnel to report suspected incidents to the organizational incident response capability within organization-defined time period; and + +- \[b.\] Report incident information to organization-defined authorities. + +## Control Control Guidance + +The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products. ______________________________________________________________________ -## ir-6 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ir-6_smt.a +Add control implementation description here for item ir-6_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ir-6_smt.b +Add control implementation description here for item ir-6_smt.b ______________________________________________________________________ 
diff --git a/ssp_author_demo/test_system/ir/ir-7.md b/ssp_author_demo/test_system/ir/ir-7.md index 5fa63c2..d732979 100644 --- a/ssp_author_demo/test_system/ir/ir-7.md +++ b/ssp_author_demo/test_system/ir/ir-7.md @@ -1,11 +1,23 @@ -# ir-7 - Incident Response Incident Response Assistance +--- +sort-id: ir-07 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ir-7 - \[Incident Response\] Incident Response Assistance -- Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. +## Control Statement + +Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. + +## Control Control Guidance + +Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required. ______________________________________________________________________ -## ir-7 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ir-7 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ir/ir-8.md b/ssp_author_demo/test_system/ir/ir-8.md index 77c7a2c..07d27e8 100644 --- a/ssp_author_demo/test_system/ir/ir-8.md +++ b/ssp_author_demo/test_system/ir/ir-8.md 
@@ -1,6 +1,12 @@ -# ir-8 - Incident Response Incident Response Plan +--- +sort-id: ir-08 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ir-8 - \[Incident Response\] Incident Response Plan + +## Control Statement - \[a.\] Develop an incident response plan that: 
@@ -12,49 +18,55 @@ - \[6.\] Provides metrics for measuring the incident response capability within the organization; - \[7.\] Defines the resources and management support needed to effectively maintain and mature an incident response capability; - \[8.\] Addresses the sharing of incident information; - - \[9.\] Is reviewed and approved by \[ir-8_prm_1 = organization-defined personnel or roles\] \[ir-8_prm_2 = organization-defined frequency\]; and - - \[10.\] Explicitly designates responsibility for incident response to \[ir-8_prm_3 = organization-defined entities, personnel, or roles\]. + - \[9.\] Is reviewed and approved by organization-defined personnel or roles organization-defined frequency; and + - \[10.\] Explicitly designates responsibility for incident response to organization-defined entities, personnel, or roles. -- \[b.\] Distribute copies of the incident response plan to \[ir-8_prm_4 = organization-defined incident response personnel (identified by name and/or by role) and organizational elements\]; +- \[b.\] Distribute copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; - \[c.\] Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; -- \[d.\] Communicate incident response plan changes to \[ir-8_prm_5 = organization-defined incident response personnel (identified by name and/or by role) and organizational elements\]; and +- \[d.\] Communicate incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and - \[e.\] Protect the incident response plan from unauthorized disclosure and modification. +## Control Control Guidance + +It is important that organizations develop and implement a coordinated approach to incident response. 
Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly. + ______________________________________________________________________ -## ir-8 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ir-8_smt.a +Add control implementation description here for item ir-8_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ir-8_smt.b +Add control implementation description here for item ir-8_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ir-8_smt.c +Add control implementation description here for item ir-8_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ir-8_smt.d +Add control implementation description here for item ir-8_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. 
-Add control implementation description here for statement ir-8_smt.e +Add control implementation description here for item ir-8_smt.e ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ma/ma-1.md b/ssp_author_demo/test_system/ma/ma-1.md index 66410fb..11c1139 100644 --- a/ssp_author_demo/test_system/ma/ma-1.md +++ b/ssp_author_demo/test_system/ma/ma-1.md 
@@ -1,43 +1,55 @@ -# ma-1 - Maintenance Policy and Procedures +--- +sort-id: ma-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ma-1 - \[Maintenance\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[ma-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[ma-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] maintenance policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level maintenance policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls; -- \[b.\] Designate an \[ma-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the maintenance policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the maintenance policy and procedures; and - \[c.\] Review and update the current maintenance: - - \[1.\] Policy \[ma-1_prm_4 = organization-defined frequency\] and following \[ma-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[ma-1_prm_6 = organization-defined frequency\] and following \[ma-1_prm_7 = organization-defined events\]. + - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. 
+ +## Control Control Guidance + +Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## ma-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement ma-1_smt.a +Add control implementation description here for item ma-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ma-1_smt.b +Add control implementation description here for item ma-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ma-1_smt.c +Add control implementation description here for item ma-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ma/ma-2.md b/ssp_author_demo/test_system/ma/ma-2.md index 2514c1d..49fc658 100644 --- a/ssp_author_demo/test_system/ma/ma-2.md +++ b/ssp_author_demo/test_system/ma/ma-2.md 
@@ -1,52 +1,69 @@ -# ma-2 - Maintenance Controlled Maintenance +--- +sort-id: ma-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ma-2 - \[Maintenance\] Controlled Maintenance + +## Control Statement - \[a.\] Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; + - \[b.\] Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location; -- \[c.\] Require that \[ma-2_prm_1 = organization-defined personnel or roles\] explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement; -- \[d.\] Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: \[ma-2_prm_2 = organization-defined information\]; + +- \[c.\] Require that organization-defined personnel or roles explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement; + +- \[d.\] Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: organization-defined information; + - \[e.\] Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and -- \[f.\] Include the following information in organizational maintenance records: \[ma-2_prm_3 = organization-defined information\]. + +- \[f.\] Include the following information in organizational maintenance records: organization-defined information. 
+ +## Control Control Guidance + +Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems. ______________________________________________________________________ -## ma-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ma-2_smt.a +Add control implementation description here for item ma-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ma-2_smt.b +Add control implementation description here for item ma-2_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ma-2_smt.c +Add control implementation description here for item ma-2_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ma-2_smt.d +Add control implementation description here for item ma-2_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. 
-Add control implementation description here for statement ma-2_smt.e +Add control implementation description here for item ma-2_smt.e ______________________________________________________________________ -### Part f. +## Implementation f. -Add control implementation description here for statement ma-2_smt.f +Add control implementation description here for item ma-2_smt.f ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ma/ma-4.md b/ssp_author_demo/test_system/ma/ma-4.md index 508560b..7e69d5a 100644 --- a/ssp_author_demo/test_system/ma/ma-4.md +++ b/ssp_author_demo/test_system/ma/ma-4.md 
@@ -1,45 +1,61 @@ -# ma-4 - Maintenance Nonlocal Maintenance +--- +sort-id: ma-04 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ma-4 - \[Maintenance\] Nonlocal Maintenance + +## Control Statement - \[a.\] Approve and monitor nonlocal maintenance and diagnostic activities; + - \[b.\] Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; + - \[c.\] Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; + - \[d.\] Maintain records for nonlocal maintenance and diagnostic activities; and + - \[e.\] Terminate session and network connections when nonlocal maintenance is completed. +## Control Control Guidance + +Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2). Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators. + ______________________________________________________________________ -## ma-4 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. 
+## Implementation a. -Add control implementation description here for statement ma-4_smt.a +Add control implementation description here for item ma-4_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ma-4_smt.b +Add control implementation description here for item ma-4_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ma-4_smt.c +Add control implementation description here for item ma-4_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ma-4_smt.d +Add control implementation description here for item ma-4_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement ma-4_smt.e +Add control implementation description here for item ma-4_smt.e ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ma/ma-5.md b/ssp_author_demo/test_system/ma/ma-5.md index 5f96a26..bfc3313 100644 --- a/ssp_author_demo/test_system/ma/ma-5.md +++ b/ssp_author_demo/test_system/ma/ma-5.md 
@@ -1,31 +1,45 @@ -# ma-5 - Maintenance Maintenance Personnel +--- +sort-id: ma-05 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ma-5 - \[Maintenance\] Maintenance Personnel + +## Control Statement - \[a.\] Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; + - \[b.\] Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and + - \[c.\] Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. +## Control Control Guidance + +Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. + ______________________________________________________________________ -## ma-5 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. 
+## Implementation a. -Add control implementation description here for statement ma-5_smt.a +Add control implementation description here for item ma-5_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ma-5_smt.b +Add control implementation description here for item ma-5_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ma-5_smt.c +Add control implementation description here for item ma-5_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/mp/mp-1.md b/ssp_author_demo/test_system/mp/mp-1.md index deffa50..5d35b12 100644 --- a/ssp_author_demo/test_system/mp/mp-1.md +++ b/ssp_author_demo/test_system/mp/mp-1.md 
@@ -1,43 +1,55 @@ -# mp-1 - Media Protection Policy and Procedures +--- +sort-id: mp-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# mp-1 - \[Media Protection\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[mp-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[mp-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] media protection policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level media protection policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; -- \[b.\] Designate an \[mp-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the media protection policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the media protection policy and procedures; and - \[c.\] Review and update the current media protection: - - \[1.\] Policy \[mp-1_prm_4 = organization-defined frequency\] and following \[mp-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[mp-1_prm_6 = organization-defined frequency\] and following \[mp-1_prm_7 = organization-defined events\]. + - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. 
+ +## Control Control Guidance + +Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## mp-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement mp-1_smt.a +Add control implementation description here for item mp-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement mp-1_smt.b +Add control implementation description here for item mp-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement mp-1_smt.c +Add control implementation description here for item mp-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/mp/mp-2.md b/ssp_author_demo/test_system/mp/mp-2.md index 0e4c73d..587f1ea 100644 --- a/ssp_author_demo/test_system/mp/mp-2.md +++ b/ssp_author_demo/test_system/mp/mp-2.md 
@@ -1,11 +1,23 @@ -# mp-2 - Media Protection Media Access +--- +sort-id: mp-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# mp-2 - \[Media Protection\] Media Access -- Restrict access to \[mp-2_prm_1 = organization-defined types of digital and/or non-digital media\] to \[mp-2_prm_2 = organization-defined personnel or roles\]. +## Control Statement + +Restrict access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles. + +## Control Control Guidance + +System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media. ______________________________________________________________________ -## mp-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control mp-2 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/mp/mp-6.md b/ssp_author_demo/test_system/mp/mp-6.md index 77df5a4..0bfce8b 100644 --- a/ssp_author_demo/test_system/mp/mp-6.md +++ b/ssp_author_demo/test_system/mp/mp-6.md 
@@ -1,24 +1,37 @@ -# mp-6 - Media Protection Media Sanitization +--- +sort-id: mp-06 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# mp-6 - \[Media Protection\] Media Sanitization + +## Control Statement + +- \[a.\] Sanitize organization-defined system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures; and -- \[a.\] Sanitize \[mp-6_prm_1 = organization-defined system media\] prior to disposal, release out of organizational control, or release for reuse using \[mp-6_prm_2 = organization-defined sanitization techniques and procedures\]; and - \[b.\] Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. +## Control Control Guidance + +Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. 
Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information. + ______________________________________________________________________ -## mp-6 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement mp-6_smt.a +Add control implementation description here for item mp-6_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement mp-6_smt.b +Add control implementation description here for item mp-6_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/mp/mp-7.md b/ssp_author_demo/test_system/mp/mp-7.md index bd54800..4a633ea 100644 --- a/ssp_author_demo/test_system/mp/mp-7.md +++ b/ssp_author_demo/test_system/mp/mp-7.md 
@@ -1,24 +1,37 @@ -# mp-7 - Media Protection Media Use +--- +sort-id: mp-07 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# mp-7 - \[Media Protection\] Media Use + +## Control Statement + +- \[a.\] Restrict; Prohibit the use of organization-defined types of system media on organization-defined systems or system components using organization-defined controls; and -- \[a.\] \[mp-7_prm_1 = \['Restrict', 'Prohibit'\]\] the use of \[mp-7_prm_2 = organization-defined types of system media\] on \[mp-7_prm_3 = organization-defined systems or system components\] using \[mp-7_prm_4 = organization-defined controls\]; and - \[b.\] Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. +## Control Control Guidance + +System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2), which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. 
Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices. + ______________________________________________________________________ -## mp-7 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement mp-7_smt.a +Add control implementation description here for item mp-7_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement mp-7_smt.b +Add control implementation description here for item mp-7_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pe/pe-1.md b/ssp_author_demo/test_system/pe/pe-1.md index 084328c..ea9ea45 100644 --- a/ssp_author_demo/test_system/pe/pe-1.md +++ b/ssp_author_demo/test_system/pe/pe-1.md 
@@ -1,43 +1,55 @@ -# pe-1 - Physical and Environmental Protection Policy and Procedures +--- +sort-id: pe-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pe-1 - \[Physical and Environmental Protection\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[pe-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[pe-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] physical and environmental protection policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level physical and environmental protection policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; -- \[b.\] Designate an \[pe-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and - \[c.\] Review and update the current physical and environmental protection: - - \[1.\] Policy \[pe-1_prm_4 = organization-defined frequency\] and following \[pe-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[pe-1_prm_6 = organization-defined frequency\] and following \[pe-1_prm_7 = organization-defined events\]. 
+ - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. + +## Control Control Guidance + +Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## pe-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement pe-1_smt.a +Add control implementation description here for item pe-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement pe-1_smt.b +Add control implementation description here for item pe-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement pe-1_smt.c +Add control implementation description here for item pe-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pe/pe-12.md b/ssp_author_demo/test_system/pe/pe-12.md index d2ba62c..67d9810 100644 --- a/ssp_author_demo/test_system/pe/pe-12.md +++ b/ssp_author_demo/test_system/pe/pe-12.md 
@@ -1,11 +1,23 @@ -# pe-12 - Physical and Environmental Protection Emergency Lighting +--- +sort-id: pe-12 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pe-12 - \[Physical and Environmental Protection\] Emergency Lighting -- Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. +## Control Statement + +Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. + +## Control Control Guidance + +The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies. ______________________________________________________________________ -## pe-12 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control pe-12 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pe/pe-13.md b/ssp_author_demo/test_system/pe/pe-13.md index a51b20e..38b2a0a 100644 --- a/ssp_author_demo/test_system/pe/pe-13.md +++ b/ssp_author_demo/test_system/pe/pe-13.md 
@@ -1,11 +1,23 @@ -# pe-13 - Physical and Environmental Protection Fire Protection +--- +sort-id: pe-13 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pe-13 - \[Physical and Environmental Protection\] Fire Protection -- Employ and maintain fire detection and suppression systems that are supported by an independent energy source. +## Control Statement + +Employ and maintain fire detection and suppression systems that are supported by an independent energy source. + +## Control Control Guidance + +The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility. ______________________________________________________________________ -## pe-13 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control pe-13 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pe/pe-14.md b/ssp_author_demo/test_system/pe/pe-14.md index 25ad9ef..f78ce9a 100644 --- a/ssp_author_demo/test_system/pe/pe-14.md +++ b/ssp_author_demo/test_system/pe/pe-14.md 
@@ -1,24 +1,37 @@ -# pe-14 - Physical and Environmental Protection Environmental Controls +--- +sort-id: pe-14 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pe-14 - \[Physical and Environmental Protection\] Environmental Controls -- \[a.\] Maintain \[pe-14_prm_1 = one-or-more \['temperature', 'humidity', 'pressure', 'radiation', ' \[pe-14_prm_2 = organization-defined environmental control\] '\]\] levels within the facility where the system resides at \[pe-14_prm_3 = organization-defined acceptable levels\]; and -- \[b.\] Monitor environmental control levels \[pe-14_prm_4 = organization-defined frequency\]. +## Control Statement + +- \[a.\] Maintain temperature; humidity; pressure; radiation; {{ insert: param, pe-14_prm_2 }} levels within the facility where the system resides at organization-defined acceptable levels; and + +- \[b.\] Monitor environmental control levels organization-defined frequency. + +## Control Control Guidance + +The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions. ______________________________________________________________________ -## pe-14 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement pe-14_smt.a +Add control implementation description here for item pe-14_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. 
-Add control implementation description here for statement pe-14_smt.b +Add control implementation description here for item pe-14_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pe/pe-15.md b/ssp_author_demo/test_system/pe/pe-15.md index 35971e2..e4eccd5 100644 --- a/ssp_author_demo/test_system/pe/pe-15.md +++ b/ssp_author_demo/test_system/pe/pe-15.md @@ -1,11 +1,23 @@ -# pe-15 - Physical and Environmental Protection Water Damage Protection +--- +sort-id: pe-15 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pe-15 - \[Physical and Environmental Protection\] Water Damage Protection -- Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. +## Control Statement + +Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. + +## Control Control Guidance + +The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations. ______________________________________________________________________ -## pe-15 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control pe-15 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pe/pe-16.md b/ssp_author_demo/test_system/pe/pe-16.md index 80c7ebb..4b3836d 100644 --- a/ssp_author_demo/test_system/pe/pe-16.md 
+++ b/ssp_author_demo/test_system/pe/pe-16.md @@ -1,24 +1,37 @@ -# pe-16 - Physical and Environmental Protection Delivery and Removal +--- +sort-id: pe-16 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pe-16 - \[Physical and Environmental Protection\] Delivery and Removal + +## Control Statement + +- \[a.\] Authorize and control organization-defined types of system components entering and exiting the facility; and -- \[a.\] Authorize and control \[pe-16_prm_1 = organization-defined types of system components\] entering and exiting the facility; and - \[b.\] Maintain records of the system components. +## Control Control Guidance + +Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries. + ______________________________________________________________________ -## pe-16 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement pe-16_smt.a +Add control implementation description here for item pe-16_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement pe-16_smt.b +Add control implementation description here for item pe-16_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pe/pe-2.md b/ssp_author_demo/test_system/pe/pe-2.md index a1bb5ea..c2f2ab7 100644 --- a/ssp_author_demo/test_system/pe/pe-2.md +++ b/ssp_author_demo/test_system/pe/pe-2.md 
@@ -1,38 +1,53 @@ -# pe-2 - Physical and Environmental Protection Physical Access Authorizations +--- +sort-id: pe-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pe-2 - \[Physical and Environmental Protection\] Physical Access Authorizations + +## Control Statement - \[a.\] Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; + - \[b.\] Issue authorization credentials for facility access; -- \[c.\] Review the access list detailing authorized facility access by individuals \[pe-2_prm_1 = organization-defined frequency\]; and + +- \[c.\] Review the access list detailing authorized facility access by individuals organization-defined frequency; and + - \[d.\] Remove individuals from the facility access list when access is no longer required. +## Control Control Guidance + +Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible. + ______________________________________________________________________ -## pe-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement pe-2_smt.a +Add control implementation description here for item pe-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. 
-Add control implementation description here for statement pe-2_smt.b +Add control implementation description here for item pe-2_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement pe-2_smt.c +Add control implementation description here for item pe-2_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement pe-2_smt.d +Add control implementation description here for item pe-2_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pe/pe-3.md b/ssp_author_demo/test_system/pe/pe-3.md index 60059d6..ee5291d 100644 --- a/ssp_author_demo/test_system/pe/pe-3.md +++ b/ssp_author_demo/test_system/pe/pe-3.md 
@@ -1,68 +1,80 @@ -# pe-3 - Physical and Environmental Protection Physical Access Control +--- +sort-id: pe-03 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pe-3 - \[Physical and Environmental Protection\] Physical Access Control -- \[a.\] Enforce physical access authorizations at \[pe-3_prm_1 = organization-defined entry and exit points to the facility where the system resides\] by: +## Control Statement + +- \[a.\] Enforce physical access authorizations at organization-defined entry and exit points to the facility where the system resides by: - \[1.\] Verifying individual access authorizations before granting access to the facility; and - - \[2.\] Controlling ingress and egress to the facility using \[pe-3_prm_2 = one-or-more \[' \[pe-3_prm_3 = organization-defined physical access control systems or devices\] ', 'guards'\]\]; + - \[2.\] Controlling ingress and egress to the facility using {{ insert: param, pe-3_prm_3 }} ; guards; -- \[b.\] Maintain physical access audit logs for \[pe-3_prm_4 = organization-defined entry or exit points\]; +- \[b.\] Maintain physical access audit logs for organization-defined entry or exit points; -- \[c.\] Control access to areas within the facility designated as publicly accessible by implementing the following controls: \[pe-3_prm_5 = organization-defined physical access controls\]; +- \[c.\] Control access to areas within the facility designated as publicly accessible by implementing the following controls: organization-defined physical access controls; -- \[d.\] Escort visitors and control visitor activity \[pe-3_prm_6 = organization-defined circumstances requiring visitor escorts and control of visitor activity\]; +- \[d.\] Escort visitors and control visitor activity organization-defined circumstances requiring visitor escorts and control of visitor activity; - \[e.\] Secure keys, combinations, and other physical access devices; -- \[f.\] Inventory \[pe-3_prm_7 = organization-defined 
physical access devices\] every \[pe-3_prm_8 = organization-defined frequency\]; and +- \[f.\] Inventory organization-defined physical access devices every organization-defined frequency; and + +- \[g.\] Change combinations and keys organization-defined frequency and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. -- \[g.\] Change combinations and keys \[pe-3_prm_9 = organization-defined frequency\] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. +## Control Control Guidance + +Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components. ______________________________________________________________________ -## pe-3 What is the solution and how is it implemented? 
+## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement pe-3_smt.a +Add control implementation description here for item pe-3_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement pe-3_smt.b +Add control implementation description here for item pe-3_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement pe-3_smt.c +Add control implementation description here for item pe-3_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement pe-3_smt.d +Add control implementation description here for item pe-3_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement pe-3_smt.e +Add control implementation description here for item pe-3_smt.e ______________________________________________________________________ -### Part f. +## Implementation f. -Add control implementation description here for statement pe-3_smt.f +Add control implementation description here for item pe-3_smt.f ______________________________________________________________________ -### Part g. +## Implementation g. -Add control implementation description here for statement pe-3_smt.g +Add control implementation description here for item pe-3_smt.g ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pe/pe-6.md b/ssp_author_demo/test_system/pe/pe-6.md index bef9e71..1999226 100644 --- a/ssp_author_demo/test_system/pe/pe-6.md 
+++ b/ssp_author_demo/test_system/pe/pe-6.md 
@@ -1,31 +1,45 @@ -# pe-6 - Physical and Environmental Protection Monitoring Physical Access +--- +sort-id: pe-06 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pe-6 - \[Physical and Environmental Protection\] Monitoring Physical Access + +## Control Statement - \[a.\] Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; -- \[b.\] Review physical access logs \[pe-6_prm_1 = organization-defined frequency\] and upon occurrence of \[pe-6_prm_2 = organization-defined events or potential indications of events\]; and + +- \[b.\] Review physical access logs organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and + - \[c.\] Coordinate results of reviews and investigations with the organizational incident response capability. +## Control Control Guidance + +Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2), if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses. + ______________________________________________________________________ -## pe-6 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement pe-6_smt.a +Add control implementation description here for item pe-6_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement pe-6_smt.b +Add control implementation description here for item pe-6_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement pe-6_smt.c +Add control implementation description here for item pe-6_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pe/pe-8.md b/ssp_author_demo/test_system/pe/pe-8.md index 1caaa3f..090aaf3 100644 --- a/ssp_author_demo/test_system/pe/pe-8.md +++ b/ssp_author_demo/test_system/pe/pe-8.md 
@@ -1,31 +1,45 @@ -# pe-8 - Physical and Environmental Protection Visitor Access Records +--- +sort-id: pe-08 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pe-8 - \[Physical and Environmental Protection\] Visitor Access Records -- \[a.\] Maintain visitor access records to the facility where the system resides for \[pe-8_prm_1 = organization-defined time period\]; -- \[b.\] Review visitor access records \[pe-8_prm_2 = organization-defined frequency\]; and -- \[c.\] Report anomalies in visitor access records to \[pe-8_prm_3 = organization-defined personnel\]. +## Control Statement + +- \[a.\] Maintain visitor access records to the facility where the system resides for organization-defined time period; + +- \[b.\] Review visitor access records organization-defined frequency; and + +- \[c.\] Report anomalies in visitor access records to organization-defined personnel. + +## Control Control Guidance + +Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas. ______________________________________________________________________ -## pe-8 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement pe-8_smt.a +Add control implementation description here for item pe-8_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. 
-Add control implementation description here for statement pe-8_smt.b +Add control implementation description here for item pe-8_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement pe-8_smt.c +Add control implementation description here for item pe-8_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pl/pl-1.md b/ssp_author_demo/test_system/pl/pl-1.md index 209156c..2bed5e7 100644 --- a/ssp_author_demo/test_system/pl/pl-1.md +++ b/ssp_author_demo/test_system/pl/pl-1.md 
@@ -1,43 +1,55 @@ -# pl-1 - Planning Policy and Procedures +--- +sort-id: pl-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pl-1 - \[Planning\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[pl-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[pl-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] planning policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level planning policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the planning policy and the associated planning controls; -- \[b.\] Designate an \[pl-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the planning policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the planning policy and procedures; and - \[c.\] Review and update the current planning: - - \[1.\] Policy \[pl-1_prm_4 = organization-defined frequency\] and following \[pl-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[pl-1_prm_6 = organization-defined frequency\] and following \[pl-1_prm_7 = organization-defined events\]. + - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. 
+ +## Control Control Guidance + +Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## pl-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement pl-1_smt.a +Add control implementation description here for item pl-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement pl-1_smt.b +Add control implementation description here for item pl-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement pl-1_smt.c +Add control implementation description here for item pl-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pl/pl-10.md b/ssp_author_demo/test_system/pl/pl-10.md index b1933fe..10a9068 100644 --- a/ssp_author_demo/test_system/pl/pl-10.md +++ b/ssp_author_demo/test_system/pl/pl-10.md 
@@ -1,11 +1,23 @@ -# pl-10 - Planning Baseline Selection +--- +sort-id: pl-10 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pl-10 - \[Planning\] Baseline Selection -- Select a control baseline for the system. +## Control Statement + +Select a control baseline for the system. + +## Control Control Guidance + +Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11)). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752). The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455). 
The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems. ______________________________________________________________________ -## pl-10 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control pl-10 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pl/pl-11.md b/ssp_author_demo/test_system/pl/pl-11.md index f69dcce..b36a992 100644 --- a/ssp_author_demo/test_system/pl/pl-11.md +++ b/ssp_author_demo/test_system/pl/pl-11.md 
@@ -1,11 +1,23 @@ -# pl-11 - Planning Baseline Tailoring +--- +sort-id: pl-11 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pl-11 - \[Planning\] Baseline Tailoring -- Tailor the selected control baseline by applying specified tailoring actions. +## Control Statement + +Tailor the selected control baseline by applying specified tailoring actions. + +## Control Control Guidance + +The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752). Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455), and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef). 
Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities. ______________________________________________________________________ -## pl-11 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control pl-11 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pl/pl-2.md b/ssp_author_demo/test_system/pl/pl-2.md index c431ef8..229dfdd 100644 --- a/ssp_author_demo/test_system/pl/pl-2.md +++ b/ssp_author_demo/test_system/pl/pl-2.md @@ -1,6 +1,12 @@ -# pl-2 - Planning System Security and Privacy Plans +--- +sort-id: pl-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pl-2 - \[Planning\] System Security and Privacy Plans + +## Control Statement - \[a.\] Develop security and privacy plans for the system that: 
@@ -17,49 +23,61 @@ - \[11.\] Identify any relevant control baselines or overlays, if applicable; - \[12.\] Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; - \[13.\] Include risk determinations for security and privacy architecture and design decisions; - - \[14.\] Include security- and privacy-related activities affecting the system that require planning and coordination with \[pl-2_prm_1 = organization-defined individuals or groups\]; and + - \[14.\] Include security- and privacy-related activities affecting the system that require planning and coordination with organization-defined individuals or groups; and - \[15.\] Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. -- \[b.\] Distribute copies of the plans and communicate subsequent changes to the plans to \[pl-2_prm_2 = organization-defined personnel or roles\]; +- \[b.\] Distribute copies of the plans and communicate subsequent changes to the plans to organization-defined personnel or roles; -- \[c.\] Review the plans \[pl-2_prm_3 = organization-defined frequency\]; +- \[c.\] Review the plans organization-defined frequency; - \[d.\] Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and - \[e.\] Protect the plans from unauthorized disclosure and modification. +## Control Control Guidance + +System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. 
The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls. + +Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. + +Security and privacy plans need not be single documents. 
The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans. + +Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate. + ______________________________________________________________________ -## pl-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement pl-2_smt.a +Add control implementation description here for item pl-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. 
-Add control implementation description here for statement pl-2_smt.b +Add control implementation description here for item pl-2_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement pl-2_smt.c +Add control implementation description here for item pl-2_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement pl-2_smt.d +Add control implementation description here for item pl-2_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement pl-2_smt.e +Add control implementation description here for item pl-2_smt.e ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pl/pl-4.1.md b/ssp_author_demo/test_system/pl/pl-4.1.md index 5b7813d..cda709f 100644 --- a/ssp_author_demo/test_system/pl/pl-4.1.md +++ b/ssp_author_demo/test_system/pl/pl-4.1.md 
@@ -1,33 +1,47 @@ -# pl-4.1 - Planning Social Media and External Site/application Usage Restrictions +--- +sort-id: pl-04.01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pl-4.1 - \[Planning\] Social Media and External Site/application Usage Restrictions -- Include in the rules of behavior, restrictions on: +## Control Statement - - \[(a)\] Use of social media, social networking sites, and external sites/applications; - - \[(b)\] Posting organizational information on public websites; and - - \[(c)\] Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications. +Include in the rules of behavior, restrictions on: + +- \[(a)\] Use of social media, social networking sites, and external sites/applications; + +- \[(b)\] Posting organizational information on public websites; and + +- \[(c)\] Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications. + +## Control Control Guidance + +Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information. 
______________________________________________________________________ -## pl-4.1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part (a) +## Implementation (a) -Add control implementation description here for statement pl-4.1_smt.a +Add control implementation description here for item pl-4.1_smt.a ______________________________________________________________________ -### Part (b) +## Implementation (b) -Add control implementation description here for statement pl-4.1_smt.b +Add control implementation description here for item pl-4.1_smt.b ______________________________________________________________________ -### Part (c) +## Implementation (c) -Add control implementation description here for statement pl-4.1_smt.c +Add control implementation description here for item pl-4.1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/pl/pl-4.md b/ssp_author_demo/test_system/pl/pl-4.md index 4ac6824..d4f2092 100644 --- a/ssp_author_demo/test_system/pl/pl-4.md +++ b/ssp_author_demo/test_system/pl/pl-4.md 
@@ -1,38 +1,53 @@ -# pl-4 - Planning Rules of Behavior +--- +sort-id: pl-04 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# pl-4 - \[Planning\] Rules of Behavior + +## Control Statement - \[a.\] Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; + - \[b.\] Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; -- \[c.\] Review and update the rules of behavior \[pl-4_prm_1 = organization-defined frequency\]; and -- \[d.\] Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge \[pl-4_prm_2 = one-or-more \[' \[pl-4_prm_3 = organization-defined frequency\] ', 'when the rules are revised or updated'\]\]. + +- \[c.\] Review and update the rules of behavior organization-defined frequency; and + +- \[d.\] Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-4_prm_3 }} ; when the rules are revised or updated. + +## Control Control Guidance + +Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6)). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. 
Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8). The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b), the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons. ______________________________________________________________________ -## pl-4 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement pl-4_smt.a +Add control implementation description here for item pl-4_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement pl-4_smt.b +Add control implementation description here for item pl-4_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement pl-4_smt.c +Add control implementation description here for item pl-4_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. 
-Add control implementation description here for statement pl-4_smt.d +Add control implementation description here for item pl-4_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ps/ps-1.md b/ssp_author_demo/test_system/ps/ps-1.md index 3dd9441..6ee51e8 100644 --- a/ssp_author_demo/test_system/ps/ps-1.md +++ b/ssp_author_demo/test_system/ps/ps-1.md 
@@ -1,43 +1,55 @@ -# ps-1 - Personnel Security Policy and Procedures +--- +sort-id: ps-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ps-1 - \[Personnel Security\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[ps-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[ps-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] personnel security policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level personnel security policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; -- \[b.\] Designate an \[ps-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the personnel security policy and procedures; and - \[c.\] Review and update the current personnel security: - - \[1.\] Policy \[ps-1_prm_4 = organization-defined frequency\] and following \[ps-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[ps-1_prm_6 = organization-defined frequency\] and following \[ps-1_prm_7 = organization-defined events\]. + - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. 
+ +## Control Control Guidance + +Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## ps-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement ps-1_smt.a +Add control implementation description here for item ps-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ps-1_smt.b +Add control implementation description here for item ps-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ps-1_smt.c +Add control implementation description here for item ps-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ps/ps-2.md b/ssp_author_demo/test_system/ps/ps-2.md index 995d97c..f2901e3 100644 --- a/ssp_author_demo/test_system/ps/ps-2.md +++ b/ssp_author_demo/test_system/ps/ps-2.md 
@@ -1,31 +1,45 @@ -# ps-2 - Personnel Security Position Risk Designation +--- +sort-id: ps-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ps-2 - \[Personnel Security\] Position Risk Designation + +## Control Statement - \[a.\] Assign a risk designation to all organizational positions; + - \[b.\] Establish screening criteria for individuals filling those positions; and -- \[c.\] Review and update position risk designations \[ps-2_prm_1 = organization-defined frequency\]. + +- \[c.\] Review and update position risk designations organization-defined frequency. + +## Control Control Guidance + +Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. 
Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions. ______________________________________________________________________ -## ps-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ps-2_smt.a +Add control implementation description here for item ps-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ps-2_smt.b +Add control implementation description here for item ps-2_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ps-2_smt.c +Add control implementation description here for item ps-2_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ps/ps-3.md b/ssp_author_demo/test_system/ps/ps-3.md index 017f87c..2d1fb4b 100644 --- a/ssp_author_demo/test_system/ps/ps-3.md +++ b/ssp_author_demo/test_system/ps/ps-3.md 
@@ -1,24 +1,37 @@ -# ps-3 - Personnel Security Personnel Screening +--- +sort-id: ps-03 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ps-3 - \[Personnel Security\] Personnel Screening + +## Control Statement - \[a.\] Screen individuals prior to authorizing access to the system; and -- \[b.\] Rescreen individuals in accordance with \[ps-3_prm_1 = organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening\]. + +- \[b.\] Rescreen individuals in accordance with organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening. + +## Control Control Guidance + +Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems. ______________________________________________________________________ -## ps-3 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ps-3_smt.a +Add control implementation description here for item ps-3_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ps-3_smt.b +Add control implementation description here for item ps-3_smt.b ______________________________________________________________________ 
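Review bot: the new guidance heading in the ps-3.md hunk reads `## Control Control Guidance`, a doubled word that appears to come from prefixing the `guidance: Control Guidance` title declared in the new front matter with "Control ". Either change the `x-trestle-sections` title to `Guidance` or stop prefixing it, so the rendered heading is `## Control Guidance`. The same doubled heading is generated in every control file touched by this patch.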
diff --git a/ssp_author_demo/test_system/ps/ps-4.md b/ssp_author_demo/test_system/ps/ps-4.md index 5df603f..787de17 100644 --- a/ssp_author_demo/test_system/ps/ps-4.md +++ b/ssp_author_demo/test_system/ps/ps-4.md 
@@ -1,47 +1,63 @@ -# ps-4 - Personnel Security Personnel Termination +--- +sort-id: ps-04 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ps-4 - \[Personnel Security\] Personnel Termination -- Upon termination of individual employment: +## Control Statement - - \[a.\] Disable system access within \[ps-4_prm_1 = organization-defined time period\]; - - \[b.\] Terminate or revoke any authenticators and credentials associated with the individual; - - \[c.\] Conduct exit interviews that include a discussion of \[ps-4_prm_2 = organization-defined information security topics\]; - - \[d.\] Retrieve all security-related organizational system-related property; and - - \[e.\] Retain access to organizational information and systems formerly controlled by terminated individual. +Upon termination of individual employment: + +- \[a.\] Disable system access within organization-defined time period; + +- \[b.\] Terminate or revoke any authenticators and credentials associated with the individual; + +- \[c.\] Conduct exit interviews that include a discussion of organization-defined information security topics; + +- \[d.\] Retrieve all security-related organizational system-related property; and + +- \[e.\] Retain access to organizational information and systems formerly controlled by terminated individual. + +## Control Control Guidance + +System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. 
Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified. ______________________________________________________________________ -## ps-4 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ps-4_smt.a +Add control implementation description here for item ps-4_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ps-4_smt.b +Add control implementation description here for item ps-4_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ps-4_smt.c +Add control implementation description here for item ps-4_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ps-4_smt.d +Add control implementation description here for item ps-4_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement ps-4_smt.e +Add control implementation description here for item ps-4_smt.e ______________________________________________________________________ 
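Review bot: in the ps-4.md hunk the per-item headings move from `### Part a.` to `## Implementation a.`, which places them at the same level as `## What is the solution and how is it implemented?` and `## Control Statement` rather than nested under the solution section, so the outline no longer shows which items belong to the implementation. The solution heading also loses the control id (`## ps-4 What is ...` became `## What is ...`) and is now followed by two empty lines before the separator. Keep the implementation items one level below the solution heading (or raise the solution heading one level) and trim the trailing blank lines; this applies to every control file in the patch.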
diff --git a/ssp_author_demo/test_system/ps/ps-5.md b/ssp_author_demo/test_system/ps/ps-5.md index 38ab5d4..be1ffd5 100644 --- a/ssp_author_demo/test_system/ps/ps-5.md +++ b/ssp_author_demo/test_system/ps/ps-5.md 
@@ -1,38 +1,53 @@ -# ps-5 - Personnel Security Personnel Transfer +--- +sort-id: ps-05 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ps-5 - \[Personnel Security\] Personnel Transfer + +## Control Statement - \[a.\] Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization; -- \[b.\] Initiate \[ps-5_prm_1 = organization-defined transfer or reassignment actions\] within \[ps-5_prm_2 = organization-defined time period following the formal transfer action\]; + +- \[b.\] Initiate organization-defined transfer or reassignment actions within organization-defined time period following the formal transfer action; + - \[c.\] Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and -- \[d.\] Notify \[ps-5_prm_3 = organization-defined personnel or roles\] within \[ps-5_prm_4 = organization-defined time period\]. + +- \[d.\] Notify organization-defined personnel or roles within organization-defined time period. + +## Control Control Guidance + +Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts. 
______________________________________________________________________ -## ps-5 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ps-5_smt.a +Add control implementation description here for item ps-5_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ps-5_smt.b +Add control implementation description here for item ps-5_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ps-5_smt.c +Add control implementation description here for item ps-5_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ps-5_smt.d +Add control implementation description here for item ps-5_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ps/ps-6.md b/ssp_author_demo/test_system/ps/ps-6.md index 5dfc6b4..25a704b 100644 --- a/ssp_author_demo/test_system/ps/ps-6.md +++ b/ssp_author_demo/test_system/ps/ps-6.md 
@@ -1,36 +1,48 @@ -# ps-6 - Personnel Security Access Agreements +--- +sort-id: ps-06 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ps-6 - \[Personnel Security\] Access Agreements + +## Control Statement - \[a.\] Develop and document access agreements for organizational systems; -- \[b.\] Review and update the access agreements \[ps-6_prm_1 = organization-defined frequency\]; and +- \[b.\] Review and update the access agreements organization-defined frequency; and - \[c.\] Verify that individuals requiring access to organizational information and systems: - \[1.\] Sign appropriate access agreements prior to being granted access; and - - \[2.\] Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or \[ps-6_prm_2 = organization-defined frequency\]. + - \[2.\] Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or organization-defined frequency. + +## Control Control Guidance + +Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. ______________________________________________________________________ -## ps-6 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement ps-6_smt.a +Add control implementation description here for item ps-6_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ps-6_smt.b +Add control implementation description here for item ps-6_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ps-6_smt.c +Add control implementation description here for item ps-6_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ps/ps-7.md b/ssp_author_demo/test_system/ps/ps-7.md index 976226a..8c6afd4 100644 --- a/ssp_author_demo/test_system/ps/ps-7.md +++ b/ssp_author_demo/test_system/ps/ps-7.md 
@@ -1,45 +1,61 @@ -# ps-7 - Personnel Security External Personnel Security +--- +sort-id: ps-07 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ps-7 - \[Personnel Security\] External Personnel Security + +## Control Statement - \[a.\] Establish personnel security requirements, including security roles and responsibilities for external providers; + - \[b.\] Require external providers to comply with personnel security policies and procedures established by the organization; + - \[c.\] Document personnel security requirements; -- \[d.\] Require external providers to notify \[ps-7_prm_1 = organization-defined personnel or roles\] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within \[ps-7_prm_2 = organization-defined time period\]; and + +- \[d.\] Require external providers to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within organization-defined time period; and + - \[e.\] Monitor provider compliance with personnel security requirements. +## Control Control Guidance + +External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. 
Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals. + ______________________________________________________________________ -## ps-7 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ps-7_smt.a +Add control implementation description here for item ps-7_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ps-7_smt.b +Add control implementation description here for item ps-7_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ps-7_smt.c +Add control implementation description here for item ps-7_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ps-7_smt.d +Add control implementation description here for item ps-7_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement ps-7_smt.e +Add control implementation description here for item ps-7_smt.e ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ps/ps-8.md b/ssp_author_demo/test_system/ps/ps-8.md index d3a44ee..c7f6829 100644 --- a/ssp_author_demo/test_system/ps/ps-8.md +++ b/ssp_author_demo/test_system/ps/ps-8.md 
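Review bot: item d. in this hunk, "notify organization-defined personnel or roles ... within organization-defined time period", is the clearest case in the series where dropping the parameter brackets hides that two values (who to notify, and the deadline) are still unset; an SSP author reading the statement alone would not know these need filling in. Also, this file gained blank lines between the top-level items a. through e. while ps-6 just above kept them tight; if that reflects whitespace in the catalog statements rather than a deliberate rendering choice, it is worth normalizing so the generated files diff cleanly across regenerations.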
@@ -1,24 +1,37 @@ -# ps-8 - Personnel Security Personnel Sanctions +--- +sort-id: ps-08 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ps-8 - \[Personnel Security\] Personnel Sanctions + +## Control Statement - \[a.\] Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and -- \[b.\] Notify \[ps-8_prm_1 = organization-defined personnel or roles\] within \[ps-8_prm_2 = organization-defined time period\] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. + +- \[b.\] Notify organization-defined personnel or roles within organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. + +## Control Control Guidance + +Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. ______________________________________________________________________ -## ps-8 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ps-8_smt.a +Add control implementation description here for item ps-8_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. 
-Add control implementation description here for statement ps-8_smt.b +Add control implementation description here for item ps-8_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ps/ps-9.md b/ssp_author_demo/test_system/ps/ps-9.md index ce3002c..842516d 100644 --- a/ssp_author_demo/test_system/ps/ps-9.md +++ b/ssp_author_demo/test_system/ps/ps-9.md @@ -1,11 +1,23 @@ -# ps-9 - Personnel Security Position Descriptions +--- +sort-id: ps-09 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ps-9 - \[Personnel Security\] Position Descriptions -- Incorporate security and privacy roles and responsibilities into organizational position descriptions. +## Control Statement + +Incorporate security and privacy roles and responsibilities into organizational position descriptions. + +## Control Control Guidance + +Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles. ______________________________________________________________________ -## ps-9 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ps-9 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ra/ra-1.md b/ssp_author_demo/test_system/ra/ra-1.md index ca17e8a..a4f1fce 100644 --- a/ssp_author_demo/test_system/ra/ra-1.md +++ b/ssp_author_demo/test_system/ra/ra-1.md 
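Review bot: the ps-9 hunk emits "Add control implementation description here for control ps-9" under the solution heading because the control has a single statement, but the multi-part controls (ps-8 directly above, and ps-6/ps-7) leave that same "## What is the solution and how is it implemented?" section as two blank lines with the prompts pushed down into the per-item "## Implementation" sections. That is fine if trestle's assemble step treats an empty top-level section as "no control-level text", but it should be confirmed rather than assumed, since an author who writes a summary there on one control and not another will get inconsistent SSP output.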
@@ -1,43 +1,55 @@ -# ra-1 - Risk Assessment Policy and Procedures +--- +sort-id: ra-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ra-1 - \[Risk Assessment\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[ra-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[ra-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] risk assessment policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level risk assessment policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; -- \[b.\] Designate an \[ra-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and - \[c.\] Review and update the current risk assessment: - - \[1.\] Policy \[ra-1_prm_4 = organization-defined frequency\] and following \[ra-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[ra-1_prm_6 = organization-defined frequency\] and following \[ra-1_prm_7 = organization-defined events\]. + - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. 
+ +## Control Control Guidance + +Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## ra-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. 
-Add control implementation description here for statement ra-1_smt.a +Add control implementation description here for item ra-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ra-1_smt.b +Add control implementation description here for item ra-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ra-1_smt.c +Add control implementation description here for item ra-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ra/ra-2.md b/ssp_author_demo/test_system/ra/ra-2.md index e865055..079ebd5 100644 --- a/ssp_author_demo/test_system/ra/ra-2.md +++ b/ssp_author_demo/test_system/ra/ra-2.md 
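Review bot: item a.1 in this hunk flattens the one-or-more selection into "- \[1.\] Organization-level; Mission/business process-level; System-level risk assessment policy that:", which now reads as though all three levels are mandated. The previous rendering, "\[ra-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\]", made the choice explicit. Since the selection is meant to be resolved by the profile, either set the chosen value(s) there before generating or keep a rendering that preserves the choice semantics; semicolon-joining the alternatives loses information the SSP author needs.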
@@ -1,31 +1,49 @@ -# ra-2 - Risk Assessment Security Categorization +--- +sort-id: ra-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ra-2 - \[Risk Assessment\] Security Categorization + +## Control Statement - \[a.\] Categorize the system and information it processes, stores, and transmits; + - \[b.\] Document the security categorization results, including supporting rationale, in the security plan for the system; and + - \[c.\] Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. +## Control Control Guidance + +Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems. + +Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts. 
+ +Security categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8), mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant. + ______________________________________________________________________ -## ra-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ra-2_smt.a +Add control implementation description here for item ra-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ra-2_smt.b +Add control implementation description here for item ra-2_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ra-2_smt.c +Add control implementation description here for item ra-2_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ra/ra-3.1.md b/ssp_author_demo/test_system/ra/ra-3.1.md index bbc6bfe..219ad02 100644 --- a/ssp_author_demo/test_system/ra/ra-3.1.md +++ b/ssp_author_demo/test_system/ra/ra-3.1.md 
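Review bot: the guidance text added in this hunk carries catalog-internal links, "[CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9)", "[USA PATRIOT](#13f0c39d-...)" and "[CM-8](#cm-8)", whose targets are back-matter resource UUIDs and control ids inside the OSCAL catalog. None of those exist as anchors in a per-control markdown file, so they render as dead fragment links. Consider resolving resource links to the back-matter rlink URL (or plain text) and control links to the sibling markdown file when generating, or at least stripping the fragment so the text does not look like a working reference.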
@@ -1,24 +1,37 @@ -# ra-3.1 - Risk Assessment Supply Chain Risk Assessment +--- +sort-id: ra-03.01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ra-3.1 - \[Risk Assessment\] Supply Chain Risk Assessment -- \[(a)\] Assess supply chain risks associated with \[ra-3.1_prm_1 = organization-defined systems, system components, and system services\]; and -- \[(b)\] Update the supply chain risk assessment \[ra-3.1_prm_2 = organization-defined frequency\], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. +## Control Statement + +- \[(a)\] Assess supply chain risks associated with organization-defined systems, system components, and system services; and + +- \[(b)\] Update the supply chain risk assessment organization-defined frequency, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. + +## Control Control Guidance + +Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required. 
______________________________________________________________________ -## ra-3.1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part (a) +## Implementation (a) -Add control implementation description here for statement ra-3.1_smt.a +Add control implementation description here for item ra-3.1_smt.a ______________________________________________________________________ -### Part (b) +## Implementation (b) -Add control implementation description here for statement ra-3.1_smt.b +Add control implementation description here for item ra-3.1_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ra/ra-3.md b/ssp_author_demo/test_system/ra/ra-3.md index 093b2f6..8152b69 100644 --- a/ssp_author_demo/test_system/ra/ra-3.md +++ b/ssp_author_demo/test_system/ra/ra-3.md @@ -1,6 +1,12 @@ -# ra-3 - Risk Assessment Risk Assessment +--- +sort-id: ra-03 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ra-3 - \[Risk Assessment\] Risk Assessment + +## Control Statement - \[a.\] Conduct a risk assessment, including: 
@@ -10,52 +16,62 @@ - \[b.\] Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; -- \[c.\] Document risk assessment results in \[ra-3_prm_1 = \['security and privacy plans', 'risk assessment report', ' \[ra-3_prm_2 = organization-defined document\] '\]\]; +- \[c.\] Document risk assessment results in security and privacy plans; risk assessment report; {{ insert: param, ra-3_prm_2 }} ; + +- \[d.\] Review risk assessment results organization-defined frequency; + +- \[e.\] Disseminate risk assessment results to organization-defined personnel or roles; and -- \[d.\] Review risk assessment results \[ra-3_prm_3 = organization-defined frequency\]; +- \[f.\] Update the risk assessment organization-defined frequency or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. -- \[e.\] Disseminate risk assessment results to \[ra-3_prm_4 = organization-defined personnel or roles\]; and +## Control Control Guidance -- \[f.\] Update the risk assessment \[ra-3_prm_5 = organization-defined frequency\] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. +Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities. 
+ +Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle. + +Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination. ______________________________________________________________________ -## ra-3 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ra-3_smt.a +Add control implementation description here for item ra-3_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ra-3_smt.b +Add control implementation description here for item ra-3_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ra-3_smt.c +Add control implementation description here for item ra-3_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. 
-Add control implementation description here for statement ra-3_smt.d +Add control implementation description here for item ra-3_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement ra-3_smt.e +Add control implementation description here for item ra-3_smt.e ______________________________________________________________________ -### Part f. +## Implementation f. -Add control implementation description here for statement ra-3_smt.f +Add control implementation description here for item ra-3_smt.f ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ra/ra-5.11.md b/ssp_author_demo/test_system/ra/ra-5.11.md index 5f2897f..8cf3f52 100644 --- a/ssp_author_demo/test_system/ra/ra-5.11.md +++ b/ssp_author_demo/test_system/ra/ra-5.11.md 
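Review bot: item c. in this hunk still contains an unresolved template, "- \[c.\] Document risk assessment results in security and privacy plans; risk assessment report; {{ insert: param, ra-3_prm_2 }} ;", while every other parameter in the file was substituted with its label. The cause is visible in the removed line: ra-3_prm_2 is nested inside the selection for ra-3_prm_1, and the substitution pass only resolved the outer parameter. This should be fixed in the generator (recursive substitution) rather than hand-edited here, since these files are regenerated; the stray space before the final semicolon comes from the same nesting.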
@@ -1,11 +1,23 @@ -# ra-5.11 - Risk Assessment Public Disclosure Program +--- +sort-id: ra-05.11 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ra-5.11 - \[Risk Assessment\] Public Disclosure Program -- Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. +## Control Statement + +Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. + +## Control Control Guidance + +The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability. ______________________________________________________________________ -## ra-5.11 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ra-5.11 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ra/ra-5.2.md b/ssp_author_demo/test_system/ra/ra-5.2.md index 19e2e46..5e70db2 100644 --- a/ssp_author_demo/test_system/ra/ra-5.2.md +++ b/ssp_author_demo/test_system/ra/ra-5.2.md 
@@ -1,11 +1,23 @@ -# ra-5.2 - Risk Assessment Update Vulnerabilities to Be Scanned +--- +sort-id: ra-05.02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ra-5.2 - \[Risk Assessment\] Update Vulnerabilities to Be Scanned -- Update the system vulnerabilities to be scanned \[ra-5.2_prm_1 = one-or-more \[' \[ra-5.2_prm_2 = organization-defined frequency\] ', 'prior to a new scan', 'when new vulnerabilities are identified and reported'\]\]. +## Control Statement + +Update the system vulnerabilities to be scanned organization-defined frequency ; prior to a new scan; when new vulnerabilities are identified and reported. + +## Control Control Guidance + +Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner. ______________________________________________________________________ -## ra-5.2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ra-5.2 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ra/ra-5.md b/ssp_author_demo/test_system/ra/ra-5.md index 24c460d..3d41851 100644 --- a/ssp_author_demo/test_system/ra/ra-5.md +++ b/ssp_author_demo/test_system/ra/ra-5.md 
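Review bot: the statement in this hunk, "Update the system vulnerabilities to be scanned organization-defined frequency ; prior to a new scan; when new vulnerabilities are identified and reported.", shows the same nested-parameter problem as ra-3 c.: ra-5.2_prm_2 sits inside the ra-5.2_prm_1 selection, and the result is a dangling " ;" plus a selection flattened into what reads as three mandatory triggers rather than a one-or-more choice. Worth covering with a test case for nested parameters in the substitution code so it does not regress.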
@@ -1,8 +1,14 @@ -# ra-5 - Risk Assessment Vulnerability Monitoring and Scanning +--- +sort-id: ra-05 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ra-5 - \[Risk Assessment\] Vulnerability Monitoring and Scanning -- \[a.\] Monitor and scan for vulnerabilities in the system and hosted applications \[ra-5_prm_1 = organization-defined frequency and/or randomly in accordance with organization-defined process\] and when new vulnerabilities potentially affecting the system are identified and reported; +## Control Statement + +- \[a.\] Monitor and scan for vulnerabilities in the system and hosted applications organization-defined frequency and/or randomly in accordance with organization-defined process and when new vulnerabilities potentially affecting the system are identified and reported; - \[b.\] Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 
@@ -12,50 +18,62 @@ - \[c.\] Analyze vulnerability scan reports and results from vulnerability monitoring; -- \[d.\] Remediate legitimate vulnerabilities \[ra-5_prm_2 = organization-defined response times\] in accordance with an organizational assessment of risk; +- \[d.\] Remediate legitimate vulnerabilities organization-defined response times in accordance with an organizational assessment of risk; -- \[e.\] Share information obtained from the vulnerability monitoring process and control assessments with \[ra-5_prm_3 = organization-defined personnel or roles\] to help eliminate similar vulnerabilities in other systems; and +- \[e.\] Share information obtained from the vulnerability monitoring process and control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other systems; and - \[f.\] Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. +## Control Control Guidance + +Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. 
Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers. + +Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). + +Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. 
Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation. + +Organizations may also employ the use of financial incentives (also known as "bug bounties") to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points. + ______________________________________________________________________ -## ra-5 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement ra-5_smt.a +Add control implementation description here for item ra-5_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ra-5_smt.b +Add control implementation description here for item ra-5_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. 
-Add control implementation description here for statement ra-5_smt.c +Add control implementation description here for item ra-5_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement ra-5_smt.d +Add control implementation description here for item ra-5_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement ra-5_smt.e +Add control implementation description here for item ra-5_smt.e ______________________________________________________________________ -### Part f. +## Implementation f. -Add control implementation description here for statement ra-5_smt.f +Add control implementation description here for item ra-5_smt.f ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ra/ra-7.md b/ssp_author_demo/test_system/ra/ra-7.md index 73b0a8f..1475489 100644 --- a/ssp_author_demo/test_system/ra/ra-7.md +++ b/ssp_author_demo/test_system/ra/ra-7.md 
@@ -1,11 +1,23 @@ -# ra-7 - Risk Assessment Risk Response +--- +sort-id: ra-07 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# ra-7 - \[Risk Assessment\] Risk Response -- Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. +## Control Statement + +Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. + +## Control Control Guidance + +Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated. ______________________________________________________________________ -## ra-7 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control ra-7 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sa/sa-1.md b/ssp_author_demo/test_system/sa/sa-1.md index dc9e826..8b330eb 100644 --- a/ssp_author_demo/test_system/sa/sa-1.md +++ b/ssp_author_demo/test_system/sa/sa-1.md 
@@ -1,43 +1,55 @@ -# sa-1 - System and Services Acquisition Policy and Procedures +--- +sort-id: sa-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sa-1 - \[System and Services Acquisition\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[sa-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[sa-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] system and services acquisition policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level system and services acquisition policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; -- \[b.\] Designate an \[sa-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and - \[c.\] Review and update the current system and services acquisition: - - \[1.\] Policy \[sa-1_prm_4 = organization-defined frequency\] and following \[sa-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[sa-1_prm_6 = organization-defined frequency\] and following \[sa-1_prm_7 = organization-defined events\]. 
+ - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. + +## Control Control Guidance + +System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## sa-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sa-1_smt.a +Add control implementation description here for item sa-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sa-1_smt.b +Add control implementation description here for item sa-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement sa-1_smt.c +Add control implementation description here for item sa-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sa/sa-2.md b/ssp_author_demo/test_system/sa/sa-2.md index 84dd19c..0d17881 100644 --- a/ssp_author_demo/test_system/sa/sa-2.md +++ b/ssp_author_demo/test_system/sa/sa-2.md 
@@ -1,31 +1,45 @@ -# sa-2 - System and Services Acquisition Allocation of Resources +--- +sort-id: sa-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sa-2 - \[System and Services Acquisition\] Allocation of Resources + +## Control Statement - \[a.\] Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; + - \[b.\] Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and + - \[c.\] Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation. +## Control Control Guidance + +Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle. + ______________________________________________________________________ -## sa-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sa-2_smt.a +Add control implementation description here for item sa-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sa-2_smt.b +Add control implementation description here for item sa-2_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement sa-2_smt.c +Add control implementation description here for item sa-2_smt.c ______________________________________________________________________ 
diff --git a/ssp_author_demo/test_system/sa/sa-22.md b/ssp_author_demo/test_system/sa/sa-22.md index 6f13bd6..60f4abe 100644 --- a/ssp_author_demo/test_system/sa/sa-22.md +++ b/ssp_author_demo/test_system/sa/sa-22.md 
@@ -1,24 +1,39 @@ -# sa-22 - System and Services Acquisition Unsupported System Components +--- +sort-id: sa-22 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sa-22 - \[System and Services Acquisition\] Unsupported System Components + +## Control Statement - \[a.\] Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or -- \[b.\] Provide the following options for alternative sources for continued support for unsupported components \[sa-22_prm_1 = one-or-more \['in-house support', ' \[sa-22_prm_2 = organization-defined support from external providers\] '\]\]. + +- \[b.\] Provide the following options for alternative sources for continued support for unsupported components in-house support; {{ insert: param, sa-22_prm_2 }} . + +## Control Control Guidance + +Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. + +Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. 
If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation. ______________________________________________________________________ -## sa-22 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sa-22_smt.a +Add control implementation description here for item sa-22_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sa-22_smt.b +Add control implementation description here for item sa-22_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sa/sa-3.md b/ssp_author_demo/test_system/sa/sa-3.md index 7cdca97..234e5b7 100644 --- a/ssp_author_demo/test_system/sa/sa-3.md +++ b/ssp_author_demo/test_system/sa/sa-3.md 
@@ -1,38 +1,55 @@ -# sa-3 - System and Services Acquisition System Development Life Cycle +--- +sort-id: sa-03 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sa-3 - \[System and Services Acquisition\] System Development Life Cycle + +## Control Statement + +- \[a.\] Acquire, develop, and manage the system using organization-defined system development life cycle that incorporates information security and privacy considerations; -- \[a.\] Acquire, develop, and manage the system using \[sa-3_prm_1 = organization-defined system development life cycle\] that incorporates information security and privacy considerations; - \[b.\] Define and document information security and privacy roles and responsibilities throughout the system development life cycle; + - \[c.\] Identify individuals having information security and privacy roles and responsibilities; and + - \[d.\] Integrate the organizational information security and privacy risk management process into system development life cycle activities. +## Control Control Guidance + +A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. 
Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities. + +The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle. + ______________________________________________________________________ -## sa-3 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sa-3_smt.a +Add control implementation description here for item sa-3_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. 
-Add control implementation description here for statement sa-3_smt.b +Add control implementation description here for item sa-3_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement sa-3_smt.c +Add control implementation description here for item sa-3_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement sa-3_smt.d +Add control implementation description here for item sa-3_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sa/sa-4.10.md b/ssp_author_demo/test_system/sa/sa-4.10.md index 0574640..bd45009 100644 --- a/ssp_author_demo/test_system/sa/sa-4.10.md +++ b/ssp_author_demo/test_system/sa/sa-4.10.md 
@@ -1,11 +1,23 @@ -# sa-4.10 - System and Services Acquisition Use of Approved PIV Products +--- +sort-id: sa-04.10 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sa-4.10 - \[System and Services Acquisition\] Use of Approved PIV Products -- Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. +## Control Statement + +Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. + +## Control Control Guidance + +Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations. ______________________________________________________________________ -## sa-4.10 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control sa-4.10 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sa/sa-4.md b/ssp_author_demo/test_system/sa/sa-4.md index 009a61d..d4bdd7e 100644 --- a/ssp_author_demo/test_system/sa/sa-4.md +++ b/ssp_author_demo/test_system/sa/sa-4.md 
@@ -1,75 +1,99 @@ -# sa-4 - System and Services Acquisition Acquisition Process +--- +sort-id: sa-04 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sa-4 - \[System and Services Acquisition\] Acquisition Process -- Include the following requirements, descriptions, and criteria, explicitly or by reference, using \[sa-4_prm_1 = one-or-more \['standardized contract language', ' \[sa-4_prm_2 = organization-defined contract language\] '\]\] in the acquisition contract for the system, system component, or system service: +## Control Statement - - \[a.\] Security and privacy functional requirements; - - \[b.\] Strength of mechanism requirements; - - \[c.\] Security and privacy assurance requirements; - - \[d.\] Controls needed to satisfy the security and privacy requirements. - - \[e.\] Security and privacy documentation requirements; - - \[f.\] Requirements for protecting security and privacy documentation; - - \[g.\] Description of the system development environment and environment in which the system is intended to operate; - - \[h.\] Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and - - \[i.\] Acceptance criteria. +Include the following requirements, descriptions, and criteria, explicitly or by reference, using standardized contract language; {{ insert: param, sa-4_prm_2 }} in the acquisition contract for the system, system component, or system service: + +- \[a.\] Security and privacy functional requirements; + +- \[b.\] Strength of mechanism requirements; + +- \[c.\] Security and privacy assurance requirements; + +- \[d.\] Controls needed to satisfy the security and privacy requirements. 
+ +- \[e.\] Security and privacy documentation requirements; + +- \[f.\] Requirements for protecting security and privacy documentation; + +- \[g.\] Description of the system development environment and environment in which the system is intended to operate; + +- \[h.\] Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and + +- \[i.\] Acceptance criteria. + +## Control Control Guidance + +Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2). The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle. + +Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. 
In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle. + +Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement. ______________________________________________________________________ -## sa-4 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sa-4_smt.a +Add control implementation description here for item sa-4_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sa-4_smt.b +Add control implementation description here for item sa-4_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. 
-Add control implementation description here for statement sa-4_smt.c +Add control implementation description here for item sa-4_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement sa-4_smt.d +Add control implementation description here for item sa-4_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement sa-4_smt.e +Add control implementation description here for item sa-4_smt.e ______________________________________________________________________ -### Part f. +## Implementation f. -Add control implementation description here for statement sa-4_smt.f +Add control implementation description here for item sa-4_smt.f ______________________________________________________________________ -### Part g. +## Implementation g. -Add control implementation description here for statement sa-4_smt.g +Add control implementation description here for item sa-4_smt.g ______________________________________________________________________ -### Part h. +## Implementation h. -Add control implementation description here for statement sa-4_smt.h +Add control implementation description here for item sa-4_smt.h ______________________________________________________________________ -### Part i. +## Implementation i. -Add control implementation description here for statement sa-4_smt.i +Add control implementation description here for item sa-4_smt.i ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sa/sa-5.md b/ssp_author_demo/test_system/sa/sa-5.md index 73406e2..885d54d 100644 --- a/ssp_author_demo/test_system/sa/sa-5.md +++ b/ssp_author_demo/test_system/sa/sa-5.md 
@@ -1,6 +1,12 @@ -# sa-5 - System and Services Acquisition System Documentation +--- +sort-id: sa-05 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sa-5 - \[System and Services Acquisition\] System Documentation + +## Control Statement - \[a.\] Obtain or develop administrator documentation for the system, system component, or system service that describes: 
@@ -14,36 +20,42 @@ - \[2.\] Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and - \[3.\] User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; -- \[c.\] Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take \[sa-5_prm_1 = organization-defined actions\] in response; and +- \[c.\] Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take organization-defined actions in response; and + +- \[d.\] Distribute documentation to organization-defined personnel or roles. -- \[d.\] Distribute documentation to \[sa-5_prm_2 = organization-defined personnel or roles\]. +## Control Control Guidance + +System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. 
Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation. ______________________________________________________________________ -## sa-5 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sa-5_smt.a +Add control implementation description here for item sa-5_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sa-5_smt.b +Add control implementation description here for item sa-5_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement sa-5_smt.c +Add control implementation description here for item sa-5_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement sa-5_smt.d +Add control implementation description here for item sa-5_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sa/sa-8.md b/ssp_author_demo/test_system/sa/sa-8.md index befccf8..de094ff 100644 --- a/ssp_author_demo/test_system/sa/sa-8.md +++ b/ssp_author_demo/test_system/sa/sa-8.md 
@@ -1,11 +1,27 @@ -# sa-8 - System and Services Acquisition Security and Privacy Engineering Principles +--- +sort-id: sa-08 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sa-8 - \[System and Services Acquisition\] Security and Privacy Engineering Principles -- Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: \[sa-8_prm_1 = organization-defined systems security and privacy engineering principles\]. +## Control Statement + +Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: organization-defined systems security and privacy engineering principles. + +## Control Control Guidance + +Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3)). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. + +The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. 
Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. + +Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design. ______________________________________________________________________ -## sa-8 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control sa-8 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sa/sa-9.md b/ssp_author_demo/test_system/sa/sa-9.md index 2bd8e27..5368052 100644 --- a/ssp_author_demo/test_system/sa/sa-9.md +++ b/ssp_author_demo/test_system/sa/sa-9.md 
@@ -1,31 +1,45 @@ -# sa-9 - System and Services Acquisition External System Services +--- +sort-id: sa-09 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sa-9 - \[System and Services Acquisition\] External System Services + +## Control Statement + +- \[a.\] Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: organization-defined controls; -- \[a.\] Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: \[sa-9_prm_1 = organization-defined controls\]; - \[b.\] Define and document organizational oversight and user roles and responsibilities with regard to external system services; and -- \[c.\] Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: \[sa-9_prm_2 = organization-defined processes, methods, and techniques\]. + +- \[c.\] Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: organization-defined processes, methods, and techniques. + +## Control Control Guidance + +External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. 
For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. ______________________________________________________________________ -## sa-9 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sa-9_smt.a +Add control implementation description here for item sa-9_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sa-9_smt.b +Add control implementation description here for item sa-9_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement sa-9_smt.c +Add control implementation description here for item sa-9_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sc/sc-1.md b/ssp_author_demo/test_system/sc/sc-1.md index 42adf7a..f08cf2a 100644 --- a/ssp_author_demo/test_system/sc/sc-1.md 
+++ b/ssp_author_demo/test_system/sc/sc-1.md 
@@ -1,43 +1,55 @@ -# sc-1 - System and Communications Protection Policy and Procedures +--- +sort-id: sc-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sc-1 - \[System and Communications Protection\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[sc-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[sc-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] system and communications protection policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level system and communications protection policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls; -- \[b.\] Designate an \[sc-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and - \[c.\] Review and update the current system and communications protection: - - \[1.\] Policy \[sc-1_prm_4 = organization-defined frequency\] and following \[sc-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[sc-1_prm_6 = organization-defined frequency\] and following \[sc-1_prm_7 = organization-defined events\]. 
+ - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. + +## Control Control Guidance + +System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## sc-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sc-1_smt.a +Add control implementation description here for item sc-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sc-1_smt.b +Add control implementation description here for item sc-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement sc-1_smt.c +Add control implementation description here for item sc-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sc/sc-12.md b/ssp_author_demo/test_system/sc/sc-12.md index 009f4b0..80fc70b 100644 --- a/ssp_author_demo/test_system/sc/sc-12.md +++ b/ssp_author_demo/test_system/sc/sc-12.md 
@@ -1,11 +1,23 @@ -# sc-12 - System and Communications Protection Cryptographic Key Establishment and Management +--- +sort-id: sc-12 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sc-12 - \[System and Communications Protection\] Cryptographic Key Establishment and Management -- Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: \[sc-12_prm_1 = organization-defined requirements for key generation, distribution, storage, access, and destruction\]. +## Control Statement + +Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: organization-defined requirements for key generation, distribution, storage, access, and destruction. + +## Control Control Guidance + +Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment. ______________________________________________________________________ -## sc-12 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ +Add control implementation description here for control sc-12 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sc/sc-13.md b/ssp_author_demo/test_system/sc/sc-13.md index 0ff0448..2a6373d 100644 --- a/ssp_author_demo/test_system/sc/sc-13.md +++ b/ssp_author_demo/test_system/sc/sc-13.md 
@@ -1,24 +1,37 @@ -# sc-13 - System and Communications Protection Cryptographic Protection +--- +sort-id: sc-13 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sc-13 - \[System and Communications Protection\] Cryptographic Protection -- \[a.\] Determine the \[sc-13_prm_1 = organization-defined cryptographic uses\]; and -- \[b.\] Implement the following types of cryptography required for each specified cryptographic use: \[sc-13_prm_2 = organization-defined types of cryptography for each specified cryptographic use\]. +## Control Statement + +- \[a.\] Determine the organization-defined cryptographic uses; and + +- \[b.\] Implement the following types of cryptography required for each specified cryptographic use: organization-defined types of cryptography for each specified cryptographic use. + +## Control Control Guidance + +Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. ______________________________________________________________________ -## sc-13 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sc-13_smt.a +Add control implementation description here for item sc-13_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sc-13_smt.b +Add control implementation description here for item sc-13_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sc/sc-15.md b/ssp_author_demo/test_system/sc/sc-15.md index 32f79fc..408ed44 100644 --- a/ssp_author_demo/test_system/sc/sc-15.md +++ b/ssp_author_demo/test_system/sc/sc-15.md 
@@ -1,24 +1,37 @@ -# sc-15 - System and Communications Protection Collaborative Computing Devices and Applications +--- +sort-id: sc-15 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sc-15 - \[System and Communications Protection\] Collaborative Computing Devices and Applications + +## Control Statement + +- \[a.\] Prohibit remote activation of collaborative computing devices and applications with the following exceptions: organization-defined exceptions where remote activation is to be allowed; and -- \[a.\] Prohibit remote activation of collaborative computing devices and applications with the following exceptions: \[sc-15_prm_1 = organization-defined exceptions where remote activation is to be allowed\]; and - \[b.\] Provide an explicit indication of use to users physically present at the devices. +## Control Control Guidance + +Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated. + ______________________________________________________________________ -## sc-15 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sc-15_smt.a +Add control implementation description here for item sc-15_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sc-15_smt.b +Add control implementation description here for item sc-15_smt.b ______________________________________________________________________ 
diff --git a/ssp_author_demo/test_system/sc/sc-20.md b/ssp_author_demo/test_system/sc/sc-20.md index 567fbc7..a96c092 100644 --- a/ssp_author_demo/test_system/sc/sc-20.md +++ b/ssp_author_demo/test_system/sc/sc-20.md 
@@ -1,24 +1,37 @@ -# sc-20 - System and Communications Protection Secure Name/address Resolution Service (authoritative Source) +--- +sort-id: sc-20 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sc-20 - \[System and Communications Protection\] Secure Name/address Resolution Service (authoritative Source) + +## Control Statement - \[a.\] Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and + - \[b.\] Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. +## Control Control Guidance + +Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data. + ______________________________________________________________________ -## sc-20 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sc-20_smt.a +Add control implementation description here for item sc-20_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sc-20_smt.b +Add control implementation description here for item sc-20_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sc/sc-21.md b/ssp_author_demo/test_system/sc/sc-21.md index e97362d..676e601 100644 --- a/ssp_author_demo/test_system/sc/sc-21.md +++ b/ssp_author_demo/test_system/sc/sc-21.md 
@@ -1,11 +1,23 @@ -# sc-21 - System and Communications Protection Secure Name/address Resolution Service (recursive or Caching Resolver) +--- +sort-id: sc-21 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sc-21 - \[System and Communications Protection\] Secure Name/address Resolution Service (recursive or Caching Resolver) -- Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. +## Control Statement + +Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. + +## Control Control Guidance + +Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data. ______________________________________________________________________ -## sc-21 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control sc-21 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sc/sc-22.md b/ssp_author_demo/test_system/sc/sc-22.md index 4a5d407..ded6a6a 100644 --- a/ssp_author_demo/test_system/sc/sc-22.md +++ b/ssp_author_demo/test_system/sc/sc-22.md 
@@ -1,11 +1,23 @@ -# sc-22 - System and Communications Protection Architecture and Provisioning for Name/address Resolution Service +--- +sort-id: sc-22 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sc-22 - \[System and Communications Protection\] Architecture and Provisioning for Name/address Resolution Service -- Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation. +## Control Statement + +Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation. + +## Control Control Guidance + +Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists). ______________________________________________________________________ -## sc-22 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ +Add control implementation description here for control sc-22 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sc/sc-39.md b/ssp_author_demo/test_system/sc/sc-39.md index 1ae9c50..0c3d644 100644 --- a/ssp_author_demo/test_system/sc/sc-39.md +++ b/ssp_author_demo/test_system/sc/sc-39.md 
@@ -1,11 +1,23 @@ -# sc-39 - System and Communications Protection Process Isolation +--- +sort-id: sc-39 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sc-39 - \[System and Communications Protection\] Process Isolation -- Maintain a separate execution domain for each executing system process. +## Control Statement + +Maintain a separate execution domain for each executing system process. + +## Control Control Guidance + +Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies. ______________________________________________________________________ -## sc-39 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control sc-39 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sc/sc-5.md b/ssp_author_demo/test_system/sc/sc-5.md index b1a5df4..a522147 100644 --- a/ssp_author_demo/test_system/sc/sc-5.md +++ b/ssp_author_demo/test_system/sc/sc-5.md 
@@ -1,24 +1,37 @@ -# sc-5 - System and Communications Protection Denial-of-service Protection +--- +sort-id: sc-05 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sc-5 - \[System and Communications Protection\] Denial-of-service Protection -- \[a.\] \[sc-5_prm_1 = \['Protect against', 'Limit'\]\] the effects of the following types of denial-of-service events: \[sc-5_prm_2 = organization-defined types of denial-of-service events\]; and -- \[b.\] Employ the following controls to achieve the denial-of-service objective: \[sc-5_prm_3 = organization-defined controls by type of denial-of-service event\]. +## Control Statement + +- \[a.\] Protect against; Limit the effects of the following types of denial-of-service events: organization-defined types of denial-of-service events; and + +- \[b.\] Employ the following controls to achieve the denial-of-service objective: organization-defined controls by type of denial-of-service event. + +## Control Control Guidance + +Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events. ______________________________________________________________________ -## sc-5 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sc-5_smt.a +Add control implementation description here for item sc-5_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sc-5_smt.b +Add control implementation description here for item sc-5_smt.b ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sc/sc-7.md b/ssp_author_demo/test_system/sc/sc-7.md index 84d43df..30d4eac 100644 --- a/ssp_author_demo/test_system/sc/sc-7.md +++ b/ssp_author_demo/test_system/sc/sc-7.md 
@@ -1,31 +1,45 @@ -# sc-7 - System and Communications Protection Boundary Protection +--- +sort-id: sc-07 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sc-7 - \[System and Communications Protection\] Boundary Protection + +## Control Statement - \[a.\] Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; -- \[b.\] Implement subnetworks for publicly accessible system components that are \[sc-7_prm_1 = \['physically', 'logically'\]\] separated from internal organizational networks; and + +- \[b.\] Implement subnetworks for publicly accessible system components that are physically; logically separated from internal organizational networks; and + - \[c.\] Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. +## Control Control Guidance + +Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. 
These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary). + ______________________________________________________________________ -## sc-7 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sc-7_smt.a +Add control implementation description here for item sc-7_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sc-7_smt.b +Add control implementation description here for item sc-7_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement sc-7_smt.c +Add control implementation description here for item sc-7_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/si/si-1.md b/ssp_author_demo/test_system/si/si-1.md index 919354b..48517ec 100644 --- a/ssp_author_demo/test_system/si/si-1.md +++ b/ssp_author_demo/test_system/si/si-1.md 
@@ -1,43 +1,55 @@ -# si-1 - System and Information Integrity Policy and Procedures +--- +sort-id: si-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# si-1 - \[System and Information Integrity\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[si-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[si-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] system and information integrity policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level system and information integrity policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; -- \[b.\] Designate an \[si-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and - \[c.\] Review and update the current system and information integrity: - - \[1.\] Policy \[si-1_prm_4 = organization-defined frequency\] and following \[si-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[si-1_prm_6 = organization-defined frequency\] and following \[si-1_prm_7 = organization-defined events\]. 
+ - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. + +## Control Control Guidance + +System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## si-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement si-1_smt.a +Add control implementation description here for item si-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement si-1_smt.b +Add control implementation description here for item si-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement si-1_smt.c +Add control implementation description here for item si-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/si/si-12.md b/ssp_author_demo/test_system/si/si-12.md index f6973f6..84dc655 100644 --- a/ssp_author_demo/test_system/si/si-12.md +++ b/ssp_author_demo/test_system/si/si-12.md 
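Review bot: the parameter identifiers are dropped from the rendered statement in this hunk, so `Policy organization-defined frequency and following organization-defined events` now reads as ordinary prose with nothing marking where the seven si-1 parameters sit. The removed lines at least carried `\[si-1_prm_4 = organization-defined frequency\]`, which told the author which parameter to set and where. Consider keeping some delimiter around unresolved parameter labels (brackets or emphasis) so the author can distinguish placeholder text from the control statement and map it back to the profile's set-parameters.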
@@ -1,11 +1,23 @@ -# si-12 - System and Information Integrity Information Management and Retention +--- +sort-id: si-12 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# si-12 - \[System and Information Integrity\] Information Management and Retention -- Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. +## Control Statement + +Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. + +## Control Control Guidance + +Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. 
Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8). ______________________________________________________________________ -## si-12 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control si-12 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/si/si-2.md b/ssp_author_demo/test_system/si/si-2.md index c195bbf..1a2f06c 100644 --- a/ssp_author_demo/test_system/si/si-2.md +++ b/ssp_author_demo/test_system/si/si-2.md 
@@ -1,38 +1,55 @@ -# si-2 - System and Information Integrity Flaw Remediation +--- +sort-id: si-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# si-2 - \[System and Information Integrity\] Flaw Remediation + +## Control Statement - \[a.\] Identify, report, and correct system flaws; + - \[b.\] Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; -- \[c.\] Install security-relevant software and firmware updates within \[si-2_prm_1 = organization-defined time period\] of the release of the updates; and + +- \[c.\] Install security-relevant software and firmware updates within organization-defined time period of the release of the updates; and + - \[d.\] Incorporate flaw remediation into the organizational configuration management process. +## Control Control Guidance + +The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. + +Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. 
Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. + ______________________________________________________________________ -## si-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement si-2_smt.a +Add control implementation description here for item si-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement si-2_smt.b +Add control implementation description here for item si-2_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement si-2_smt.c +Add control implementation description here for item si-2_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement si-2_smt.d +Add control implementation description here for item si-2_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/si/si-3.md b/ssp_author_demo/test_system/si/si-3.md index 15cff46..54367dc 100644 
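Review bot: statement-list spacing is inconsistent across the files in this patch. In this hunk every top-level item of si-2 is now separated by a blank `+` line (after a., before and after the rewritten c.), and sc-7 and si-5 get the same treatment, while si-1, si-3 and sr-1 keep their items tight. In Markdown a blank line between any two items makes the whole list loose, so the rendering differs from file to file for no reason tied to the content. Either separate the top-level items everywhere or nowhere, and have the writer apply one rule regardless of whether an item contained a parameter.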
--- a/ssp_author_demo/test_system/si/si-3.md +++ b/ssp_author_demo/test_system/si/si-3.md 
@@ -1,44 +1,60 @@ -# si-3 - System and Information Integrity Malicious Code Protection +--- +sort-id: si-03 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# si-3 - \[System and Information Integrity\] Malicious Code Protection -- \[a.\] Implement \[si-3_prm_1 = one-or-more \['signature based', 'non-signature based'\]\] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; +## Control Statement + +- \[a.\] Implement signature based; non-signature based malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; - \[b.\] Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; - \[c.\] Configure malicious code protection mechanisms to: - - \[1.\] Perform periodic scans of the system \[si-3_prm_2 = organization-defined frequency\] and real-time scans of files from external sources at \[si-3_prm_3 = one-or-more \['endpoint', 'network entry and exit points'\]\] as the files are downloaded, opened, or executed in accordance with organizational policy; and - - \[2.\] \[si-3_prm_4 = one-or-more \['block malicious code', 'quarantine malicious code', 'take \[si-3_prm_5 = organization-defined action\] '\]\]; and send alert to \[si-3_prm_6 = organization-defined personnel or roles\] in response to malicious code detection; and + - \[1.\] Perform periodic scans of the system organization-defined frequency and real-time scans of files from external sources at endpoint; network entry and exit points as the files are downloaded, opened, or executed in accordance with organizational policy; and + - \[2.\] block malicious code; quarantine malicious code; take {{ insert: param, si-3_prm_5 }} ; and send alert to organization-defined personnel or roles in response to malicious code detection; and - \[d.\] Address the receipt of false 
positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. +## Control Control Guidance + +System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. + +Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. 
Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions. + +In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files. + ______________________________________________________________________ -## si-3 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement si-3_smt.a +Add control implementation description here for item si-3_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement si-3_smt.b +Add control implementation description here for item si-3_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement si-3_smt.c +Add control implementation description here for item si-3_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. 
-Add control implementation description here for statement si-3_smt.d +Add control implementation description here for item si-3_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/si/si-4.md b/ssp_author_demo/test_system/si/si-4.md index 502834e..5a49098 100644 --- a/ssp_author_demo/test_system/si/si-4.md +++ b/ssp_author_demo/test_system/si/si-4.md @@ -1,13 +1,19 @@ -# si-4 - System and Information Integrity System Monitoring +--- +sort-id: si-04 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# si-4 - \[System and Information Integrity\] System Monitoring + +## Control Statement - \[a.\] Monitor the system to detect: - - \[1.\] Attacks and indicators of potential attacks in accordance with the following monitoring objectives: \[si-4_prm_1 = organization-defined monitoring objectives\]; and + - \[1.\] Attacks and indicators of potential attacks in accordance with the following monitoring objectives: organization-defined monitoring objectives; and - \[2.\] Unauthorized local, network, and remote connections; -- \[b.\] Identify unauthorized use of the system through the following techniques and methods: \[si-4_prm_2 = organization-defined techniques and methods\]; +- \[b.\] Identify unauthorized use of the system through the following techniques and methods: organization-defined techniques and methods; - \[c.\] Invoke internal monitoring capabilities or deploy monitoring devices: 
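Review bot: statement c.2 in the si-3 hunk above still contains a raw template tag, `take {{ insert: param, si-3_prm_5 }} ;`, so the nested parameter inside the selection was never substituted and the author is left with a moustache placeholder and a stray space before the semicolon. The outer selection `si-3_prm_4` was flattened to `block malicious code; quarantine malicious code; take ...`, which also loses the one-or-more choice shown in the removed line. Nested parameters inside selection choices need to be resolved (or at least rendered with the same organization-defined label text as the top-level ones) before this lands; the same unresolved tag recurs in si-4 g., si-5 c. and sr-10.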
@@ -20,52 +26,60 @@ - \[f.\] Obtain legal opinion regarding system monitoring activities; and -- \[g.\] Provide \[si-4_prm_3 = organization-defined system monitoring information\] to \[si-4_prm_4 = organization-defined personnel or roles\] \[si-4_prm_5 = one-or-more \['as needed', ' \[si-4_prm_6 = organization-defined frequency\] '\]\]. +- \[g.\] Provide organization-defined system monitoring information to organization-defined personnel or roles as needed; {{ insert: param, si-4_prm_6 }} . + +## Control Control Guidance + +System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. + +Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17). 
The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b)). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. ______________________________________________________________________ -## si-4 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement si-4_smt.a +Add control implementation description here for item si-4_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. 
-Add control implementation description here for statement si-4_smt.b +Add control implementation description here for item si-4_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement si-4_smt.c +Add control implementation description here for item si-4_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement si-4_smt.d +Add control implementation description here for item si-4_smt.d ______________________________________________________________________ -### Part e. +## Implementation e. -Add control implementation description here for statement si-4_smt.e +Add control implementation description here for item si-4_smt.e ______________________________________________________________________ -### Part f. +## Implementation f. -Add control implementation description here for statement si-4_smt.f +Add control implementation description here for item si-4_smt.f ______________________________________________________________________ -### Part g. +## Implementation g. -Add control implementation description here for statement si-4_smt.g +Add control implementation description here for item si-4_smt.g ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/si/si-5.md b/ssp_author_demo/test_system/si/si-5.md index 38519f5..5953e42 100644 --- a/ssp_author_demo/test_system/si/si-5.md +++ b/ssp_author_demo/test_system/si/si-5.md 
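Review bot: item g. in this hunk renders as `as needed; {{ insert: param, si-4_prm_6 }} .`, with an unresolved insert tag and a space before the final period. The removed line shows the intended structure, a one-or-more selection between `as needed` and an organization-defined frequency; rendering it as two semicolon-separated fragments reads as if both always apply. Also worth a look: the two empty `+` lines after `## What is the solution and how is it implemented?` leave multi-part controls with two blank lines there, while the single-part controls in this patch (si-12, sr-10, sr-11.1) get a placeholder sentence instead; pick one convention for that section.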
@@ -1,38 +1,53 @@ -# si-5 - System and Information Integrity Security Alerts, Advisories, and Directives +--- +sort-id: si-05 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# si-5 - \[System and Information Integrity\] Security Alerts, Advisories, and Directives + +## Control Statement + +- \[a.\] Receive system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis; -- \[a.\] Receive system security alerts, advisories, and directives from \[si-5_prm_1 = organization-defined external organizations\] on an ongoing basis; - \[b.\] Generate internal security alerts, advisories, and directives as deemed necessary; -- \[c.\] Disseminate security alerts, advisories, and directives to: \[si-5_prm_2 = one-or-more \[' \[si-5_prm_3 = organization-defined personnel or roles\] ', ' \[si-5_prm_4 = organization-defined elements within the organization\] ', ' \[si-5_prm_5 = organization-defined external organizations\] '\]\]; and + +- \[c.\] Disseminate security alerts, advisories, and directives to: {{ insert: param, si-5_prm_3 }} ; {{ insert: param, si-5_prm_4 }} ; {{ insert: param, si-5_prm_5 }} ; and + - \[d.\] Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. +## Control Control Guidance + +The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. 
External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations. + ______________________________________________________________________ -## si-5 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement si-5_smt.a +Add control implementation description here for item si-5_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement si-5_smt.b +Add control implementation description here for item si-5_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement si-5_smt.c +Add control implementation description here for item si-5_smt.c ______________________________________________________________________ -### Part d. +## Implementation d. -Add control implementation description here for statement si-5_smt.d +Add control implementation description here for item si-5_smt.d ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sr/sr-1.md b/ssp_author_demo/test_system/sr/sr-1.md index e36e442..f492109 100644 --- a/ssp_author_demo/test_system/sr/sr-1.md +++ b/ssp_author_demo/test_system/sr/sr-1.md 
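Review bot: item c. of the statement is now `Disseminate security alerts, advisories, and directives to: {{ insert: param, si-5_prm_3 }} ; {{ insert: param, si-5_prm_4 }} ; {{ insert: param, si-5_prm_5 }} ; and`, three unresolved template tags and no readable text at all. The removed line at least carried the labels (`organization-defined personnel or roles`, `organization-defined elements within the organization`, `organization-defined external organizations`); the new rendering gives the author nothing to go on. This is the clearest instance of the nested-parameter substitution gap in the patch and would make a good regression case for the markdown writer.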
@@ -1,43 +1,55 @@ -# sr-1 - Supply Chain Risk Management Policy and Procedures +--- +sort-id: sr-01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sr-1 - \[Supply Chain Risk Management\] Policy and Procedures -- \[a.\] Develop, document, and disseminate to \[sr-1_prm_1 = organization-defined personnel or roles\]: +## Control Statement - - \[1.\] \[sr-1_prm_2 = one-or-more \['Organization-level', 'Mission/business process-level', 'System-level'\]\] supply chain risk management policy that: +- \[a.\] Develop, document, and disseminate to organization-defined personnel or roles: + + - \[1.\] Organization-level; Mission/business process-level; System-level supply chain risk management policy that: - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and - \[2.\] Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; -- \[b.\] Designate an \[sr-1_prm_3 = organization-defined official\] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and +- \[b.\] Designate an organization-defined official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and - \[c.\] Review and update the current supply chain risk management: - - \[1.\] Policy \[sr-1_prm_4 = organization-defined frequency\] and following \[sr-1_prm_5 = organization-defined events\]; and - - \[2.\] Procedures \[sr-1_prm_6 = organization-defined frequency\] and following \[sr-1_prm_7 = organization-defined events\]. 
+ - \[1.\] Policy organization-defined frequency and following organization-defined events; and + - \[2.\] Procedures organization-defined frequency and following organization-defined events. + +## Control Control Guidance + +Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. ______________________________________________________________________ -## sr-1 What is the solution and how is it implemented? 
+## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sr-1_smt.a +Add control implementation description here for item sr-1_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sr-1_smt.b +Add control implementation description here for item sr-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement sr-1_smt.c +Add control implementation description here for item sr-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sr/sr-10.md b/ssp_author_demo/test_system/sr/sr-10.md index 184bfb1..2e1c168 100644 --- a/ssp_author_demo/test_system/sr/sr-10.md +++ b/ssp_author_demo/test_system/sr/sr-10.md 
@@ -1,11 +1,23 @@ -# sr-10 - Supply Chain Risk Management Inspection of Systems or Components +--- +sort-id: sr-10 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sr-10 - \[Supply Chain Risk Management\] Inspection of Systems or Components -- Inspect the following systems or system components \[sr-10_prm_1 = one-or-more \['at random', 'at \[sr-10_prm_2 = organization-defined frequency\], upon \[sr-10_prm_3 = organization-defined indications of need for inspection\] '\]\] to detect tampering: \[sr-10_prm_4 = organization-defined systems or system components\]. +## Control Statement + +Inspect the following systems or system components at random; at {{ insert: param, sr-10_prm_2 }}, upon {{ insert: param, sr-10_prm_3 }} to detect tampering: organization-defined systems or system components. + +## Control Control Guidance + +The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations. ______________________________________________________________________ -## sr-10 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control sr-10 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sr/sr-11.1.md b/ssp_author_demo/test_system/sr/sr-11.1.md index 74657b8..d1cac2d 100644 --- a/ssp_author_demo/test_system/sr/sr-11.1.md +++ b/ssp_author_demo/test_system/sr/sr-11.1.md 
@@ -1,11 +1,23 @@ -# sr-11.1 - Supply Chain Risk Management Anti-counterfeit Training +--- +sort-id: sr-11.01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sr-11.1 - \[Supply Chain Risk Management\] Anti-counterfeit Training -- Train \[sr-11.1_prm_1 = organization-defined personnel or roles\] to detect counterfeit system components (including hardware, software, and firmware). +## Control Statement + +Train organization-defined personnel or roles to detect counterfeit system components (including hardware, software, and firmware). + +## Control Control Guidance + +None. ______________________________________________________________________ -## sr-11.1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control sr-11.1 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sr/sr-11.2.md b/ssp_author_demo/test_system/sr/sr-11.2.md index 5d023db..401962e 100644 --- a/ssp_author_demo/test_system/sr/sr-11.2.md +++ b/ssp_author_demo/test_system/sr/sr-11.2.md 
@@ -1,11 +1,23 @@ -# sr-11.2 - Supply Chain Risk Management Configuration Control for Component Service and Repair +--- +sort-id: sr-11.02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sr-11.2 - \[Supply Chain Risk Management\] Configuration Control for Component Service and Repair -- Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: \[sr-11.2_prm_1 = organization-defined system components\]. +## Control Statement + +Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: organization-defined system components. + +## Control Control Guidance + +None. ______________________________________________________________________ -## sr-11.2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control sr-11.2 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sr/sr-11.md b/ssp_author_demo/test_system/sr/sr-11.md index ea34c83..288df57 100644 --- a/ssp_author_demo/test_system/sr/sr-11.md +++ b/ssp_author_demo/test_system/sr/sr-11.md 
@@ -1,24 +1,37 @@ -# sr-11 - Supply Chain Risk Management Component Authenticity +--- +sort-id: sr-11 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sr-11 - \[Supply Chain Risk Management\] Component Authenticity + +## Control Statement - \[a.\] Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and -- \[b.\] Report counterfeit system components to \[sr-11_prm_1 = one-or-more \['source of counterfeit component', ' \[sr-11_prm_2 = organization-defined external reporting organizations\] ', ' \[sr-11_prm_3 = organization-defined personnel or roles\] '\]\]. + +- \[b.\] Report counterfeit system components to source of counterfeit component; {{ insert: param, sr-11_prm_2 }} ; {{ insert: param, sr-11_prm_3 }} . + +## Control Control Guidance + +Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA. ______________________________________________________________________ -## sr-11 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sr-11_smt.a +Add control implementation description here for item sr-11_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sr-11_smt.b +Add control implementation description here for item sr-11_smt.b ______________________________________________________________________ 
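Review bot: in the sr-11.md hunk, item (b) renders the original one-or-more selection for sr-11_prm_1 as all three alternatives joined by semicolons ("Report counterfeit system components to source of counterfeit component; {{ insert: param, sr-11_prm_2 }} ; {{ insert: param, sr-11_prm_3 }} ."), so the statement now reads as though reporting to all three is required, and the spaces before the `;` and the closing `.` are stray. Suggest rendering sr-11_prm_1 as a single `{{ insert: param, sr-11_prm_1 }}` placeholder like the other two (or keeping a visible selection marker) and trimming the whitespace before punctuation.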
diff --git a/ssp_author_demo/test_system/sr/sr-12.md b/ssp_author_demo/test_system/sr/sr-12.md index 9c10d0c..2a335cc 100644 --- a/ssp_author_demo/test_system/sr/sr-12.md +++ b/ssp_author_demo/test_system/sr/sr-12.md 
@@ -1,11 +1,23 @@ -# sr-12 - Supply Chain Risk Management Component Disposal +--- +sort-id: sr-12 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sr-12 - \[Supply Chain Risk Management\] Component Disposal -- Dispose of \[sr-12_prm_1 = organization-defined data, documentation, tools, or system components\] using the following techniques and methods: \[sr-12_prm_2 = organization-defined techniques and methods\]. +## Control Statement + +Dispose of organization-defined data, documentation, tools, or system components using the following techniques and methods: organization-defined techniques and methods. + +## Control Control Guidance + +Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market. ______________________________________________________________________ -## sr-12 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control sr-12 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sr/sr-2.1.md b/ssp_author_demo/test_system/sr/sr-2.1.md index 7af97e6..ad35c8c 100644 
--- a/ssp_author_demo/test_system/sr/sr-2.1.md +++ b/ssp_author_demo/test_system/sr/sr-2.1.md 
@@ -1,11 +1,23 @@ -# sr-2.1 - Supply Chain Risk Management Establish Scrm Team +--- +sort-id: sr-02.01 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sr-2.1 - \[Supply Chain Risk Management\] Establish Scrm Team -- Establish a supply chain risk management team consisting of \[sr-2.1_prm_1 = organization-defined personnel, roles, and responsibilities\] to lead and support the following SCRM activities: \[sr-2.1_prm_2 = organization-defined supply chain risk management activities\]. +## Control Statement + +Establish a supply chain risk management team consisting of organization-defined personnel, roles, and responsibilities to lead and support the following SCRM activities: organization-defined supply chain risk management activities. + +## Control Control Guidance + +To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. 
The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team. ______________________________________________________________________ -## sr-2.1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control sr-2.1 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sr/sr-2.md b/ssp_author_demo/test_system/sr/sr-2.md index dbb1bd7..a6cb608 100644 --- a/ssp_author_demo/test_system/sr/sr-2.md +++ b/ssp_author_demo/test_system/sr/sr-2.md 
@@ -1,31 +1,47 @@ -# sr-2 - Supply Chain Risk Management Supply Chain Risk Management Plan +--- +sort-id: sr-02 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sr-2 - \[Supply Chain Risk Management\] Supply Chain Risk Management Plan + +## Control Statement + +- \[a.\] Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: organization-defined systems, system components, or system services; + +- \[b.\] Review and update the supply chain risk management plan organization-defined frequency or as required, to address threat, organizational or environmental changes; and -- \[a.\] Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: \[sr-2_prm_1 = organization-defined systems, system components, or system services\]; -- \[b.\] Review and update the supply chain risk management plan \[sr-2_prm_2 = organization-defined frequency\] or as required, to address threat, organizational or environmental changes; and - \[c.\] Protect the supply chain risk management plan from unauthorized disclosure and modification. +## Control Control Guidance + +The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. 
Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions. + +Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. 
Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8)). + ______________________________________________________________________ -## sr-2 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sr-2_smt.a +Add control implementation description here for item sr-2_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sr-2_smt.b +Add control implementation description here for item sr-2_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement sr-2_smt.c +Add control implementation description here for item sr-2_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sr/sr-3.md b/ssp_author_demo/test_system/sr/sr-3.md index 532a1e3..6436e80 100644 --- a/ssp_author_demo/test_system/sr/sr-3.md +++ b/ssp_author_demo/test_system/sr/sr-3.md 
@@ -1,31 +1,45 @@ -# sr-3 - Supply Chain Risk Management Supply Chain Controls and Processes +--- +sort-id: sr-03 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sr-3 - \[Supply Chain Risk Management\] Supply Chain Controls and Processes -- \[a.\] Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of \[sr-3_prm_1 = organization-defined system or system component\] in coordination with \[sr-3_prm_2 = organization-defined supply chain personnel\]; -- \[b.\] Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: \[sr-3_prm_3 = organization-defined supply chain controls\]; and -- \[c.\] Document the selected and implemented supply chain processes and controls in \[sr-3_prm_4 = \['security and privacy plans', 'supply chain risk management plan', ' \[sr-3_prm_5 = organization-defined document\] '\]\]. +## Control Statement + +- \[a.\] Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of organization-defined system or system component in coordination with organization-defined supply chain personnel; + +- \[b.\] Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: organization-defined supply chain controls; and + +- \[c.\] Document the selected and implemented supply chain processes and controls in security and privacy plans; supply chain risk management plan; {{ insert: param, sr-3_prm_5 }} . 
+ +## Control Control Guidance + +Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain. ______________________________________________________________________ -## sr-3 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + + ______________________________________________________________________ -### Part a. +## Implementation a. -Add control implementation description here for statement sr-3_smt.a +Add control implementation description here for item sr-3_smt.a ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement sr-3_smt.b +Add control implementation description here for item sr-3_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. 
-Add control implementation description here for statement sr-3_smt.c +Add control implementation description here for item sr-3_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sr/sr-5.md b/ssp_author_demo/test_system/sr/sr-5.md index d76fcd2..61f1a51 100644 --- a/ssp_author_demo/test_system/sr/sr-5.md +++ b/ssp_author_demo/test_system/sr/sr-5.md 
@@ -1,11 +1,23 @@ -# sr-5 - Supply Chain Risk Management Acquisition Strategies, Tools, and Methods +--- +sort-id: sr-05 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sr-5 - \[Supply Chain Risk Management\] Acquisition Strategies, Tools, and Methods -- Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: \[sr-5_prm_1 = organization-defined acquisition strategies, contract tools, and procurement methods\]. +## Control Statement + +Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: organization-defined acquisition strategies, contract tools, and procurement methods. + +## Control Control Guidance + +The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. 
Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements. ______________________________________________________________________ -## sr-5 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control sr-5 ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/sr/sr-8.md b/ssp_author_demo/test_system/sr/sr-8.md index 0691688..73ef170 100644 --- a/ssp_author_demo/test_system/sr/sr-8.md +++ b/ssp_author_demo/test_system/sr/sr-8.md 
@@ -1,11 +1,23 @@ -# sr-8 - Supply Chain Risk Management Notification Agreements +--- +sort-id: sr-08 +x-trestle-sections: + guidance: Control Guidance +--- -## Control Description +# sr-8 - \[Supply Chain Risk Management\] Notification Agreements -- Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the \[sr-8_prm_1 = one-or-more \['notification of supply chain compromises', 'results of assessments or audits', ' \[sr-8_prm_2 = organization-defined information\] '\]\]. +## Control Statement + +Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the notification of supply chain compromises; results of assessments or audits; {{ insert: param, sr-8_prm_2 }} . + +## Control Control Guidance + +The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes. ______________________________________________________________________ -## sr-8 What is the solution and how is it implemented? +## What is the solution and how is it implemented? + +Add control implementation description here for control sr-8 ______________________________________________________________________ diff --git a/trestle_flask_api/README.md b/trestle_flask_api/README.md index 11630b5..7389b2b 100644 --- a/trestle_flask_api/README.md +++ b/trestle_flask_api/README.md 
@@ -4,6 +4,8 @@ Simple example of using trestle to facilitate building a flask API. It exposes o This demo is a work in progress and will be expanded as appropriate. +This demo requires trestle version 1.0.x + ## Running the demo Use `make develop` to install the appropriate packages into your environment. diff --git a/trestle_flask_api/setup.cfg b/trestle_flask_api/setup.cfg index d9e4519..4754c5c 100644 --- a/trestle_flask_api/setup.cfg +++ b/trestle_flask_api/setup.cfg @@ -1,5 +1,5 @@ [metadata] -name = compliance-trestle-flaks-demo +name = compliance-trestle-flask-demo version = 0.0.1 description = Demo API wrapping pydanitc using flask. author = Chris Butler diff --git a/trestle_k8s/README.md b/trestle_k8s/README.md index 02beabe..e1763ab 100644 --- a/trestle_k8s/README.md +++ b/trestle_k8s/README.md @@ -4,6 +4,8 @@ This demo showcases using *k8s-to-oscal.py* (built utilizing trestle functionality) to consume YAML results files and produce (partial) OSCAL assessment results. +This demo is based on OSCAL 1.0.2 and requires trestle 1.0.x for support of AssessmentResults. + A [spreadsheet](https://github.com/IBM/compliance-trestle-demos/blob/fixk8s-to-oscal-links/trestle_k8s/Kubernetes-Yaml-to-OSCAL-Mapping.xlsx) shows the mapping from YAML to OSCAL. Sample inputs can be found [here](https://github.com/kubernetes-sigs/wg-policy-prototypes/tree/master/policy-report/samples). Sample outputs can be found [here](https://github.com/IBM/compliance-trestle-demos/tree/fixk8s-to-oscal-links/trestle_k8s/oscal-samples). @@ -61,4 +63,3 @@ List the output files. > ls oscal sample-cis-k8s.json sample-co.json sample-falco-policy.json sample-rhacm-policy.json ``` - diff --git a/trestle_k8s/k8s-to-oscal.py b/trestle_k8s/k8s-to-oscal.py index 5bf8266..c283810 100644 --- a/trestle_k8s/k8s-to-oscal.py +++ b/trestle_k8s/k8s-to-oscal.py 
@@ -228,7 +228,7 @@ def _get_result(self, yaml_data: Dict) -> Result: start=_timestamp, reviewed_controls=self._reviewed_controls(), ) - result.prop = self._get_result_properties(yaml_data) + result.props = self._get_result_properties(yaml_data) result.local_definitions = self._get_local_definitions(yaml_data) subjects = self._get_subjects(result.local_definitions) result.observations = self._get_result_observations(yaml_data, subjects) diff --git a/trestle_repo_api_examples/README.md b/trestle_repo_api_examples/README.md index b342356..7fd69c9 100644 --- a/trestle_repo_api_examples/README.md +++ b/trestle_repo_api_examples/README.md @@ -8,7 +8,7 @@ A trestle workspace (repository) has been initialized in .`/trestle-workspace` d The `repo-examples.py` will first create a Repository object by passing the trestle workspace as input and then read the included NIST 800-53 catalog json file into a catalog object, then import it into repository and perform various operations on it using the repository API. -To run the demo, execute the folloiwng command: +To run the demo, execute the following command: ``` python3 repo-examples.py diff --git a/trestle_repo_api_examples/repo-examples.py b/trestle_repo_api_examples/repo-examples.py index becd00a..2065dea 100644 --- a/trestle_repo_api_examples/repo-examples.py +++ b/trestle_repo_api_examples/repo-examples.py @@ -19,8 +19,8 @@ import pathlib import sys -import trestle.core.parser as parser import trestle.oscal as oscal +from trestle.core.remote.cache import FetcherFactory from trestle.core.repository import Repository logger = logging.getLogger(__name__) 
@@ -40,7 +40,8 @@ def demo(): logger.info('') logger.info('2. Parse an existing OSCAL catalog file into OSCAL model object') filepath = pathlib.Path('./NIST_SP-800-53_rev4_catalog.json') - model = parser.parse_file(filepath, None) + fetcher = FetcherFactory.get_fetcher(repo.root_dir, str(filepath)) + model, _ = fetcher.get_oscal() logger.info('File successfully parsed') logger.info('') diff --git a/trestle_sdk_examples/README.md b/trestle_sdk_examples/README.md index 5f3dbf5..7db71ca 100644 --- a/trestle_sdk_examples/README.md +++ b/trestle_sdk_examples/README.md @@ -4,4 +4,4 @@ A container for a set of simpler examples of using the trestle sdk. ## Creating a catalog -Running `./create_a_catalog.py` will first try and fail to create a catalog (by failing to provide required attributes), then create a catalog, followed by writing it out to disk. +Running `python create_a_catalog.py` will first try and fail to create a catalog (by failing to provide required attributes), then create a catalog, followed by writing it out to disk. diff --git a/trestle_task_osco_to_oscal/README.md b/trestle_task_osco_to_oscal/README.md index 68451da..48aef7c 100644 --- a/trestle_task_osco_to_oscal/README.md +++ b/trestle_task_osco_to_oscal/README.md @@ -29,7 +29,7 @@ Running the demo > cd > cd git/compliance-trestle-demos/trestle_task_osco_to_oscal > trestle init -> trestle task osco-to-oscal -c ./demo-osco-to-oscal.config +> trestle task osco-result-to-oscal-ar -c ./demo-osco-to-oscal.config output: osco/runtime/ssg-ocp4-ds-cis-111.222.333.444-pod.oscal.json inventory: 1 
@@ -45,28 +45,21 @@ Viewing the result { "results": [ { - "uuid": "5a69ce39-9ec9-4ded-8556-2c94a5b4e554", + "uuid": "d86fdc41-885a-419b-a4f3-1cd3e98167bc", "title": "OpenShift Compliance Operator", "description": "OpenShift Compliance Operator Scan Results", - "start": "2021-09-09T19:18:09.000+00:00", - "end": "2021-09-09T19:18:09.000+00:00", - "local-definitions": { - "components": [ - { - "uuid": "1690228d-860d-4fa0-a43b-c95f2f53410e", - "type": "Service", - "title": "Red Hat OpenShift Kubernetes Service Compliance Operator for ocp4", - "description": "Red Hat OpenShift Kubernetes Service Compliance Operator for ocp4", - "status": { - "state": "operational" - } - } - ], - "inventory-items": [ - { - "uuid": "d4dff670-fe5e-4324-94aa-c1fffdef17c5", - "description": "inventory", - "props": [ - + "start": "2022-04-28T02:44:41+00:00", + "end": "2022-04-28T02:44:41+00:00", + "props": [ + { + "name": "scanner_name", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/osco", + "value": "OpenSCAP" + }, + { + "name": "scanner_version", + "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/osco", + "value": "1.3.3" + }, ... ``` diff --git a/trestle_task_osco_to_oscal/demo-osco-to-oscal.config b/trestle_task_osco_to_oscal/demo-osco-to-oscal.config index 2223b72..7399662 100644 --- a/trestle_task_osco_to_oscal/demo-osco-to-oscal.config +++ b/trestle_task_osco_to_oscal/demo-osco-to-oscal.config @@ -1,4 +1,4 @@ -[task.osco-to-oscal] +[task.osco-result-to-oscal-ar] input-dir = osco/input output-dir = osco/runtime diff --git a/trestle_task_spread_sheet_to_component_definition/README.md b/trestle_task_spread_sheet_to_component_definition/README.md index 2b21900..fc8eb8b 100644 --- a/trestle_task_spread_sheet_to_component_definition/README.md +++ b/trestle_task_spread_sheet_to_component_definition/README.md 
@@ -6,57 +6,64 @@ Simple example of using trestle to facilitate building an OSCAL component-defini Download this repo - > cd - > mkdir git - > cd git - > git clone https://github.com/IBM/compliance-trestle-demos - +``` +> cd +> mkdir git +> cd git +> git clone https://github.com/IBM/compliance-trestle-demos +``` + Install compliance trestle, ideally in a python virtual environment. - > cd - > python -m venv venv.compliance-trestle-demos - > source venv.compliance-trestle-demos/bin/activate - > cd git/compliance-trestle-demos - > make install +``` +> cd +> python -m venv venv.compliance-trestle-demos +> source venv.compliance-trestle-demos/bin/activate +> cd git/compliance-trestle-demos +> make install +``` Running the demo - > cd - > cd git/compliance-trestle-demos/trestle_task_spread_sheet_to_component_definition - > trestle task xlsx-to-oscal-component-definition -c ./demo-xlsx-to-component-definition.config - - catalog: trestle-workspace/catalogs/nist-sp-800-53-rev4/catalog.json - input: demo.xlsx - row 5 col AS missing value - row 8 control cm-8_3 edited to remove parentheses - row=9 edited source_code_scaning_vulnerability_threashhold to remove whitespace - row 9 control cm-8_3 edited to remove parentheses - row=11 edited source_code_scaning_vulnerability_threashhold to remove whitespace - row 11 control zz-1 not found in catalog - output: trestle-workspace/component-definitions/component-definition.json - rows missing goal_name_id: [2] - rows missing controls: [10] - rows missing parameters: [2, 7, 8] - rows missing parameters values: [5] - output: trestle-workspace/catalogs/catalog.json - Task: xlsx-to-oscal-component-definition executed successfully. 
+``` +> cd +> cd git/compliance-trestle-demos/trestle_task_spread_sheet_to_component_definition +> trestle task xlsx-to-oscal-cd -c ./demo-xlsx-to-component-definition.config + +catalog: trestle-workspace/catalogs/nist-sp-800-53-rev4/catalog.json +input: demo.xlsx +row 5 col AS missing value +row 8 control cm-8_3 edited to remove parentheses +row=9 edited source_code_scaning_vulnerability_threashhold to remove whitespace +row 9 control cm-8_3 edited to remove parentheses +row=11 edited source_code_scaning_vulnerability_threashhold to remove whitespace +row 11 control zz-1 not found in catalog +output: trestle-workspace/component-definitions/component-definition.json +rows missing goal_name_id: [2] +rows missing controls: [10] +rows missing parameters: [2, 7, 8] +rows missing parameters values: [5] +output: trestle-workspace/catalogs/catalog.json +Task: xlsx-to-oscal-component-definition executed successfully. +``` Viewing the result - > cat trestle-workspace/component-definitions/component-definition.json - - { - "component-definition": { - "uuid": "75c68a4b-9395-470d-9653-0ae99c93f558", - "metadata": { - "title": "Component definition for NIST Special Publication 800-53 Revision 4 profiles", - "last-modified": "2021-07-28T13:22:19.000+00:00", - "version": "0.20.0", - "oscal-version": "1.0.0", - "roles": [ - { - "id": "prepared-by", - "title": "Indicates the organization that created this content." - }, - ... - \ No newline at end of file +``` +> cat trestle-workspace/component-definitions/component-definition.json + +{ +"component-definition": { +"uuid": "75c68a4b-9395-470d-9653-0ae99c93f558", +"metadata": { + "title": "Component definition for NIST Special Publication 800-53 Revision 4 profiles", + "last-modified": "2021-07-28T13:22:19.000+00:00", + "version": "0.20.0", + "oscal-version": "1.0.0", + "roles": [ + { + "id": "prepared-by", + "title": "Indicates the organization that created this content." + }, + ... +``` 
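Review bot: in the `Viewing the result` hunk of the trestle_task_osco_to_oscal README the new `props` carry `"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/osco"`, whereas every `ns` in the component-definition touched by this patch uses `http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud`; OSCAL namespaces are compared as opaque strings, so consumers filtering props by `ns` must match the scheme exactly, and it is worth confirming the sample is pasted from real task output rather than hand-edited and noting the `http`/`https` split if both are meant to stay. The hunk also drops the `local-definitions`/`inventory-items` sample while the command output above still prints `inventory: 1`; if inventory now appears further down the result, say so where the sample is truncated with `...`.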
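Review bot: in the trestle_task_spread_sheet_to_component_definition README hunk the captured output in the `Running the demo` block still ends with `Task: xlsx-to-oscal-component-definition executed successfully.` although the command above it now reads `trestle task xlsx-to-oscal-cd`; either the output was not recaptured after the rename or the task still reports its old name, and in both cases the block should be regenerated. The `Viewing the result` block is likewise stale: it shows `"uuid": "75c68a4b-9395-470d-9653-0ae99c93f558"`, `"version": "0.20.0"` and `"oscal-version": "1.0.0"`, while `trestle-workspace/component-definitions/component-definition.json` in this same patch now carries a new uuid, `"version": "1.0.1"` and `"oscal-version": "1.0.2"`, and the first JSON lines of the sample lost their indentation when they were moved into the fence. Consider also tagging the fences (for example as console) so the `>` prompts are recognised as prompts rather than commands.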
diff --git a/trestle_task_spread_sheet_to_component_definition/demo-xlsx-to-component-definition.config b/trestle_task_spread_sheet_to_component_definition/demo-xlsx-to-component-definition.config index b40acd9..ab6dcc4 100644 --- a/trestle_task_spread_sheet_to_component_definition/demo-xlsx-to-component-definition.config +++ b/trestle_task_spread_sheet_to_component_definition/demo-xlsx-to-component-definition.config @@ -1,4 +1,4 @@ -[task.xlsx-to-oscal-component-definition] +[task.xlsx-to-oscal-cd] catalog-file = trestle-workspace/catalogs/nist-sp-800-53-rev4/catalog.json spread-sheet-file = demo.xlsx 
diff --git a/trestle_task_spread_sheet_to_component_definition/demo.xlsx b/trestle_task_spread_sheet_to_component_definition/demo.xlsx index 6b5f9c82c71599f59943ac50ab63f60020775b8d..5726cb2a8c8677209829e837726850d665c2b786 100644 GIT binary patch delta 4385 zcmZ8lcQo8v7aft&=8Znugdlo}VDv6TFF`Ow@1lzu@zY5p+K67Gj@~602GK>0M2qMW zy$lgTK6&r0x8D2iU+0{)?^*YrbJksZ-#m#8Nm5-6{Oi;pA|fIXkx#rqEh!A|`fmfp ziN^vw)f>|8zC+%21WVjQ@8Ix^)p+nWpQ)?5f|u>HT%A>K4Eb6B@hF5-=<~Ue5&x4l z|3I!-OTykkb@muiA`AQc@oD#lksd28;eHJadr|c zs3JKYhl!3jMb*OKTyGiuBM(4A$joMw2gEs$S9 z{W!R;1|gB++aHY1cp%XHH4x~kFOYvV1~qg|0D!Xa_IS?FNx_=#iuyuwDjS$Cqbrkf zbE9*4I{{)cG6yK!v|DYlxPsYVsexWff0(MHq{Cq7!KR^+)dEXwH_SZfZmGh3R|Qu6?zx~ ztj52QSpxD0hjPy+&OJ!e`({9*bfH*!OiH+l6@hDL^VWO^*9m#pxSnNP#NM$(MCupD zhVt3Xc4xyUJL`5orytvVq7lQlxm<#b4Uzlw-nLVp)vkIbEU3j_i^ zxhlec2lFZjsz1fgz5eHP)@KqaU;E2iC87CyVlN>az_~lC82Kdz=!sEL% z%(Q3&Z@a{VT`AZ1OVY($oW)~ZhTm$~7JPPTcW2WqC5e#KCw(tE?o#}2kA9CJiHE z$fS1;Za(&kvJ~20rOt4nw;D-Vk2vsqD4B?6fnM*>9)ecE^i?>rA1qpX$C_YD$}M=_ zNd&ko){jooRBQ>nWR}a3B&1Toy4b-u?0-NU3YV?%8Hk5tWKBOki$c5*CBE#Bhlzu_{Rx-6|X%_a+DH0&eWR3m-#L+q`9l-2S+r<+wwkZa?Qw{5~yXE zXVQD~j*qfoo9>8_TYi_47l4IY#zpvclyn!{8O(lcq(-59>z?1 zJKudkAb0C$9e@o}<3sPL7t9ei;u6z!fOy`LlJ`GH9tHBWai0B|1H)u2|> zZ|>6tAtMRUeOhq^55AuXSc{I2CS=&C#;SA9-%qNW4`UVq7z9$L|NkcyMNGjBWN3IV zt5WvuopV!54m%O%i{U_2t}d3nZQo{|O=rF!DR5LPN{slttJCoy@cv*0o^`m>O&8S* zVP4)NBX$p`{jFv$g9X(LFoLNpu%w)aZ9!iy#v*$2rUi%GcLVkz%=C9f22}o;g3$4& z@eYDL#6<=p@c@j5c_eC6a1^BjWTfoGvmMrvYN-xa-Ed?Gka&{W?u<;L92LlVtt;GO zrV`u6Y&b-eJ7H=)*3B}FQfZM>W*Zq|<|f8u73DI9vy~S-J#v4(QL-SF>6{&(uxt}h z^sK~`%ba>!KV$sv!pvl;I&`$I`q=d7#Yr<8O~AKL`iH`hteOGLb*lsbpq3~rP@o9P z=80w=R%^+V-5TnI2zOPnFYwMJ{){htlLO>GvM&{QR1j(?5l;||RqvmxDqOu|Ah(t4 z+cLr)xh#hlFdFem-M4U$DrJ!yS0`z1l~o)nM`qns5fE7R!t_kGcGTuY$I*s7#iBNSf1~&Gw8HKHmE} zwSLkhJf5JU5P6VED~3yY(OgZ^B4;P@vaDi|fD!)-XYJ!@>*4 z_m#S^)~&Qf&qreB;ZVJ^szNZ~+8Ddtv z{TD|yvjM{zk^EfSP1d0>ZPVI!B+Zq^R?5|t#;GJKy12RLP{XfzK655|qd;`u)ad&U zbm7pLUNE^?lkYC+>-&Z4H0U07RNube~?nUk_J8|Gi1( 
zXMFm$=`2Hlw;e@l8Y%j&Im8ypIz)o}*k7lRQt9Z_IRA5;U#y7#Q)>v0kgE9x-(YP( z<64oT`;JXWC8vHE*tmr%oq%rvt%=VeQjS=sr=|+G4uQ#}Dv4q>X*m>C*13X^4ioLz!jbmGuYS=J zDT+=$oz6jAJ}v%$*iy8}InOI!tx$6CHjR#GRV{H{dOsqMOh27qdq+5(pd!fu?(KYy z0NAJ#4|x;$Qv6i_-m+o;BQxYX9S0g?G5Bhua!U5g(uT`*{7moA!S-Nx*6a=z%7qrj z1}&5Q$qa9p>IMOGHasNRi8(P=DRsDG; zLxSvupvIJ=x9^Qb5e+WOUpI@$8-}pPwEfv6{<`gl4fwNhL4@08%wxV%A3wVf$w-9O zyJXFR2f_YzBuH!Wrt`N~%ova8#Z1qh#R^ZK;#(%=Ux>{@^;;+w^%aV71A+l#k_ zu9EIv6*NS0tNWw05sfE{1nBcywmOJ?t$bptkbrJ3?9k-)PrM!hZ_7@xE?Ia^BYKMIMP)v5cdF~f|APYwK1V3__wVZ6SbN2T7HjNdL^80mKy+woyKB$(8coz4aqnS)% zyxRMix`KmtlCgKvA$qeJ2pSHT&4J6|GGBJ+r

HEU8kjY=au{v!3!Tqck4P(4oNVsdY7d&~z-6&U+-1*qe%Vo+pT7Fb zI)eT%THdAGH5f3?wQwAviP#>j6@}{3M(Dq0Ggq82+t0q)P|pBS*^Op? z?-g9rF0CvuZ)P+UO}mNO-gNa2s^pR0=Hc%>`S#@Jn(8vF9AsMJgeB3HCKocG%2-F! zuDX!qH~%`5IQb<_5O5?Nv0Rd~|Ftvc*h%x&rL9_TE)x)wzLT6tJWSfOEJz$xHo&R( zebHrRl5J6j--D}Mgxk6Bv~vl2M!li@(_6hUVC`JTeZ$NNk=Je^t1Eam5SwJt+q0K@ zDLMW#RX{;W$WCqH75~e&(=Vonfh3rQHsi043r>#$^0K@4W9)=}StyxP75QUscNx|a zWQgmWGzG94I^yJh(}euk=KW(r5XhbF|7k*f2VL6V3d@v11p51P;2)ie%4QI{`8)D& z;YR*jtNpXOP`eB_|N2s(fHUB2q4?l8{&F?1+$59(oaxUDI{QBYC$4s}Uuj>4e|G;i z=1_%j?msdA<}%d(!5pKu;kTH7pXA>cq5BU;h5{vUgX2%oQIh#M@=9YGT@fRy|A74I OQ9d`=2`J&eqyGcCRRlW# delta 4212 zcmZu!2UHWxvQFr|*U($&z5akokrt|S0xC$af{29{nn-T}q=YI}1?dn7NN-Z5gCac; z6bJ$l1iA2g|99_u=j}N&yJybK?(FQInfcJlg?~|*=;ISG07ytk0JjlmrnOXzK!WQ9 zToA|uOEkS}94W;Rg0o8L&Tg7zlX|)#^mhb-I%u16RNDj9ZKNLoMk{9}`4wEf{t)IAlb--W8t6 zjKm^R<)SJXysIn-9DAC$D@YL<%8$(4)vF?5t(|dol2AZWk8d2Ib&i?7pX2u1F4{aX ze+BC|c@nmf2nQkcum&O>^{8DQK+v*d%N zL-&~^jQ_&BIN)%a8DErpA=9IA)|6_yaa0l~=Nx%@p9A~pY8999++>!43qPVm@aG)t zSAR{sXrBBx))pn=9yzPoFExBHes+mUu_r#Oth$%ZGmvO=|KT)H+hd)tzJvS8W9yLW zeO<((OLlh+ZAZE>32hAJ;xOn0bsDtLBCgz7=2`#iCxJ^_D$&Y=kKUwrTd6P42fneH z=o6Eu7QOX%1_A&}cmTjZPeSzPP2dxFk}!R3p+3I_78S-OO@$}q)m06gzh73RA1#e9 z6@GuNc;f~Zel-82woFOgV6iR#vz5GXr{4Ppm7|T2XTozOxxDml_$bZsAIkSJ`Ef>w#WUc;T{v;>5|_6pMHdcRzm+I$?>JG__BP+CRG4y}M7f zXyH9$G3rtN1(i^+>+_8>E;n5I@_>-e-S&OHi?{iLR3N$I5s2-Q=sExwLIJe9001E9 zDhU4s;LrW9gn;@B`~rf%KW2R)i5A|U)eafczdtKJ1sLZ2a7lsYcgKA{ldvw}+FXNP z=7NNs;7$UHwGr+hP86Q$7Ei9_!N1x2>sSR6s@M7s31UkDM+5b#lLydy`FsnZxD-g1 zzvBzbyh0mKf=-JP$0C=!6_;Sk8)TizWe>oOYkBrv-UrpcG?$>nO6ChjDN3(6=5`ez z&xXAWU14^sxs?jS{y(QiFbcAWK84lKrFF|5a#R>$dXX?)^l(5#!7@RLDAslC*Jfm7 zPvKHi@sb4iuO`-bU!R5t$m}15OLN1l;>3P!d#&GFbvhC_e-P_*!!|6@;I)vgp9Z;v z?i1caJfuPLEQzaW&a8D_ABIY6ebY3xmSTqPeu52VyU3V}Z59>Q$~zHFCgpNH%}Fe{ zwL7v}mlfr8eEt-~Ww7;`N#VgwXXN7=;)3kk_;G(pqcdH~3l6ra_UQNMd;lL-j)=VS zofnljBR9u*;{&oO&7Gt0D$D;;x;4iy-Q_>|(& zh5m$)vFy;->0)ikO{n#9dXCc>Ov@>`;JHT_B{;naAz~K(&oPl1?Y=$ zm7UFQPc#&Q)bOY1Cd}vp*SgbhFwnw0`c_S}<3j*KyV?3Zg;fgl?9{4=-R9Wc;n 
znHdNJt<^z?1z6H>rI+JD)EPMCd*4ElG5t*OCd$)OY5r`*H7|FSdf|<2l6^j0A7Qy^ zm(a7|+_i^pJKk$yxp*Z$0G`u}6#T5lX7?7AcdC^`b;)A()u? zS>&Wo>gakrEvlPlB)4(4x#bu(g;`RvKM&W7{Sp!(&w^iueJsLTch0>teQ#Pd3KBny z)V{#bvXW$g7d+szuCxoqJbVtCg5E6d@{IMLeHVRbUWz?!G7;(@9yuITTe7)P75^jH z)SMu*8=5~&(KWljrtmx5GE4r&JJ>G`tj+1M*t4$quG2S*_W;XP9G|yMc2<}vy5H^+ zHp5uuBrmE~52UT@)v5eWdbjzqt1{lGX<( z`})U7vFbQ-zx?g(9|M%+zrDzfn3pJO=}sW8EzjrJ8ZaHo9G8I?*kIq|a1og9!wRUc zE|G?F!IpO;L}ici7yoC~cnvSCKC~xdR_dc*nsu)vWJsnQmA+v!v*VFaRK|&+5>4nQ zdyrh=anBz2w6aX69dna0KCP*$Sg)k7)q>QgUQ(x&Mr028f?fiv_K?XM1T7X?AytKb z(CVw9HDelPqX?$=zpu%=MFPt%&fhTg>j7(!2}-4T6{Ar?wH)XD3-sdaAj8&yxjE*G z`+KXH1o4*_@Pb#1EV7!zynZBvYC>pf;rKez0VgJRj2-=Z&TYR+xQV9MDM~ z#6_Ry4LPnc6V8l)^S{;2yfS;ai@cQP4_1xZcrlF=`YN2PmA|LX>jE3%yxqc1D~(Jn z#??_ID|DKH<7^GWgMeF^n;%-K4}+pjF~(7=w49+#o8IJxp)Y&7NJ%Rjib)ec{EXLx zzVF-{#A@Qf&dj}i!U8<+;vQZnMGGDO%OL^)V1@DjON!Tt@p`aa(KEOmEei~)@4u!* z)3N{F_f)FMvV$_nZF3yE-Kq* zE-D3VF|gCdp#~0-w+!f4tuwL#l$-j9lGCZu-xm(&Ru!I%u|N37e3K-Onay|Z6TyxO z{7&nke7EJ^aKD#0mgnhv;b0E?D8JZiLCq{wZfx1|xi@M#(^%UgUC8L!YeSd$vK_Wu zrO{((kJj@zDipL-U#|P(ccRS_OVeU8@bra89#h86ZGZBw5bq2Zf($c+NwbxoCC}Nr zn1Tts)O|vj5$A!Th#MDMWXGf&=Mg*|YJX=E($G5n{$2dr7tYcYFVFK}#b`*&>>K$| zPBY_X8@om_uXX3YYcu6XqX9JCTCjVbs6zM zO*Cdfo>pMDmgxusY^%bsC7P&7IGo!x4 z>&M6{l4ZI489ivZUc{qP8y|oA%i?>VzRICLFg|zCd$8)GynSR)ptX$xfA24;l5xjH z9GruD`kg9dc23xL&%v+zol0a_Lv`)*3TuZX%(Z*A@e`VA1Jb(^16Os98WO8tlfD0b zVt_l>zFRLnED;8~^YY{fKWn!Mf7&9+WFKFwwMxs1(YBr$>jMgqUlZ_PfIpj%#MWCL zLQHe3$*o)yEz}e-wGV_(@AM>_>+J!ydA=*v4}cMIxuuB<=k07+A&vv8UNk)*2Xc~K z8tF>fq_7%lS}RQwKmNf0NVq?_hOn1Cunaz}gwDT)M^W0CL zmYH%6I~M_CXZqqcx(g?qaxtG)e)~`%J*b8v9k=nQ77o9y=6CYoLa31CzJoVjXo}FR zq>vFPZD?Ezbc;S`mQN$e|8n}6!z5z((034~(#;d!QElTYm|D)C>IrFQnN`w9xOodV z(o@$AX40!1ExV@9xfo3Fp+h%>BSg@@wF%R9JFTx-72d`md}2Bhg$K;4lpEs7Qsnki zUmM)8eVntgFmkKAcu-j}@?4RH-`M%4kY>{Dx>#5@T_3DK?YA(&p)t>uTO=hgJRqL1 zT8i3D{uI8s@oWfuqz*|<4o5kmpcQh2m~IAkQG>EC_2Z*&)J8?5kc24~rV(JEeFk5- zD+_A;4WMo~Lsp5*$eQD;kXkhb=&jl#(iV&GjZ;^Unk6#KLc}o4BHY9eL`C?JvFL!r 
z5mkuJ4*`?UBw(HTqr#-CV-~#DY;r9@-6mra!TYm_TUuW9`q|yJZZe2D5 zT%$(DEAqfbihwJ}iwwSp7r|1G9g=J z7xDND4$H|QO_Ye`g}L@j!cUyohf3VvnZ&p{1kqoVi$dAMmWSI)2UV;up5#O|;7_u| z`Pd#4>ops}Dv5q&4h*ZuE8nArPESVIlN6jNRs^rHRWKTEE4a$WN$BQ^?|JS*H~H_FE?EQGyr9GMCYvdt8u*?A)2o87U7=v|N>CKY)RlEfjR*BV8g z5ZD|FdSxsukH8xG)-y+W@rrrQHZ>D4pC3fH5`W=>84mD))7RbzdUpKiu&U|KBEe}t zHMO^O)3Pgkl-f}o_{w6Q?0%`U)_gS1tL?edsCfHLi-|oc#pW-Wb=A_1IDzK874*47 z;$aX7sC+n_P87!F)G|$OmnLIG`dx!b5_WHMC^-Pq8c7BN}A0Y(AEDm6SpNSXm`0>Y8hO>uhtKAJV_-*APO zO`h@^Wd9H7gFCUwkX%cyQ4l_>XW^dg z!ra%V{ddQ~@V`tB$lfLioX^A`=Zwk$bZH!8u$r2_|N9t93Z?}7Pu;h0FgfE GTIF9%>b@NS diff --git a/trestle_task_spread_sheet_to_component_definition/trestle-workspace/catalogs/catalog.json b/trestle_task_spread_sheet_to_component_definition/trestle-workspace/catalogs/catalog.json index 5472f5b..abdf154 100644 --- a/trestle_task_spread_sheet_to_component_definition/trestle-workspace/catalogs/catalog.json +++ b/trestle_task_spread_sheet_to_component_definition/trestle-workspace/catalogs/catalog.json @@ -1,10 +1,10 @@ { "catalog": { - "uuid": "e5a4f808-ff84-4379-9f89-bfa4a6fc0f09", + "uuid": "a9960dd3-1e4e-464e-a2d5-e825b623d144", "metadata": { "title": "Component Parameters", - "last-modified": "2021-07-28T13:22:19.000+00:00", - "version": "0.20.0", + "last-modified": "2022-03-23T10:17:14+00:00", + "version": "0.35.0", "oscal-version": "1.0.0" }, "params": [ diff --git a/trestle_task_spread_sheet_to_component_definition/trestle-workspace/component-definitions/component-definition.json b/trestle_task_spread_sheet_to_component_definition/trestle-workspace/component-definitions/component-definition.json index d858e4d..0a1482b 100644 --- a/trestle_task_spread_sheet_to_component_definition/trestle-workspace/component-definitions/component-definition.json +++ b/trestle_task_spread_sheet_to_component_definition/trestle-workspace/component-definitions/component-definition.json 
@@ -1,11 +1,11 @@ { "component-definition": { - "uuid": "75c68a4b-9395-470d-9653-0ae99c93f558", + "uuid": "e758d759-8deb-4802-a947-1ff5ddcdcda0", "metadata": { "title": "Component definition for NIST Special Publication 800-53 Revision 4 profiles", - "last-modified": "2021-07-28T13:22:19.000+00:00", - "version": "0.20.0", - "oscal-version": "1.0.0", + "last-modified": "2022-04-28T03:10:43+00:00", + "version": "1.0.1", + "oscal-version": "1.0.2", "roles": [ { "id": "prepared-by", @@ -22,19 +22,19 @@ ], "parties": [ { - "uuid": "38cada78-a368-4cc1-8771-66f1f8ccd5ad", + "uuid": "cf5bff42-97a6-4100-8c26-9eb621c9e682", "type": "organization", "name": "International Business Machines", "remarks": "IBM" }, { - "uuid": "a733c127-9ebb-46cf-9721-00b5f5497dfa", + "uuid": "8f78022f-ffba-4071-932f-5eeb21c727fe", "type": "organization", "name": "Customer", "remarks": "organization to be customized at account creation only for their Component Definition" }, { - "uuid": "eaff49fd-268f-4111-a47a-7c76c0e78215", + "uuid": "6d90257e-4194-4d05-8b8f-0dd6bcaff52f", "type": "organization", "name": "ISV", "remarks": "organization to be customized at ISV subscription only for their Component Definition" 
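Review bot: the demo.xlsx change is a binary delta and cannot be reviewed from the diff, yet it drives every substantive change in the regenerated component-definition (the SYSTEM and VPC components disappear, CLOUDANT and IKS gain `set-parameters`, and IKS gains `statements`); please describe the spreadsheet edits (which rows or columns were removed, added or changed) in the commit message or the README so the generated changes can be checked against their source.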
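Review bot: in the `trestle-workspace/catalogs/catalog.json` hunk the metadata becomes `"last-modified": "2022-03-23T10:17:14+00:00"`, `"version": "0.35.0"` and keeps `"oscal-version": "1.0.0"`, while the component-definition in the same workspace is stamped `2022-04-28T03:10:43+00:00`, `"version": "1.0.1"` and `"oscal-version": "1.0.2"`; the two artifacts were evidently generated in different runs, so regenerate both with the same trestle 1.0.x so that the workspace is self-consistent and the `oscal-version` values agree.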
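Review bot: in the first two component-definition hunks all three party uuids are regenerated (for example `38cada78-a368-4cc1-8771-66f1f8ccd5ad` becomes `cf5bff42-97a6-4100-8c26-9eb621c9e682`), and that cascades into every `responsible-roles` block in the file, so most of this roughly thousand-line diff is uuid churn that hides the real changes (dropped components, new `set-parameters`, new `statements`); if the generator can reuse the party uuids already present in the existing output, the diff shrinks to what actually changed and any downstream references to these parties stay stable. The removal of the stray trailing `\"` from the `description` strings is a welcome fix.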
@@ -44,95 +44,52 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, "components": [ { - "uuid": "cbbc3510-bd0f-413b-8059-8bc45c1f1648", + "uuid": "04a346f8-d032-4d58-b3d7-cfe91f19ad98", "type": "Service", - "title": "SYSTEM", - "description": "SYSTEM", + "title": "CLOUDANT", + "description": "CLOUDANT", "control-implementations": [ { - "uuid": "15ae6381-89ff-487c-b1b4-804c26f91d52", + "uuid": "902a7cc8-1e05-484d-a4e6-8a221edcd50a", "source": "https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json", - "description": "SYSTEM implemented controls for NIST Special Publication 800-53 Revision 4. It includes assessment asset configuration for CICD.\"", - "implemented-requirements": [ + "description": "CLOUDANT implemented controls for NIST Special Publication 800-53 Revision 4. 
It includes assessment asset configuration for CICD.", + "set-parameters": [ { - "uuid": "1c5a0e52-ef81-48fe-9158-24b8b2c3d4c7", - "control-id": "cm-2", - "description": "cm-2", - "props": [ - { - "name": "goal_name_id", - "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", - "value": "3000036", - "class": "scc_goal_name_id", - "remarks": "Ensure the EU supported setting is enabled in account settings" - }, - { - "name": "goal_version", - "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", - "value": "1.0", - "class": "scc_goal_version", - "remarks": "3000036" - } - ], - "responsible-roles": [ - { - "role-id": "prepared-by", - "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" - ] - }, - { - "role-id": "prepared-for", - "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" - ] - }, - { - "role-id": "content-approver", - "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" - ] - } + "param-id": "no_of_admins_for_cloudant_db", + "values": [ + "3" + ] + }, + { + "param-id": "no_of_service_id_admins_for_cloudant_db", + "values": [ + "3" ] } - ] - } - ] - }, - { - "uuid": "993fd731-66c4-40b2-bb4b-fbfda070c08e", - "type": "Service", - "title": "CLOUDANT", - "description": "CLOUDANT", - "control-implementations": [ - { - "uuid": "e10807d1-2531-47be-b574-6815f2100968", - "source": "https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json", - "description": "CLOUDANT implemented controls for NIST Special Publication 800-53 Revision 4. It includes assessment asset configuration for CICD.\"", + ], "implemented-requirements": [ { - "uuid": "740185ed-a9e4-48ba-9e7f-f2fcab147a1e", + "uuid": "09cc0396-4798-4a5d-898a-8c0b94df16f2", "control-id": "ac-2", "description": "ac-2", "props": [ 
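Review bot: in the `@@ -44,95 +44,52 @@` hunk the CLOUDANT control-implementation gains `set-parameters` for `no_of_admins_for_cloudant_db` and `no_of_service_id_admins_for_cloudant_db` (both `"3"`), and the IKS control-implementation later gains `iks_ingress_tls_versions`; the `source` of these control-implementations is the NIST SP 800-53 rev4 catalog, which does not define those parameter ids, and the `params` array of the local `Component Parameters` catalog is not shown in this patch, so confirm each `param-id` is declared where the tooling will resolve it. The same hunk removes the SYSTEM component together with its goal `3000036` (`Ensure the EU supported setting is enabled in account settings`); confirm that drop is intended rather than a side effect of the spreadsheet edit.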
@@ -163,26 +120,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "520146cc-a3c6-4baa-b27c-64a55548531a", + "uuid": "c051898f-ea1a-4766-bca5-3cce11d4b54b", "control-id": "ac-3", "description": "ac-3", "props": [ @@ -213,26 +170,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "73690552-5712-4e86-8645-6475458cbb1f", + "uuid": "ae77fcfd-5efa-4780-9129-1b4b88176089", "control-id": "ac-5", "description": "ac-5", "props": [ 
@@ -263,26 +220,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "f319c316-3f3c-439f-a63b-b6a31b557e81", + "uuid": "0722e15d-e3e6-4788-a2a3-16c4a025deef", "control-id": "ac-6", "description": "ac-6", "props": [ @@ -313,33 +270,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] - } - ] - }, - { - "uuid": "17209916-bde1-44a2-890e-77d3f3026ac4", - "source": "https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json", - "description": "CLOUDANT implemented controls for NIST Special Publication 800-53 Revision 4. It includes assessment asset configuration for CICD.\"", - "implemented-requirements": [ + }, { - "uuid": "fe9137b4-35b2-4469-9328-bdafeb0a4b2a", + "uuid": "051be9b1-dfce-413d-8cf7-c3b63a408e71", "control-id": "ac-2", "description": "ac-2", "props": [ 
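Review bot: the `@@ -313,33 +270,26 @@` hunk deletes the wrapper of the second CLOUDANT control-implementation (`"uuid": "17209916-bde1-44a2-890e-77d3f3026ac4"`) and replaces it with `},`, so the ac-2, ac-3, ac-5 and ac-6 implemented-requirements that follow now sit in the same `implemented-requirements` list as the ac-2, ac-3, ac-5 and ac-6 entries above them, and each control id appears twice in one control-implementation. If the two spreadsheet rows map the same control to different goals, merging their `props` into a single implemented-requirement per control would be cleaner and easier on consumers that key on `control-id`; if the duplication is intended, a sentence in the README would save the next reader the puzzle.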
@@ -370,26 +320,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "7b313fb1-424d-4fce-b4b6-365ed852992c", + "uuid": "1629383c-a753-4e5d-8aa5-4e6fa4a3c6ed", "control-id": "ac-3", "description": "ac-3", "props": [ @@ -420,26 +370,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "57cb4d07-d1a7-41d4-8b7d-6289eb4053f7", + "uuid": "bb4acf21-940e-44bb-95a2-4e5b7d8e22e6", "control-id": "ac-5", "description": "ac-5", "props": [ 
@@ -470,26 +420,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "6d14c2dc-0fc5-4ae7-8fde-9c746d6ef64b", + "uuid": "9a20e506-94b6-40b0-9de6-abd21edaf78c", "control-id": "ac-6", "description": "ac-6", "props": [ @@ -520,20 +470,20 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] 
@@ -543,18 +493,18 @@ ] }, { - "uuid": "6590f4cc-cf1e-48d0-99b3-bee36b18507b", + "uuid": "5c2cf2ef-7936-4d3e-bd8c-466be30305a9", "type": "Service", "title": "CIS", "description": "CIS", "control-implementations": [ { - "uuid": "85c03c42-d13f-4595-b6b4-4b0805e93070", + "uuid": "56512b09-f956-4069-91a8-474cb6e11813", "source": "https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json", - "description": "CIS implemented controls for NIST Special Publication 800-53 Revision 4. It includes assessment asset configuration for CICD.\"", + "description": "CIS implemented controls for NIST Special Publication 800-53 Revision 4. It includes assessment asset configuration for CICD.", "implemented-requirements": [ { - "uuid": "23ffbdd2-de43-412a-b600-25b509308495", + "uuid": "444b5df8-cdf6-4f1d-9359-a5695448904b", "control-id": "ac-17.2", "description": "ac-17(2)", "props": [ @@ -577,26 +527,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "ce5bdd8d-cf8d-4b5b-8c7b-6479a451510c", + "uuid": "daed1ea6-034f-44fe-b8fe-7c0d880c48aa", "control-id": "sc-8", "description": "sc-8", "props": [ 
@@ -619,26 +569,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "12bb2d23-3825-4f55-a7aa-857af7a4bc1b", + "uuid": "bfecd906-34d7-44ab-97f8-35447bac595e", "control-id": "sc-8.1", "description": "sc-8(1)", "props": [ @@ -661,26 +611,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "ff78475f-5ba7-4a32-afec-e508b0e55c16", + "uuid": "a1c7dd27-2eba-475b-aa8a-cdfeb33bf316", "control-id": "sc-13", "description": "sc-13", "props": [ 
@@ -703,26 +653,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "3e8b9d82-1afe-41a7-818d-477208528f48", + "uuid": "49b23066-fcc7-4936-96ce-92e50b7865f0", "control-id": "sc-23", "description": "sc-23", "props": [ @@ -745,20 +695,20 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] 
@@ -768,18 +718,27 @@ ] }, { - "uuid": "a4df5e5f-16ec-4989-9766-cdd8b17e40a4", + "uuid": "87311f4a-6edf-4559-9ff8-801aeddca61b", "type": "Service", - "title": "IKS ", - "description": "IKS ", + "title": "IKS", + "description": "IKS", "control-implementations": [ { - "uuid": "5259ced8-40da-4070-9d01-8a98d34f1cf6", + "uuid": "6f93810b-de3c-4337-9fd5-a26bdc90b817", "source": "https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json", - "description": "IKS implemented controls for NIST Special Publication 800-53 Revision 4. It includes assessment asset configuration for CICD.\"", + "description": "IKS implemented controls for NIST Special Publication 800-53 Revision 4. It includes assessment asset configuration for CICD.", + "set-parameters": [ + { + "param-id": "iks_ingress_tls_versions", + "values": [ + "1.2", + "1.3" + ] + } + ], "implemented-requirements": [ { - "uuid": "7d38e269-4107-49c0-a9ca-717062356932", + "uuid": "f143b57b-a5b5-4ecf-964c-25bf924a0f5f", "control-id": "ac-17.2", "description": "ac-17(2)", "props": [ @@ -810,26 +769,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "2376ed33-f600-42b7-88f2-e04872680ce2", + "uuid": "e1bfda08-1ec7-4446-98b7-0d981c45db07", "control-id": "sc-8", "description": "sc-8", "props": [ 
@@ -860,26 +819,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "86570177-c8c6-4760-a758-dc1d259b0772", + "uuid": "282577d1-d523-42be-9060-e438623cf39a", "control-id": "sc-8.1", "description": "sc-8(1)", "props": [ @@ -910,26 +869,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "7e4d90b1-b3d4-4a64-82d4-5ae4043478dc", + "uuid": "a9194b75-b2c4-40a2-bfad-3c60bec98c6c", "control-id": "sc-13", "description": "sc-13", "props": [ 
@@ -960,26 +919,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "c224f653-a525-4cb1-ba14-484f1062f8d9", + "uuid": "99cd3b0d-f296-4ff4-b38a-03b526bf7cc0", "control-id": "sc-23", "description": "sc-23", "props": [ 
@@ -1010,226 +969,210 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] - } - ] - } - ] - }, - { - "uuid": "cde1dd1c-ae34-49ac-9ecd-942fad70927b", - "type": "Service", - "title": "VPC", - "description": "VPC", - "control-implementations": [ - { - "uuid": "3064f2e1-40ef-4626-9a64-30e0534da6c4", - "source": "https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json", - "description": "VPC implemented controls for NIST Special Publication 800-53 Revision 4. It includes assessment asset configuration for CICD.\"", - "implemented-requirements": [ + }, { - "uuid": "4e91d5be-eb9a-4194-83b1-746d54ac1162", - "control-id": "ac-4", - "description": "ac-4", + "uuid": "db454007-d19c-455a-be9e-2bb8e070a59f", + "control-id": "cm-2", + "description": "cm-2", "props": [ { "name": "goal_name_id", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", - "value": "vpc_no_inbound_ports_public", + "value": "kubernetes_service_latest_version", "class": "scc_goal_name_id", - "remarks": "Ensure Virtual Private Cloud (VPC) security groups have no inbound ports open to the internet (0.0.0.0/0)" + "remarks": "Ensure Kubernetes Service version is up-to-date" }, { "name": "goal_version", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", "value": "1.0", "class": "scc_goal_version", - "remarks": "vpc_no_inbound_ports_public" + "remarks": "kubernetes_service_latest_version" } ], "responsible-roles": [ { "role-id": "prepared-by", "party-uuids": [ - 
"38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "33632f3d-ee7d-472a-8433-edfd1a58f9d1", - "control-id": "cm-2", - "description": "cm-2", + "uuid": "3d910b1a-1167-404f-8a3d-c124f123f0f6", + "control-id": "cm-7", + "description": "cm-7", "props": [ { "name": "goal_name_id", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", - "value": "vpc_no_inbound_ports_public", + "value": "kubernetes_service_latest_version", "class": "scc_goal_name_id", - "remarks": "Ensure Virtual Private Cloud (VPC) security groups have no inbound ports open to the internet (0.0.0.0/0)" + "remarks": "Ensure Kubernetes Service version is up-to-date" }, { "name": "goal_version", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", "value": "1.0", "class": "scc_goal_version", - "remarks": "vpc_no_inbound_ports_public" + "remarks": "kubernetes_service_latest_version" } ], "responsible-roles": [ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } + ], + "statements": [ + { + "statement-id": "cm-7", + "uuid": "f40ec95a-3f82-4ed0-ab9a-1ce70108a389", + "description": "IKS implements cm-7(a)" + } ] }, { - "uuid": 
"7829dc2b-0b78-4727-997c-bba65abd1edb", - "control-id": "sc-7", - "description": "sc-7", + "uuid": "3dfa39d6-8cfc-4fd5-9e07-fefc325ae82b", + "control-id": "cm-8.1", + "description": "cm-8(1)", "props": [ { "name": "goal_name_id", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", - "value": "vpc_no_inbound_ports_public", + "value": "kubernetes_service_latest_version", "class": "scc_goal_name_id", - "remarks": "Ensure Virtual Private Cloud (VPC) security groups have no inbound ports open to the internet (0.0.0.0/0)" + "remarks": "Ensure Kubernetes Service version is up-to-date" }, { "name": "goal_version", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", "value": "1.0", "class": "scc_goal_version", - "remarks": "vpc_no_inbound_ports_public" + "remarks": "kubernetes_service_latest_version" } ], "responsible-roles": [ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "785818cc-5132-4571-a8c9-d60b3075e687", - "control-id": "sc-7.3", - "description": "sc-7(3)", + "uuid": "a127c544-094b-4a8f-afc8-6ca45e630604", + "control-id": "cm-8.3", + "description": "cm-8(3)", "props": [ { "name": "goal_name_id", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", - "value": "vpc_no_inbound_ports_public", + "value": "kubernetes_service_latest_version", "class": "scc_goal_name_id", - "remarks": "Ensure Virtual Private Cloud (VPC) security groups have no inbound ports open to the internet (0.0.0.0/0)" + "remarks": "Ensure Kubernetes Service version is up-to-date" }, { 
"name": "goal_version", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", "value": "1.0", "class": "scc_goal_version", - "remarks": "vpc_no_inbound_ports_public" + "remarks": "kubernetes_service_latest_version" } ], "responsible-roles": [ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } + ], + "statements": [ + { + "statement-id": "cm-8_3", + "uuid": "ca799938-ebd7-4c1d-93f2-5fd7a67c1cad", + "description": "IKS implements cm-8(3)(a)" + } ] - } - ] - } - ] - }, - { - "uuid": "facd71a7-6e02-40fb-85cd-c0e2bec038a4", - "type": "Service", - "title": "IKS", - "description": "IKS", - "control-implementations": [ - { - "uuid": "4bd18df4-175a-4f45-9ae8-cc360dc54fd2", - "source": "https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json", - "description": "IKS implemented controls for NIST Special Publication 800-53 Revision 4. It includes assessment asset configuration for CICD.\"", - "implemented-requirements": [ + }, { - "uuid": "1abeb2be-f913-41a2-af89-f27ba6bbb852", - "control-id": "cm-2", - "description": "cm-2", + "uuid": "20000087-b079-4fbf-a503-7b8f144fbe14", + "control-id": "sa-3", + "description": "sa-3", "props": [ { "name": "goal_name_id", 
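Review bot: the `statements` entries in this hunk use `"statement-id": "cm-7"` with the description "IKS implements cm-7(a)" and `"statement-id": "cm-8_3"` for "IKS implements cm-8(3)(a)", so the id names the whole control while the description claims a single sub-item. The SSP in the second patch uses the catalog's part ids (`ac-1_smt.a`), so the consistent choice here is the `_smt.a`-style part id of cm-7 and cm-8(3) from the rev4 catalog named in `source`; otherwise a tool resolving these statements against the catalog finds no matching part. The `sa-3` statement in the next hunk has the same issue.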
@@ -1250,211 +1193,212 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } + ], + "statements": [ + { + "statement-id": "sa-3", + "uuid": "e2e7d523-1b54-4dde-92d8-c794b2bfb392", + "description": "IKS implements sa-3(a)" + } ] - }, + } + ] + } + ] + }, + { + "uuid": "17cd7500-5ed3-4892-80cd-32a47f959f60", + "type": "Service", + "title": "VPC", + "description": "VPC", + "control-implementations": [ + { + "uuid": "c888e371-873d-4f3c-96d1-ac0da9be1115", + "source": "https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json", + "description": "VPC implemented controls for NIST Special Publication 800-53 Revision 4. 
It includes assessment asset configuration for CICD.", + "implemented-requirements": [ { - "uuid": "18c88413-b780-4be4-af8a-ac3b1167710f", - "control-id": "cm-7", - "description": "cm-7", + "uuid": "ac7675ba-f31d-4b55-acbf-7a0ac5718127", + "control-id": "ac-4", + "description": "ac-4", "props": [ { "name": "goal_name_id", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", - "value": "kubernetes_service_latest_version", + "value": "vpc_no_inbound_ports_public", "class": "scc_goal_name_id", - "remarks": "Ensure Kubernetes Service version is up-to-date" + "remarks": "Ensure Virtual Private Cloud (VPC) security groups have no inbound ports open to the internet (0.0.0.0/0)" }, { "name": "goal_version", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", "value": "1.0", "class": "scc_goal_version", - "remarks": "kubernetes_service_latest_version" + "remarks": "vpc_no_inbound_ports_public" } ], "responsible-roles": [ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } - ], - "statements": [ - { - "statement-id": "cm-7", - "uuid": "6382b371-17e3-4283-88f9-2fbae8cac54a", - "description": "IKS implements cm-7(a)" - } ] }, { - "uuid": "654fb9ef-ce86-452e-98d1-8eb702d9bffb", - "control-id": "cm-8.1", - "description": "cm-8(1)", + "uuid": "90f9ade4-f3c6-411b-abd6-ffdbc31a265b", + "control-id": "cm-2", + "description": "cm-2", "props": [ { "name": "goal_name_id", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", - "value": "kubernetes_service_latest_version", + "value": 
"vpc_no_inbound_ports_public", "class": "scc_goal_name_id", - "remarks": "Ensure Kubernetes Service version is up-to-date" + "remarks": "Ensure Virtual Private Cloud (VPC) security groups have no inbound ports open to the internet (0.0.0.0/0)" }, { "name": "goal_version", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", "value": "1.0", "class": "scc_goal_version", - "remarks": "kubernetes_service_latest_version" + "remarks": "vpc_no_inbound_ports_public" } ], "responsible-roles": [ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "9c5278ce-d61e-437c-be12-004d127c637d", - "control-id": "cm-8.3", - "description": "cm-8(3)", + "uuid": "32f210d6-9ac7-4324-80cc-b8769449f7dd", + "control-id": "sc-7", + "description": "sc-7", "props": [ { "name": "goal_name_id", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", - "value": "kubernetes_service_latest_version", + "value": "vpc_no_inbound_ports_public", "class": "scc_goal_name_id", - "remarks": "Ensure Kubernetes Service version is up-to-date" + "remarks": "Ensure Virtual Private Cloud (VPC) security groups have no inbound ports open to the internet (0.0.0.0/0)" }, { "name": "goal_version", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", "value": "1.0", "class": "scc_goal_version", - "remarks": "kubernetes_service_latest_version" + "remarks": "vpc_no_inbound_ports_public" } ], "responsible-roles": [ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + 
"cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } - ], - "statements": [ - { - "statement-id": "cm-8_3", - "uuid": "3b98df0d-b0b0-42f3-a40d-4002d4858df0", - "description": "IKS implements cm-8(3)(a)" - } ] }, { - "uuid": "c7cbd14f-de0c-477a-9afb-364b114658fe", - "control-id": "sa-3", - "description": "sa-3", + "uuid": "c26919fd-08b4-408e-af6a-3957562da936", + "control-id": "sc-7.3", + "description": "sc-7(3)", "props": [ { "name": "goal_name_id", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", - "value": "kubernetes_service_latest_version", + "value": "vpc_no_inbound_ports_public", "class": "scc_goal_name_id", - "remarks": "Ensure Kubernetes Service version is up-to-date" + "remarks": "Ensure Virtual Private Cloud (VPC) security groups have no inbound ports open to the internet (0.0.0.0/0)" }, { "name": "goal_version", "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibm-cloud", "value": "1.0", "class": "scc_goal_version", - "remarks": "kubernetes_service_latest_version" + "remarks": "vpc_no_inbound_ports_public" } ], "responsible-roles": [ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } - ], - "statements": [ - { - "statement-id": "sa-3", - "uuid": 
"8953427b-d322-4ad4-a6b7-092955b99b8a", - "description": "IKS implements sa-3(a)" - } ] } ] @@ -1462,18 +1406,38 @@ ] }, { - "uuid": "2ad1fd24-004b-4f74-adfc-182243a1b7a0", + "uuid": "e5f655a7-f2eb-4f7e-b95f-62d2ea2a4c4d", "type": "Service", "title": "TOOLCHAIN", "description": "TOOLCHAIN", "control-implementations": [ { - "uuid": "0dd00a72-fa32-4866-8613-c369dff268c5", + "uuid": "cc83e4bf-e803-40ad-b76f-f41a73722e3d", "source": "https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json", - "description": "TOOLCHAIN implemented controls for NIST Special Publication 800-53 Revision 4. It includes assessment asset configuration for CICD.\"", + "description": "TOOLCHAIN implemented controls for NIST Special Publication 800-53 Revision 4. It includes assessment asset configuration for CICD.", + "set-parameters": [ + { + "param-id": "source_code_scaning_vulnerability_threashhold", + "values": [ + "low", + "medium", + "high", + "critical" + ] + }, + { + "param-id": "source_code_scaning_vulnerability_threashhold", + "values": [ + "low", + "medium", + "high", + "critical" + ] + } + ], "implemented-requirements": [ { - "uuid": "619eff2d-b92a-4451-92ac-da883f918e3f", + "uuid": "5f0d363d-088f-4c7f-9b11-896e4ab8051a", "control-id": "cm-8.3", "description": "cm-8(3)", "props": [ 
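Review bot: the new `set-parameters` array in this hunk contains the same entry twice (`param-id` `source_code_scaning_vulnerability_threashhold` with values low/medium/high/critical); one copy should be dropped, since two settings for one parameter id leave the effective value ambiguous. The spelling of the id (`scaning`, `threashhold`) also needs checking against the parameter it is meant to set, because an id that does not match will not bind to the intended parameter. Dropping the stray `\"` at the end of the `description` string is correct.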
@@ -1504,33 +1468,33 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ], "statements": [ { "statement-id": "cm-8_3", - "uuid": "d92fbd9a-13f3-4302-84df-a1902e8c632f", + "uuid": "524f3b5f-5497-40eb-b91e-0ed94992bc54", "description": "TOOLCHAIN implements cm-8(3)(a)" } ] }, { - "uuid": "990f5e20-efec-44e6-b94c-16e1098a5f76", + "uuid": "d4609894-91a0-4f3e-b269-0b28f0ead1a4", "control-id": "ra-5", "description": "ra-5", "props": [ @@ -1561,33 +1525,33 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ], "statements": [ { "statement-id": "ra-5", - "uuid": "f7e5753b-8a8c-438a-abf8-62778b8a6370", + "uuid": "f23ed392-7063-4071-8a87-fb3d35afb241", "description": "TOOLCHAIN implements ra-5(a)" } ] }, { - "uuid": "3467c2f9-3c8a-4def-a986-1206cfc24bf7", + "uuid": "2718132b-a136-4f8f-9aae-23c83b97a919", "control-id": "si-2.2", "description": "si-2(2)", "props": [ 
@@ -1618,26 +1582,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] }, { - "uuid": "f6f562cd-da1e-40ec-86da-c7b21d7d925e", + "uuid": "71a06526-0e28-4bca-8d89-101db8672c38", "control-id": "si-7.1", "description": "si-7(1)", "props": [ @@ -1668,33 +1632,26 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] - } - ] - }, - { - "uuid": "68ba53ce-ba46-448b-b2cf-7a3985fbc3e4", - "source": "https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json", - "description": "TOOLCHAIN implemented controls for NIST Special Publication 800-53 Revision 4. It includes assessment asset configuration for CICD.\"", - "implemented-requirements": [ + }, { - "uuid": "24491dbc-4caf-4133-9f6a-63168f16472b", + "uuid": "25cd90d4-b813-4c65-8488-864e5badc263", "control-id": "zz-1", "description": "zz-1", "props": [ 
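Review bot: merging the second TOOLCHAIN `control-implementations` entry into the first (same `source`, same description) is the right fix for the duplicate, but the `zz-1` implemented-requirement that moves into it is not a control in the rev4 catalog named in `source`. If it is there on purpose to exercise handling of unknown control ids, a `remarks` field or a README line saying so would stop the next reader from treating it as a data error; otherwise it should be removed along with the duplicate.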
@@ -1725,20 +1682,20 @@ { "role-id": "prepared-by", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] }, { "role-id": "prepared-for", "party-uuids": [ - "a733c127-9ebb-46cf-9721-00b5f5497dfa", - "eaff49fd-268f-4111-a47a-7c76c0e78215" + "8f78022f-ffba-4071-932f-5eeb21c727fe", + "6d90257e-4194-4d05-8b8f-0dd6bcaff52f" ] }, { "role-id": "content-approver", "party-uuids": [ - "38cada78-a368-4cc1-8771-66f1f8ccd5ad" + "cf5bff42-97a6-4100-8c26-9eb621c9e682" ] } ] From 1b9a51b719927a08bdab31bb1ca07dcb62678e9c Mon Sep 17 00:00:00 2001 From: Frank Suits Date: Fri, 29 Apr 2022 12:56:23 +1000 Subject: [PATCH 2/2] removed duplicate control 
Signed-off-by: Frank Suits --- ssp_author_demo/README.md | 4 +- .../system-security-plan.json | 2798 ++++++++--------- ssp_author_demo/test_system/ac/ac-1.md | 24 +- ssp_author_demo/test_system/ac/ac-14.md | 4 +- ssp_author_demo/test_system/ac/ac-17.md | 4 +- ssp_author_demo/test_system/ac/ac-18.md | 4 +- ssp_author_demo/test_system/ac/ac-19.md | 4 +- ssp_author_demo/test_system/ac/ac-2.md | 4 +- ssp_author_demo/test_system/ac/ac-20.md | 4 +- ssp_author_demo/test_system/ac/ac-22.md | 4 +- ssp_author_demo/test_system/ac/ac-3.md | 4 +- ssp_author_demo/test_system/ac/ac-7.md | 4 +- ssp_author_demo/test_system/ac/ac-8.md | 4 +- ssp_author_demo/test_system/at/at-1.md | 4 +- ssp_author_demo/test_system/at/at-2.2.md | 4 +- ssp_author_demo/test_system/at/at-2.md | 4 +- ssp_author_demo/test_system/at/at-3.md | 4 +- ssp_author_demo/test_system/at/at-4.md | 4 +- ssp_author_demo/test_system/au/au-1.md | 4 +- ssp_author_demo/test_system/au/au-11.md | 4 +- ssp_author_demo/test_system/au/au-12.md | 4 +- ssp_author_demo/test_system/au/au-2.md | 4 +- ssp_author_demo/test_system/au/au-3.md | 4 +- ssp_author_demo/test_system/au/au-4.md | 4 +- ssp_author_demo/test_system/au/au-5.md | 4 +- ssp_author_demo/test_system/au/au-6.md | 4 +- ssp_author_demo/test_system/au/au-8.md | 4 +- ssp_author_demo/test_system/au/au-9.md | 4 +- ssp_author_demo/test_system/ca/ca-1.md | 4 +- ssp_author_demo/test_system/ca/ca-2.md | 4 +- ssp_author_demo/test_system/ca/ca-3.md | 4 +- ssp_author_demo/test_system/ca/ca-5.md | 4 +- ssp_author_demo/test_system/ca/ca-6.md | 4 +- ssp_author_demo/test_system/ca/ca-7.4.md | 4 +- ssp_author_demo/test_system/ca/ca-7.md | 4 +- ssp_author_demo/test_system/ca/ca-9.md | 4 +- ssp_author_demo/test_system/cm/cm-1.md | 4 +- ssp_author_demo/test_system/cm/cm-10.md | 4 +- ssp_author_demo/test_system/cm/cm-11.md | 4 +- ssp_author_demo/test_system/cm/cm-2.md | 4 +- ssp_author_demo/test_system/cm/cm-4.md | 4 +- ssp_author_demo/test_system/cm/cm-5.md | 4 +- 
ssp_author_demo/test_system/cm/cm-6.md | 4 +- ssp_author_demo/test_system/cm/cm-7.md | 4 +- ssp_author_demo/test_system/cm/cm-8.md | 4 +- ssp_author_demo/test_system/cp/cp-1.md | 4 +- ssp_author_demo/test_system/cp/cp-10.md | 4 +- ssp_author_demo/test_system/cp/cp-2.md | 4 +- ssp_author_demo/test_system/cp/cp-3.md | 4 +- ssp_author_demo/test_system/cp/cp-4.md | 4 +- ssp_author_demo/test_system/cp/cp-9.md | 4 +- ssp_author_demo/test_system/ia/ia-1.md | 4 +- ssp_author_demo/test_system/ia/ia-11.md | 4 +- ssp_author_demo/test_system/ia/ia-2.1.md | 4 +- ssp_author_demo/test_system/ia/ia-2.12.md | 4 +- ssp_author_demo/test_system/ia/ia-2.2.md | 4 +- ssp_author_demo/test_system/ia/ia-2.8.md | 4 +- ssp_author_demo/test_system/ia/ia-2.md | 4 +- ssp_author_demo/test_system/ia/ia-4.md | 4 +- ssp_author_demo/test_system/ia/ia-5.1.md | 4 +- ssp_author_demo/test_system/ia/ia-5.md | 4 +- ssp_author_demo/test_system/ia/ia-6.md | 4 +- ssp_author_demo/test_system/ia/ia-7.md | 4 +- ssp_author_demo/test_system/ia/ia-8.1.md | 4 +- ssp_author_demo/test_system/ia/ia-8.2.md | 4 +- ssp_author_demo/test_system/ia/ia-8.4.md | 4 +- ssp_author_demo/test_system/ia/ia-8.md | 4 +- ssp_author_demo/test_system/ir/ir-1.md | 4 +- ssp_author_demo/test_system/ir/ir-2.md | 4 +- ssp_author_demo/test_system/ir/ir-4.md | 4 +- ssp_author_demo/test_system/ir/ir-5.md | 4 +- ssp_author_demo/test_system/ir/ir-6.md | 4 +- ssp_author_demo/test_system/ir/ir-7.md | 4 +- ssp_author_demo/test_system/ir/ir-8.md | 4 +- ssp_author_demo/test_system/ma/ma-1.md | 4 +- ssp_author_demo/test_system/ma/ma-2.md | 4 +- ssp_author_demo/test_system/ma/ma-4.md | 4 +- ssp_author_demo/test_system/ma/ma-5.md | 4 +- ssp_author_demo/test_system/mp/mp-1.md | 4 +- ssp_author_demo/test_system/mp/mp-2.md | 4 +- ssp_author_demo/test_system/mp/mp-6.md | 4 +- ssp_author_demo/test_system/mp/mp-7.md | 4 +- ssp_author_demo/test_system/pe/pe-1.md | 4 +- ssp_author_demo/test_system/pe/pe-12.md | 4 +- ssp_author_demo/test_system/pe/pe-13.md | 4 +- 
ssp_author_demo/test_system/pe/pe-14.md | 4 +- ssp_author_demo/test_system/pe/pe-15.md | 4 +- ssp_author_demo/test_system/pe/pe-16.md | 4 +- ssp_author_demo/test_system/pe/pe-2.md | 4 +- ssp_author_demo/test_system/pe/pe-3.md | 4 +- ssp_author_demo/test_system/pe/pe-6.md | 4 +- ssp_author_demo/test_system/pe/pe-8.md | 4 +- ssp_author_demo/test_system/pl/pl-1.md | 4 +- ssp_author_demo/test_system/pl/pl-10.md | 4 +- ssp_author_demo/test_system/pl/pl-11.md | 4 +- ssp_author_demo/test_system/pl/pl-2.md | 4 +- ssp_author_demo/test_system/pl/pl-4.1.md | 4 +- ssp_author_demo/test_system/pl/pl-4.md | 4 +- ssp_author_demo/test_system/ps/ps-1.md | 4 +- ssp_author_demo/test_system/ps/ps-2.md | 4 +- ssp_author_demo/test_system/ps/ps-3.md | 4 +- ssp_author_demo/test_system/ps/ps-4.md | 4 +- ssp_author_demo/test_system/ps/ps-5.md | 4 +- ssp_author_demo/test_system/ps/ps-6.md | 4 +- ssp_author_demo/test_system/ps/ps-7.md | 4 +- ssp_author_demo/test_system/ps/ps-8.md | 4 +- ssp_author_demo/test_system/ps/ps-9.md | 4 +- ssp_author_demo/test_system/ra/ra-1.md | 4 +- ssp_author_demo/test_system/ra/ra-2.md | 4 +- ssp_author_demo/test_system/ra/ra-3.1.md | 4 +- ssp_author_demo/test_system/ra/ra-3.md | 4 +- ssp_author_demo/test_system/ra/ra-5.11.md | 4 +- ssp_author_demo/test_system/ra/ra-5.2.md | 4 +- ssp_author_demo/test_system/ra/ra-5.md | 4 +- ssp_author_demo/test_system/ra/ra-7.md | 4 +- ssp_author_demo/test_system/sa/sa-1.md | 4 +- ssp_author_demo/test_system/sa/sa-2.md | 4 +- ssp_author_demo/test_system/sa/sa-22.md | 4 +- ssp_author_demo/test_system/sa/sa-3.md | 4 +- ssp_author_demo/test_system/sa/sa-4.10.md | 4 +- ssp_author_demo/test_system/sa/sa-4.md | 4 +- ssp_author_demo/test_system/sa/sa-5.md | 4 +- ssp_author_demo/test_system/sa/sa-8.md | 4 +- ssp_author_demo/test_system/sa/sa-9.md | 4 +- ssp_author_demo/test_system/sc/sc-1.md | 4 +- ssp_author_demo/test_system/sc/sc-12.md | 4 +- ssp_author_demo/test_system/sc/sc-13.md | 4 +- ssp_author_demo/test_system/sc/sc-15.md | 4 +- 
ssp_author_demo/test_system/sc/sc-20.md | 4 +- ssp_author_demo/test_system/sc/sc-21.md | 4 +- ssp_author_demo/test_system/sc/sc-22.md | 4 +- ssp_author_demo/test_system/sc/sc-39.md | 4 +- ssp_author_demo/test_system/sc/sc-5.md | 4 +- ssp_author_demo/test_system/sc/sc-7.md | 4 +- ssp_author_demo/test_system/si/si-1.md | 4 +- ssp_author_demo/test_system/si/si-12.md | 4 +- ssp_author_demo/test_system/si/si-2.md | 4 +- ssp_author_demo/test_system/si/si-3.md | 4 +- ssp_author_demo/test_system/si/si-4.md | 4 +- ssp_author_demo/test_system/si/si-5.md | 4 +- ssp_author_demo/test_system/sr/sr-1.md | 4 +- ssp_author_demo/test_system/sr/sr-10.md | 4 +- ssp_author_demo/test_system/sr/sr-11.1.md | 4 +- ssp_author_demo/test_system/sr/sr-11.2.md | 4 +- ssp_author_demo/test_system/sr/sr-11.md | 4 +- ssp_author_demo/test_system/sr/sr-12.md | 4 +- ssp_author_demo/test_system/sr/sr-2.1.md | 4 +- ssp_author_demo/test_system/sr/sr-2.md | 4 +- ssp_author_demo/test_system/sr/sr-3.md | 4 +- ssp_author_demo/test_system/sr/sr-5.md | 4 +- ssp_author_demo/test_system/sr/sr-8.md | 4 +- 151 files changed, 1712 insertions(+), 1706 deletions(-) diff --git a/ssp_author_demo/README.md b/ssp_author_demo/README.md index dde82eb..f77cad3 100644 --- a/ssp_author_demo/README.md +++ b/ssp_author_demo/README.md 
@@ -34,12 +34,12 @@ Profiles from NIST do not insert parameter values by default so the profile need - First the response documents must be generated using: - cd to the project root directory - - `trestle author ssp-generate -p 800-53-low --output test_system -s 'guidance:Control Guidance'` + - `trestle author ssp-generate -p 800-53-low --output test_system -s 'guidance:Guidance'` - `--output` puts the markdown directory tree into `./test_system` - `-s` maps named parts names to sections in catalog to the markdown document - Content for the implemented requirements can now be entered into the markdown for controls -### Creating the OSCAL catalog +### Creating the OSCAL System Security Plan - Run - `trestle author ssp-assemble -m test_system -o acme-test-system` diff --git a/ssp_author_demo/system-security-plans/acme-test-system/system-security-plan.json b/ssp_author_demo/system-security-plans/acme-test-system/system-security-plan.json index d2b8d05..10d4857 100644 --- a/ssp_author_demo/system-security-plans/acme-test-system/system-security-plan.json +++ b/ssp_author_demo/system-security-plans/acme-test-system/system-security-plan.json @@ -1,9 +1,9 @@ { "system-security-plan": { - "uuid": "f4337ba4-a060-49dd-a4d1-2b0cee331225", + "uuid": "1c0ab8c3-d589-4966-be00-317c9f8f9ad7", "metadata": { "title": "REPLACE_ME", - "last-modified": "2022-04-28T12:26:33.922163+10:00", + "last-modified": "2022-04-29T12:54:07.360473+10:00", "version": "REPLACE_ME", "oscal-version": "1.0.2" }, @@ -51,12 +51,12 @@ "system-implementation": { "users": [ { - "uuid": "a2a57960-550c-4251-a8e7-cd5fbfdacc56" + "uuid": "92c8b668-4270-4c15-9ba5-b225fb017bbf" } ], "components": [ { - "uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", + "uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", "type": "REPLACE_ME", "title": "This System", "description": "REPLACE_ME", 
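Review bot: the README change from `-s 'guidance:Control Guidance'` to `-s 'guidance:Guidance'` alters the section title written into every generated markdown file, and the commit message "removed duplicate control" does not mention it; the message should say why the section name changed. While this bullet list is being edited, the unchanged line "`-s` maps named parts names to sections in catalog to the markdown document" is garbled and could read "`-s` maps named parts of the catalog controls to sections in the generated markdown".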
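Review bot: in the `system-security-plan.json` hunks, `title` and `version` in `metadata` and the component `type` and `description` remain `REPLACE_ME` while `uuid` and `last-modified` are regenerated, so every run of the demo produces a diff of this size (the 2798 +- in the diffstat is almost entirely regenerated ids) with nothing a reviewer can check. Fill the placeholders for the demo system, and commit the assembled SSP only when its content changes.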
@@ -70,38 +70,38 @@ "description": "This is the control implementation for the system.", "implemented-requirements": [ { - "uuid": "fd0487cb-e477-4564-98c4-8216c934c81f", + "uuid": "acda3393-61f4-4a79-a30f-b97cf4461f20", "control-id": "ac-1", "statements": [ { "statement-id": "ac-1_smt.a", - "uuid": "5d38c470-1a1b-4714-93a5-790ea52203d1", + "uuid": "ddbe8b0b-a0e7-40cc-905d-a3f9385d8ca7", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "cc5d5cf8-fbe5-4e49-8256-e100915962d5", - "description": "Add control implementation description here for item ac-1_smt.a" + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c6e641b4-cb93-4712-a700-3ca6f3beff76", + "description": "ACME CISO is responsible for setting the organisation access control policies, and in The access control policies at a global level are reviewed on an annual cycle. ACME CISO also review access control policy whenever ACME legal and/or Compliance teams identify access control obligations." } ] }, { "statement-id": "ac-1_smt.b", - "uuid": "7c707396-ab90-41e1-b7bd-d61958b9819b", + "uuid": "688bc155-b30b-4ff9-9668-3df9e1756054", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4429be0b-f302-428f-92ec-abeb2c6cbf04", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "aa8b3464-4bae-40ad-b054-4478a7fc3942", "description": "Add control implementation description here for item ac-1_smt.b" } ] }, { "statement-id": "ac-1_smt.c", - "uuid": "219a3238-9a2b-4f10-8ab3-73b82b61cc32", + "uuid": "d0eabd80-410d-405f-9c7c-9e5efcdddf4d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "186df6d1-4c95-4214-9fa6-7770f18c6e2a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "76e0105e-9b86-43e1-aa7b-a19e3c0fbca3", "description": "Add control implementation description here for item ac-1_smt.c" } ] 
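Review bot: the new `ac-1_smt.a` description contains a broken sentence: "setting the organisation access control policies, and in The access control policies at a global level are reviewed on an annual cycle." This text is assembled from `ssp_author_demo/test_system/ac/ac-1.md` (listed in the diffstat), so the fix belongs in that markdown file followed by a re-run of `ssp-assemble`; an edit made directly to the JSON would be overwritten on the next run. The `smt.b` and `smt.c` items still carry the generated placeholder, so ac-1 is only partly described.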
@@ -109,137 +109,137 @@ ] }, { - "uuid": "9b32e446-b641-4ff9-bffd-be69f5ffaa08", + "uuid": "681405ed-b226-47bc-bd01-d8c83f5f6946", "control-id": "ac-2", "statements": [ { "statement-id": "ac-2_smt.a", - "uuid": "374be88c-f979-434a-b5c5-d6937f042738", + "uuid": "4ac51535-df98-488e-a3e5-d105269eba20", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e821ae4f-b1df-4066-960c-a21ec45d3beb", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e1668943-493d-4660-aad2-f05dd760dadb", "description": "Add control implementation description here for item ac-2_smt.a" } ] }, { "statement-id": "ac-2_smt.b", - "uuid": "4572c47b-9125-4c8a-8f1f-b67b10ff3ed1", + "uuid": "10b9c12b-4492-4763-8a05-92c349aa9b28", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "12acffd9-9066-4628-ba1a-5c4bf48a5838", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ed0fd74b-f582-42fd-964a-1aa149d62c31", "description": "Add control implementation description here for item ac-2_smt.b" } ] }, { "statement-id": "ac-2_smt.c", - "uuid": "960919eb-1af9-4f19-b931-6b7f30204612", + "uuid": "6612f4a2-6eaa-4974-b109-a740dbfda87d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "5e8ad8a7-6b20-4a16-b11d-43b8cb5f12f8", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "32a23eba-e3ed-4610-9060-0cbb34b55154", "description": "Add control implementation description here for item ac-2_smt.c" } ] }, { "statement-id": "ac-2_smt.d", - "uuid": "cb5fb121-72cc-4739-acc1-8ab34b4f3878", + "uuid": "5e550d64-9e0e-49ba-af16-677018e6dd15", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c7cdf79e-5c80-4e5f-aee2-7a439cc0886b", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "2ce28b92-fad1-4592-a79b-f051d96ac600", "description": "Add control implementation description here for item 
ac-2_smt.d" } ] }, { "statement-id": "ac-2_smt.e", - "uuid": "a42f54bc-6221-4b93-96f0-f1bf2b09f616", + "uuid": "c992acce-c3bf-4762-b02b-6726c75386a2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "43c77165-8f0b-4936-ab0c-fded3b9c87c0", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4b890016-d6e4-4e00-9018-cf64a6dbbfe3", "description": "Add control implementation description here for item ac-2_smt.e" } ] }, { "statement-id": "ac-2_smt.f", - "uuid": "c0f54800-c49b-46df-a1d4-117f6037beca", + "uuid": "632d4ff3-d5bf-4075-89aa-02cf2f0cd0f6", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0ceba6da-f8c2-4106-9dec-328a21972240", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6edd579e-163d-4bde-bbbf-a0ee99be3d5a", "description": "Add control implementation description here for item ac-2_smt.f" } ] }, { "statement-id": "ac-2_smt.g", - "uuid": "3053cc78-ba8e-4ec5-8eef-69ca1e83a49a", + "uuid": "9c432246-56e3-4e8e-97c0-035cca730afe", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "bc77f0f0-91a3-422e-957e-3153cd45acee", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e5770878-ea53-4474-95c4-22fbc0083ccb", "description": "Add control implementation description here for item ac-2_smt.g" } ] }, { "statement-id": "ac-2_smt.h", - "uuid": "022bd85a-121d-40c9-9a9d-636257865183", + "uuid": "ff7fafcf-b4ac-4d79-947f-041045657c68", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "18af1c95-9b05-4cdb-a4cb-44cfcb0ba676", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "03abb720-316d-4080-9f5f-052af2c026af", "description": "Add control implementation description here for item ac-2_smt.h" } ] }, { "statement-id": "ac-2_smt.i", - "uuid": "42f0c9f1-dff0-478c-b9be-ce76966b8090", + "uuid": "3de87fab-51eb-4a83-a645-940cd7845ff0", 
"by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "281e9ed2-1e81-4882-9db1-c8292233e679", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "7152bda2-5d8a-4e3d-a766-4cfd470ac294", "description": "Add control implementation description here for item ac-2_smt.i" } ] }, { "statement-id": "ac-2_smt.j", - "uuid": "93fd111f-2595-4ffc-bde5-d975483b02d8", + "uuid": "0d67acb9-9d7e-449c-a9a9-f04aa0c05521", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "608ee90a-1d33-44e8-b9ac-de18a2fe91a9", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "727c302a-726f-4d18-99ce-70a95082dd41", "description": "Add control implementation description here for item ac-2_smt.j" } ] }, { "statement-id": "ac-2_smt.k", - "uuid": "a8b20cfe-bd52-4de4-aba1-aac299604c07", + "uuid": "1620126c-eac2-43a4-975f-977dbf19cde5", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4a3592de-90ad-4baf-9beb-d128351cbf5a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "8d5e86f4-3acf-44dc-a9fa-a23f4dcd405f", "description": "Add control implementation description here for item ac-2_smt.k" } ] }, { "statement-id": "ac-2_smt.l", - "uuid": "54dbf934-5a2c-477a-bde0-24ee3f740f27", + "uuid": "e98c5325-de67-48e2-a042-5b4715b7f90e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c6864a4e-f2d8-4af5-a5bc-2ea0c5a842b7", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "fc36e589-b467-41a1-b064-a85e508692b2", "description": "Add control implementation description here for item ac-2_smt.l" } ] 
@@ -247,16 +247,16 @@ ] }, { - "uuid": "59666390-6303-4372-b1a4-4761116eb93b", + "uuid": "5044d337-d364-462d-8368-976a13757ad0", "control-id": "ac-3", "statements": [ { "statement-id": "ac-3_smt", - "uuid": "3422287c-ce1d-4afe-896e-2a37515f63cb", + "uuid": "1ef5a663-86d1-46b9-a658-990defd1fc1b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c12e16e8-0564-4769-99fe-fd04413ceeca", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c5cae1f5-f8f1-4939-820a-dc4958189747", "description": "Add control implementation description here for control ac-3" } ] @@ -264,27 +264,27 @@ ] }, { - "uuid": "94459171-ac99-4a8e-a5dc-152a6305ec29", + "uuid": "97854476-bd42-40f4-a45a-c46e90d94b62", "control-id": "ac-7", "statements": [ { "statement-id": "ac-7_smt.a", - "uuid": "3757cbe8-e5ab-45e0-9f63-e1bea3e7e367", + "uuid": "2bd7a51d-a2d5-4f2e-94a6-1740d40a840c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "58a47c30-8544-4ff5-bd9f-6be6d1da92c1", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "cd9c1ae7-b2dc-4810-b263-50f4ba05700c", "description": "Add control implementation description here for item ac-7_smt.a" } ] }, { "statement-id": "ac-7_smt.b", - "uuid": "c31e1995-0dbb-4d56-a43d-1565c53907c4", + "uuid": "01f1694f-bd98-4269-9f02-e0c022b8821e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "44b21980-6879-415b-9290-9bcfb4dd1511", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "332c12b0-ddfd-45f2-9e27-4bb314648ffb", "description": "Add control implementation description here for item ac-7_smt.b" } ] 
@@ -292,38 +292,38 @@ ] }, { - "uuid": "653a2eda-d25d-4065-9c60-63194cc05eee", + "uuid": "1547d581-d8f7-4a9a-a077-273084c4cdc8", "control-id": "ac-8", "statements": [ { "statement-id": "ac-8_smt.a", - "uuid": "248da9c9-9a23-4682-8d0e-11f7a6c4cfa8", + "uuid": "3a871b5e-8ecc-41a5-b498-14d593c6ae5f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "886d9d11-4638-499b-8e95-8d82ce839f68", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6953bbdc-ecbc-4f90-bede-60fda1dfe01f", "description": "Add control implementation description here for item ac-8_smt.a" } ] }, { "statement-id": "ac-8_smt.b", - "uuid": "47bc59c7-b002-4c3f-bcb6-c1c3a3f4a3fd", + "uuid": "c83b983d-c7c3-48e0-98b3-ba8902693161", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "96ab5b6b-b0a3-43f9-93fc-f3c13cc18af0", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b0c88ffe-0bbb-456c-8ecf-897d504dbb06", "description": "Add control implementation description here for item ac-8_smt.b" } ] }, { "statement-id": "ac-8_smt.c", - "uuid": "489424fb-47bd-425d-80cc-60e365ea5a37", + "uuid": "197e9dac-7c6d-4270-ab71-6ab6312a2939", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "16336970-6e3b-4dec-b64a-9c6f73f23649", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "59049872-450a-4459-9da8-80a109dcbd76", "description": "Add control implementation description here for item ac-8_smt.c" } ] 
@@ -331,27 +331,27 @@ ] }, { - "uuid": "4349a920-285a-4e8b-888c-ee3d297b324f", + "uuid": "591ea993-fead-4418-8f36-23e95b528764", "control-id": "ac-14", "statements": [ { "statement-id": "ac-14_smt.a", - "uuid": "23e732a6-884c-49e7-9296-8ad84edefc40", + "uuid": "16d28e1d-16b6-438b-add7-d1b50821ccc8", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "51bac606-2de2-48cc-bb9a-db68a9040850", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d1c0de57-4be7-4398-8ad3-88689043a572", "description": "Add control implementation description here for item ac-14_smt.a" } ] }, { "statement-id": "ac-14_smt.b", - "uuid": "39806464-21cd-46f2-beb6-0c68fed8f76c", + "uuid": "d8df05a2-6799-4320-8e94-b73806ec159c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "dcc4a475-98bd-475a-9f06-b847d7acbf21", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "517d9d97-f5f5-4759-a8a4-2e9a0d6dee32", "description": "Add control implementation description here for item ac-14_smt.b" } ] 
@@ -359,27 +359,27 @@ ] }, { - "uuid": "d622754b-ad69-4382-866e-caecc1efb4cb", + "uuid": "905c1e28-487a-4764-89b7-2a81b7ed8a82", "control-id": "ac-17", "statements": [ { "statement-id": "ac-17_smt.a", - "uuid": "23b4fddc-7bd3-4d7d-beaa-55f0ef7c9973", + "uuid": "54db3b04-9e2e-430c-ac14-82f80e3b0866", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6848fd22-3838-497d-948d-676f8f514d55", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f0e715ac-3196-4bfc-af69-a5e8b7e99276", "description": "Add control implementation description here for item ac-17_smt.a" } ] }, { "statement-id": "ac-17_smt.b", - "uuid": "38d54880-000c-4203-b5c8-e81756a596d5", + "uuid": "e9a1c98a-cb08-48ef-bc8d-e02195c442e8", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "bb66593d-fdee-425c-b624-5f9608b20933", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "01fd5203-b261-489e-aaad-ae593df71685", "description": "Add control implementation description here for item ac-17_smt.b" } ] 
@@ -387,27 +387,27 @@ ] }, { - "uuid": "db5fb7dc-1ad5-40dc-a651-e8ee72eb2f4e", + "uuid": "daeaa37c-ad8e-4460-8ea4-3f766c3bb21e", "control-id": "ac-18", "statements": [ { "statement-id": "ac-18_smt.a", - "uuid": "4aa87a8f-2654-4ec2-84a8-bd5a0fbcb89d", + "uuid": "25735b97-c7a5-4b9b-8feb-03be11a2633d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "2a0815b2-e161-40dc-8614-819c83c9edef", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a1ac8f7b-27bc-4326-ab15-e1b397dbec51", "description": "Add control implementation description here for item ac-18_smt.a" } ] }, { "statement-id": "ac-18_smt.b", - "uuid": "9fc87752-c324-4de0-989e-5b741e4f7d26", + "uuid": "f07b3262-e85d-45ea-97da-b506c6868727", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e1b18452-a2a9-4f21-b11f-7e41db6cf406", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c5175825-1dab-4f89-a722-e6745619fa3e", "description": "Add control implementation description here for item ac-18_smt.b" } ] 
@@ -415,27 +415,27 @@ ] }, { - "uuid": "3e0c71bb-0dd0-427d-a2ad-bd2523c6eb24", + "uuid": "35229c2b-e907-49b4-bb87-e110bf6823d5", "control-id": "ac-19", "statements": [ { "statement-id": "ac-19_smt.a", - "uuid": "17e03628-2e04-42b1-a4a8-45c0f910b564", + "uuid": "f8ca8239-de34-4e80-b197-726eb0cea739", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c92bff8f-9793-428d-ac11-0218ca80c0ca", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5b3e3701-b71b-4d5c-8ea1-4ac981c6fc3a", "description": "Add control implementation description here for item ac-19_smt.a" } ] }, { "statement-id": "ac-19_smt.b", - "uuid": "5a8d92cc-73e1-48a1-8cac-5f84f5b9a1ca", + "uuid": "34578c1d-8507-4d12-9657-5e03e015a95b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "72539ca0-20d4-46b1-ae0a-e36611f30ab8", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "20421ba2-6707-4387-9dfc-e3f15c917e7f", "description": "Add control implementation description here for item ac-19_smt.b" } ] 
@@ -443,27 +443,27 @@ ] }, { - "uuid": "b91bbc8c-0655-4e62-8c66-3635588487fb", + "uuid": "83dbdeac-0688-4b61-a14d-7c1b3ab1796a", "control-id": "ac-20", "statements": [ { "statement-id": "ac-20_smt.a", - "uuid": "b66f2fbd-5774-45b9-a79f-b84a69c395d1", + "uuid": "6413b7cd-0710-4b2c-b719-e420c63c581f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "5e8c4ca4-c2bc-4f0e-a19b-76e03cd52641", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "da429d12-faac-4e09-ae49-97cd69ce714e", "description": "Add control implementation description here for item ac-20_smt.a" } ] }, { "statement-id": "ac-20_smt.b", - "uuid": "f4f78566-d742-4233-9048-4cd051449ac5", + "uuid": "275f1f80-d05c-4f2a-87cd-d0f1073b65c5", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "71f350a0-e23d-461b-b861-4b6d40c8831e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9f7118b7-9879-4f7d-9d4f-644a66872e60", "description": "Add control implementation description here for item ac-20_smt.b" } ] 
@@ -471,49 +471,49 @@ ] }, { - "uuid": "f46803ad-96a2-44c6-acd4-3023a565c55e", + "uuid": "b1af7ec8-9f68-4479-877b-9cd1f5d4a83d", "control-id": "ac-22", "statements": [ { "statement-id": "ac-22_smt.a", - "uuid": "53672918-a0ee-4d05-af6b-b736f315a33c", + "uuid": "bc4e496b-8a0c-4e5d-81ec-ff5d9e5b9586", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "27dacd8a-b322-41ad-b0a3-50eb55098033", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "26a93e4d-90e7-4307-8796-1e389451e349", "description": "Add control implementation description here for item ac-22_smt.a" } ] }, { "statement-id": "ac-22_smt.b", - "uuid": "a4e1a61c-b2d8-437f-a10f-1dbd27ec4eb5", + "uuid": "07400a3e-ffa1-4ef5-b4c0-b1e46e021dca", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c43e13b5-4fce-4423-8a39-bb485700bb44", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a8825161-4a2e-423f-9fbf-e4f0f8b10728", "description": "Add control implementation description here for item ac-22_smt.b" } ] }, { "statement-id": "ac-22_smt.c", - "uuid": "8c3a71df-84d0-4293-8d7f-e95442814dd0", + "uuid": "3c350148-36b5-4891-8c69-673837c159ea", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1829b46f-508f-47c1-b628-2be54a530e9d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "86345ff2-c534-42ef-a2d5-5de3a6b3b2aa", "description": "Add control implementation description here for item ac-22_smt.c" } ] }, { "statement-id": "ac-22_smt.d", - "uuid": "322f88e2-02a0-4622-9f20-efe53d25eb90", + "uuid": "ee9144cd-7bd7-456f-b4df-c87bf47e9084", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1432de64-7b57-466c-8408-3acc226db27e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c5fac33b-d683-4856-b7c3-bda7b51978ea", "description": "Add control implementation description here for item 
ac-22_smt.d" } ] @@ -521,38 +521,38 @@ ] }, { - "uuid": "11f739f7-82a2-420d-8767-f2d7fe0ceb9e", + "uuid": "903e5f22-6811-4a8f-9421-1e61e91b6429", "control-id": "at-1", "statements": [ { "statement-id": "at-1_smt.a", - "uuid": "0d4b9fb2-9301-41e8-b67d-4c97e3e10a29", + "uuid": "0f0fafc0-f414-4c11-97a1-2ad41e500411", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "8e1c1135-c20b-4ec6-a3d2-d97745079b78", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ceaac3e0-182a-4d6b-99ed-2121a0959438", "description": "Add control implementation description here for item at-1_smt.a" } ] }, { "statement-id": "at-1_smt.b", - "uuid": "40d49a19-6a5b-410b-a0a4-06d14c412864", + "uuid": "daa41b35-fcf7-4e1e-ad98-ae3736a099db", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "369957f3-b5c6-4160-8c76-fd9387a78fc9", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c38f5419-0c67-43f2-bca6-59ad2fc55117", "description": "Add control implementation description here for item at-1_smt.b" } ] }, { "statement-id": "at-1_smt.c", - "uuid": "2de41d77-0631-47c1-9f2c-3451e7862cfe", + "uuid": "d9923b6c-8cc3-4806-8c67-048199c7b6b0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "eb47fe43-13b4-4ac9-9489-ad65cd8722d2", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "41903b93-e386-492e-903b-c77f4d1e5c41", "description": "Add control implementation description here for item at-1_smt.c" } ] 
@@ -560,49 +560,49 @@ ] }, { - "uuid": "d38f695c-5646-4268-93c8-72ce0fd8cc5d", + "uuid": "7341469e-9aea-40f4-9bba-a58f782d96e4", "control-id": "at-2", "statements": [ { "statement-id": "at-2_smt.a", - "uuid": "92e80039-a3c9-4457-a986-39d7d2066193", + "uuid": "7ff42631-c973-4a63-b316-8148ee0e047d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b0a48bdb-437c-4feb-8abd-9fa355e70218", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "69f36561-b6cd-45df-91ec-7b537a25889b", "description": "Add control implementation description here for item at-2_smt.a" } ] }, { "statement-id": "at-2_smt.b", - "uuid": "7495ab8e-8156-4320-a28f-26e8ccb5512a", + "uuid": "2a91960a-c2fd-47ce-84d8-97d49724d702", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d9787cd5-4b0e-4a44-b47d-0b4544461f16", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "013349a6-12f7-440c-a342-7d2ae60ce84a", "description": "Add control implementation description here for item at-2_smt.b" } ] }, { "statement-id": "at-2_smt.c", - "uuid": "bec89f24-7590-4d2b-b1af-93768fbe0b53", + "uuid": "c8017e22-9306-45fd-afb4-4b0dbc1ed334", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "5d4da844-129b-49b4-9099-b96ff0bf7c77", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9056fd5e-c4f6-48aa-a63d-cce32f8d6f1e", "description": "Add control implementation description here for item at-2_smt.c" } ] }, { "statement-id": "at-2_smt.d", - "uuid": "818de687-4742-4255-8afd-5fb2fb27187e", + "uuid": "f37d291a-082b-4dab-83ea-2e7ac0ab1aa7", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "909b9318-9231-46ea-8d8f-8e5deffbb1a3", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "355bafcc-2856-417e-9c2e-7e7e49961413", "description": "Add control implementation description here for item 
at-2_smt.d" } ] @@ -610,16 +610,16 @@ ] }, { - "uuid": "37986b13-7ecc-4274-82e4-e1b015815521", + "uuid": "bd979ef7-eab0-498f-894f-0716ef8e69b6", "control-id": "at-2.2", "statements": [ { "statement-id": "at-2.2_smt", - "uuid": "d3f13f44-3897-411f-b328-e050be49862a", + "uuid": "a824a9ea-ad68-433a-9aa0-2e1a4e054535", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "bc0b8c36-4e75-4a79-963f-fa98d756610b", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e7f44e01-61e3-4d23-a2d4-8f157207fffb", "description": "Add control implementation description here for control at-2.2" } ] 
@@ -627,38 +627,38 @@ ] }, { - "uuid": "9e9d6542-5b3a-44cb-953f-0133dbca50d9", + "uuid": "4e9d9d5f-6358-4da5-bfb2-b58fc67c57eb", "control-id": "at-3", "statements": [ { "statement-id": "at-3_smt.a", - "uuid": "d79aea87-8554-4360-8d45-361b32d347b7", + "uuid": "5866f8c0-b283-4946-a4a7-70cce2fb8faa", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "5017b39a-e94f-4b31-be97-ce52f364226e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "fa56f805-a340-4c4a-8eba-4da29bb5a4c3", "description": "Add control implementation description here for item at-3_smt.a" } ] }, { "statement-id": "at-3_smt.b", - "uuid": "c383a808-c4cc-47d1-8a7c-cf96b864b176", + "uuid": "6ce02a25-55b2-4746-9acf-97e567de59ac", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "72f21215-84d6-45a6-b56f-6eaf64c8cdc2", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "30195a1a-14ef-474d-ae1a-d108f11474e1", "description": "Add control implementation description here for item at-3_smt.b" } ] }, { "statement-id": "at-3_smt.c", - "uuid": "91b487df-e70c-4f93-982a-8191f5ace83b", + "uuid": "a773b1cc-1d9e-48ff-ace1-5edf982e20b4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d1b76975-d3c2-4c26-a65a-80a06d807e28", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6709be29-4502-40a2-b059-a0376fb565dc", "description": "Add control implementation description here for item at-3_smt.c" } ] 
@@ -666,27 +666,27 @@ ] }, { - "uuid": "59c9465c-91a7-4953-a481-536fcf98ae83", + "uuid": "6451a258-0215-4a94-865f-34eda1ae4124", "control-id": "at-4", "statements": [ { "statement-id": "at-4_smt.a", - "uuid": "2b209147-6788-45d0-87c7-3545faaac44b", + "uuid": "776d6080-cb80-4e87-93cb-e536083c1dd0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "2d41493b-a62b-49dc-9c55-a5de6dd81155", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c1422c5d-0955-41f4-bdf3-2e736a83f146", "description": "Add control implementation description here for item at-4_smt.a" } ] }, { "statement-id": "at-4_smt.b", - "uuid": "ed207fdf-9b5b-4be5-a98c-578b709e46d5", + "uuid": "a4eaab25-7f3e-45f1-b73a-aa2ba84c418f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "896ee6b2-7234-4242-a9b8-84cd4da5c1c7", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "61ddb776-918c-4bf7-89e5-61ab453f5ec7", "description": "Add control implementation description here for item at-4_smt.b" } ] 
@@ -694,38 +694,38 @@ ] }, { - "uuid": "16c874b4-cfd7-46e1-abfd-41e190cc2e0c", + "uuid": "16d88b5b-775f-4908-af69-883c27b359fc", "control-id": "au-1", "statements": [ { "statement-id": "au-1_smt.a", - "uuid": "a35aabaf-ed71-4394-932c-657f18507d61", + "uuid": "6d904982-c0b7-4a1c-91d2-5b9bee065bc1", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "50014d8e-88c7-4cd2-816c-10a2082d0551", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "cf38dcc8-791c-4ea2-b7cb-b466fd822f34", "description": "Add control implementation description here for item au-1_smt.a" } ] }, { "statement-id": "au-1_smt.b", - "uuid": "b0f9f0ef-bd31-4360-bebc-92e956d58f88", + "uuid": "be485e64-5e52-4b3b-84b4-3240c01291a2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "5ea83801-e958-48e1-9fba-ee7dd081bd7e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e8057443-3b85-4f20-8cd3-aeb85cea86fb", "description": "Add control implementation description here for item au-1_smt.b" } ] }, { "statement-id": "au-1_smt.c", - "uuid": "68797bc3-b653-4f18-8ef4-853152fea24b", + "uuid": "bee94845-58ab-4db4-8697-7b8a557f9d40", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "cd9a9d65-b298-48d2-9418-8a9091fc5d4d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c1233c4d-caf6-424f-b240-256cbeab5676", "description": "Add control implementation description here for item au-1_smt.c" } ] 
@@ -733,60 +733,60 @@ ] }, { - "uuid": "2f79ab39-e983-4aaf-a5d8-985679f6996d", + "uuid": "f52909b8-a157-4f4c-8168-969e461e52ec", "control-id": "au-2", "statements": [ { "statement-id": "au-2_smt.a", - "uuid": "d1de0269-29cb-489f-8c96-f5dd8c6ce2d7", + "uuid": "424637d8-552a-4631-84e1-49ed796921d7", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "cc086b23-93b8-4e25-ac07-17f8d5166dd8", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e8982d4e-152a-4d95-861b-5e4253698fa0", "description": "Add control implementation description here for item au-2_smt.a" } ] }, { "statement-id": "au-2_smt.b", - "uuid": "526cbc25-163f-4c6f-b10d-faf4227cf96d", + "uuid": "f1c3fc35-c924-43d9-a687-b8daccea55c5", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "651a2c68-0599-4a48-be54-18b527f26468", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4408467f-16e3-439c-b46c-8a4eb5009a3f", "description": "Add control implementation description here for item au-2_smt.b" } ] }, { "statement-id": "au-2_smt.c", - "uuid": "a59a46ae-3901-47c6-80fc-675272d0dcce", + "uuid": "4eebc598-5597-43b9-b80e-52b57b4c88c2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0f279283-14ad-4467-be3d-3b338f9873fb", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "aeb4198d-2b59-4f6a-b9b5-292c6781b6c2", "description": "Add control implementation description here for item au-2_smt.c" } ] }, { "statement-id": "au-2_smt.d", - "uuid": "3fc888c8-9070-464f-bfff-a64d0978d841", + "uuid": "f6f2aaee-b349-4fb5-bd87-a6f30846e2db", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "9c54f878-f3a7-4a74-b064-8302f00f4fbc", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f42f76c4-409a-48c1-8966-f674a13031f7", "description": "Add control implementation description here for item 
au-2_smt.d" } ] }, { "statement-id": "au-2_smt.e", - "uuid": "71dc1b49-f58a-4a4c-ae6f-40fbb51eafce", + "uuid": "60b165de-7b39-470c-b268-e192012ae2f1", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ec265456-fec6-4c57-9873-34e11004e84e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b600cb16-67c8-41ea-97ba-2f63de423514", "description": "Add control implementation description here for item au-2_smt.e" } ] 
@@ -794,71 +794,71 @@ ] }, { - "uuid": "86d4be20-2b22-4662-bdf0-94780f5fac60", + "uuid": "9f721e30-d19f-4554-8c74-4202532ab147", "control-id": "au-3", "statements": [ { "statement-id": "au-3_smt.a", - "uuid": "66f8de95-1b00-427e-8b52-3eeaa76a33d3", + "uuid": "f919571f-d8d5-4d6f-8a3d-39f8e2b7f044", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "8988b560-52c4-469e-8979-faf21daec71d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a5b832a0-3c90-4744-b921-b72d645fa00a", "description": "Add control implementation description here for item au-3_smt.a" } ] }, { "statement-id": "au-3_smt.b", - "uuid": "6e52d8c1-15b2-49c3-bf00-6f3837d176d3", + "uuid": "1847034b-7699-47c8-8a65-fb8dd29ca11b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "46a1da96-16f2-4d7b-8476-20e4326e7b98", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b700895d-bf6a-449c-a883-c07c7cbd1b26", "description": "Add control implementation description here for item au-3_smt.b" } ] }, { "statement-id": "au-3_smt.c", - "uuid": "b52b39d5-bb0c-45e3-aa71-134281f829b9", + "uuid": "df9f23b7-e963-4422-9c6e-84645e12dfc0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "72d26026-79f8-44c5-9aa2-a44cc8c9641e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "94d6af20-bd13-41a8-91bf-4c60e7010c40", "description": "Add control implementation description here for item au-3_smt.c" } ] }, { "statement-id": "au-3_smt.d", - "uuid": "ffd0129d-5ed8-40d0-9c1f-fe73e8d8c9d9", + "uuid": "80e4a74e-e85d-4821-ab73-c9a8b0d773ba", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "777f6931-f67b-42c7-a35d-7767d87a94d9", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d64995a0-9564-466a-a171-7aacbad42587", "description": "Add control implementation description here for item 
au-3_smt.d" } ] }, { "statement-id": "au-3_smt.e", - "uuid": "7ca283a2-8b06-4aa8-8aea-1dcc9be48478", + "uuid": "0157be41-3114-4cc9-bdb0-690981aefb9d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "49525c06-f606-4fe9-a5a6-08356ce5ab4e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f6f7d635-fcfe-42bf-820d-8f829f2f952e", "description": "Add control implementation description here for item au-3_smt.e" } ] }, { "statement-id": "au-3_smt.f", - "uuid": "a10026f3-611d-4ea7-89eb-5d13c36e9a5a", + "uuid": "692570e0-95ab-4e99-b2c8-6cb3caef1d94", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "07b32717-8cc0-4822-9caf-e66925548b24", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "8b23ee3c-1374-48b2-b5b0-89a53098d6df", "description": "Add control implementation description here for item au-3_smt.f" } ] @@ -866,16 +866,16 @@ ] }, { - "uuid": "0bdaa690-372b-4c38-a09f-3e674dcad413", + "uuid": "896d739c-b4ed-4e47-95a0-76a24a63db4a", "control-id": "au-4", "statements": [ { "statement-id": "au-4_smt", - "uuid": "fb571984-0e92-4847-b6d7-b41603405a3c", + "uuid": "2280ff0c-c6d1-40a5-88f9-1544fed97c4d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4d497565-0850-4fdb-82a7-dbe288e19b36", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c5a60315-5292-4084-a0f0-56bd483fdef1", "description": "Add control implementation description here for control au-4" } ] 
@@ -883,27 +883,27 @@ ] }, { - "uuid": "c05197a8-a643-4e31-9723-e11556d6afe0", + "uuid": "9a917b63-f28d-4a80-9266-fb74c175ce9b", "control-id": "au-5", "statements": [ { "statement-id": "au-5_smt.a", - "uuid": "a9ea6752-4c55-4301-a104-d66e98e2baa5", + "uuid": "c4d4db6b-5751-46aa-8eee-c4c55211f5ae", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "7b6e0453-9d7e-4635-9d77-5b930275491f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "1372a5d2-a043-4c55-b4c1-6bc80156389c", "description": "Add control implementation description here for item au-5_smt.a" } ] }, { "statement-id": "au-5_smt.b", - "uuid": "ad56331e-580d-4b83-a95b-4d70e1fcd256", + "uuid": "5cc6a70a-f0d0-410d-8a02-9b6665bf4cf9", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "7a119f65-7a33-4324-b5cb-e9060740b7ed", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0442722b-910c-4f5f-a153-8285a66a8d1e", "description": "Add control implementation description here for item au-5_smt.b" } ] 
@@ -911,38 +911,38 @@ ] }, { - "uuid": "690dffc8-d089-4b5c-b9fe-0f1fd77f9072", + "uuid": "c6514f1f-1fda-44cd-a10e-02719a2ba97d", "control-id": "au-6", "statements": [ { "statement-id": "au-6_smt.a", - "uuid": "90bf4da1-7780-45cc-aafc-8b179414d1ac", + "uuid": "92d477ef-0da3-43e4-9bb7-b91ceeef5b7b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "964ddef6-8cf8-4451-b2e5-6c65c673646f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ee8caab4-87f5-48a1-90a4-24162a40c974", "description": "Add control implementation description here for item au-6_smt.a" } ] }, { "statement-id": "au-6_smt.b", - "uuid": "ddc7e48e-2378-4eb6-8846-328ec01290c0", + "uuid": "9d9a898f-ecb8-4618-81ba-d48f3a961a78", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "cd2b1e9d-f010-4b5a-ae14-248a0741c9ac", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "759cdf70-e8cd-4791-a1b7-93abf54aee62", "description": "Add control implementation description here for item au-6_smt.b" } ] }, { "statement-id": "au-6_smt.c", - "uuid": "ac0d9d00-6ba0-447a-a969-fc07be1b052e", + "uuid": "55a071e6-8939-431d-b120-4ac3bc39ee0a", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "63c9aa76-3bfe-4bb1-9d66-64037d432c61", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a724ebf3-ba23-48fe-8c8d-a87dc4f65c18", "description": "Add control implementation description here for item au-6_smt.c" } ] 
@@ -950,27 +950,27 @@ ] }, { - "uuid": "40695377-7891-4411-ad2b-2b36887727ec", + "uuid": "d5ad03ed-f4a1-4f6c-9f5c-b8e645cef58b", "control-id": "au-8", "statements": [ { "statement-id": "au-8_smt.a", - "uuid": "4b3df300-ba75-41fa-ae0b-b8ea6e4c4405", + "uuid": "a128adbc-2afb-4710-8456-428b0916657b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ac9672f6-3354-49b1-85e4-f69ea2ad30c7", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "da8b44dd-f3b5-44de-a872-21f33f5165b7", "description": "Add control implementation description here for item au-8_smt.a" } ] }, { "statement-id": "au-8_smt.b", - "uuid": "198086d5-8d2b-4981-b81f-94a4f69d4da5", + "uuid": "5b8d479e-80ea-4b41-8e83-1704e1e1065d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "668ca2ba-1d02-4607-b82c-907b12401811", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "deb61682-4682-4ec8-8ed2-6d8752fbf215", "description": "Add control implementation description here for item au-8_smt.b" } ] 
@@ -978,27 +978,27 @@ ] }, { - "uuid": "c5758a2c-04f5-4470-86eb-bf3bd094cef9", + "uuid": "ba748869-3733-4ba3-af46-ef0fd9331402", "control-id": "au-9", "statements": [ { "statement-id": "au-9_smt.a", - "uuid": "b771e137-950f-4ba2-b309-b1473acaae19", + "uuid": "d74c5336-d0f6-41d6-a79b-4c125a55269d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "58ced3f6-d6d4-4d43-829e-7fb3bd7e63a3", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "fbbb40ad-9654-4d49-9fe6-54adb48b663b", "description": "Add control implementation description here for item au-9_smt.a" } ] }, { "statement-id": "au-9_smt.b", - "uuid": "3777411d-d69f-4f5c-9c89-1359616148d9", + "uuid": "b476116c-1df4-4477-a224-c16acbfdce38", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "783474e2-2cbf-4ac1-aa14-89c227fdeee8", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e21e4e63-9cfb-4892-b38c-cb1e17f02f6f", "description": "Add control implementation description here for item au-9_smt.b" } ] @@ -1006,16 +1006,16 @@ ] }, { - "uuid": "a0cfcb30-ba0e-4a0b-bc08-cca3d1bc3739", + "uuid": "b6628000-1a32-427b-85fb-a333e7fc1057", "control-id": "au-11", "statements": [ { "statement-id": "au-11_smt", - "uuid": "dac3b1cd-8cda-4bca-a61e-d4d7795ef77d", + "uuid": "5b140433-f32d-4bd6-b44a-279744f6b6cd", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "aebc0cf6-b04b-4793-acf1-8a5380edc50d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e10efffa-dee2-430e-9afc-a5c812444589", "description": "Add control implementation description here for control au-11" } ] 
@@ -1023,38 +1023,38 @@ ] }, { - "uuid": "335f8c2f-928b-416c-b452-280418a08fc5", + "uuid": "6d186c82-98ff-4803-80fc-e090ca2fc2cd", "control-id": "au-12", "statements": [ { "statement-id": "au-12_smt.a", - "uuid": "09407beb-1f1c-43a4-bd88-e87e6a738a99", + "uuid": "ce83ed98-f276-4081-ba46-1589dc43169f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4184f922-591c-45ff-ace6-a7d3ea2ef754", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "25da3675-8c52-4af9-835f-70a9ca94c2dc", "description": "Add control implementation description here for item au-12_smt.a" } ] }, { "statement-id": "au-12_smt.b", - "uuid": "60f44ac9-ee48-48f1-863e-7774196a5f52", + "uuid": "24a802b6-c8b0-48f1-bf3f-affb5e11c0d1", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d742aa55-649c-4d9e-a426-9936c10c573c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c8c20e78-cb32-4f01-bb24-1f4b7f122f64", "description": "Add control implementation description here for item au-12_smt.b" } ] }, { "statement-id": "au-12_smt.c", - "uuid": "1f82c478-a44f-43da-9e1b-59aa51d864f9", + "uuid": "108e9a31-34ef-4f79-ad88-76d81c4bc75d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "84092fc6-c598-4721-85a6-9d7304e3f7a2", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "3fb6c02d-beda-4c49-adeb-c8f2b953b868", "description": "Add control implementation description here for item au-12_smt.c" } ] 
@@ -1062,38 +1062,38 @@ ] }, { - "uuid": "ac14fdcf-034f-43b6-845c-5ec1cbd049e9", + "uuid": "cb09586b-33ab-4081-be8d-b254e18c7913", "control-id": "ca-1", "statements": [ { "statement-id": "ca-1_smt.a", - "uuid": "071191f0-68e4-4eb5-8ae5-5015a07ab902", + "uuid": "6312d300-2c01-4fbc-a7e5-bdbf60c2c312", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1e6db02f-f2c1-4214-9116-95f2a8387f1b", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "11191935-0b2c-495e-800e-515c1ea895ea", "description": "Add control implementation description here for item ca-1_smt.a" } ] }, { "statement-id": "ca-1_smt.b", - "uuid": "78ea607c-1322-4b70-a9f2-ea50898450cf", + "uuid": "c63407b1-ef7f-451c-98d0-3186a9232934", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "996b8e27-434a-4deb-8cef-c7093b55c188", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "834c558a-7fe3-4d51-8aa9-b7c94bf5c383", "description": "Add control implementation description here for item ca-1_smt.b" } ] }, { "statement-id": "ca-1_smt.c", - "uuid": "5682a810-57bd-4a61-84a7-c4b4968a5d8d", + "uuid": "42ec8a69-3eeb-4cf1-bac9-6cbc8509f4aa", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "36b89a75-0628-4845-b549-94ced3660972", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c57b8614-65c0-4f1c-9b1e-f0e5e05d7b42", "description": "Add control implementation description here for item ca-1_smt.c" } ] 
@@ -1101,71 +1101,71 @@ ] }, { - "uuid": "28ad16c4-7c35-417a-86a9-bbe0bba671ea", + "uuid": "40eeba9c-8354-43f0-afc6-a96d14487cbd", "control-id": "ca-2", "statements": [ { "statement-id": "ca-2_smt.a", - "uuid": "3dc49c8a-42c8-46ed-81bc-12426143fdee", + "uuid": "b824b4a5-5fda-4837-8672-19269da15348", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "912d7f1c-da5b-452b-9202-aff87bc051d2", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ed2f2415-a4c0-422b-a069-88ae8a3dec1c", "description": "Add control implementation description here for item ca-2_smt.a" } ] }, { "statement-id": "ca-2_smt.b", - "uuid": "e1298c6c-38be-4bbd-ab64-3f52c7fcd7b7", + "uuid": "71e11449-c9e9-49fe-9b2f-d2556728908d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "46e56a25-e515-4a8c-a599-b51313340881", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ccaa84b2-0325-4c92-a618-d2945b7ae07b", "description": "Add control implementation description here for item ca-2_smt.b" } ] }, { "statement-id": "ca-2_smt.c", - "uuid": "77622175-af2b-460a-a89c-b7e860557a80", + "uuid": "39f1e720-fc8d-43e0-acf1-76ff6dce559b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "3f93a306-cb75-467e-9052-61a8009362fd", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ab302057-680e-4818-bbb7-0a6c0c07556f", "description": "Add control implementation description here for item ca-2_smt.c" } ] }, { "statement-id": "ca-2_smt.d", - "uuid": "38e632e4-3a53-4b18-9e1d-1f78bc5e71a1", + "uuid": "12155b08-4773-400e-9dc5-0ad4fa2ef1c2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "9b4de2fc-ec13-4443-abfc-11a167a08021", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "1f74f515-a074-4359-8507-9a9a5ac26933", "description": "Add control implementation description here for item 
ca-2_smt.d" } ] }, { "statement-id": "ca-2_smt.e", - "uuid": "05b0aff8-508f-4fae-87b2-4898e3ddcb8d", + "uuid": "1433be3c-39a1-4caa-bd52-800eae8bf48f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "61241915-b64d-440d-af2c-82b99a06f5ac", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "915abe60-6d76-41f9-ae86-d67d348edee1", "description": "Add control implementation description here for item ca-2_smt.e" } ] }, { "statement-id": "ca-2_smt.f", - "uuid": "1ddcf14b-8013-4814-9c8b-480e6368e1cf", + "uuid": "20bec4bc-49a8-46c9-ad2d-2c81d3ccdfa4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d605aa3c-a141-4f67-83df-137c22c74817", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0860b8fa-8766-4166-a689-5e9834bd0ba3", "description": "Add control implementation description here for item ca-2_smt.f" } ] 
@@ -1173,38 +1173,38 @@ ] }, { - "uuid": "f064db16-33e3-4a0b-ad80-8e10a9d34867", + "uuid": "05cde52a-33b2-497a-afd8-fc689b0807bf", "control-id": "ca-3", "statements": [ { "statement-id": "ca-3_smt.a", - "uuid": "8c8ec80d-521f-4fd4-8e6c-5aac62d1b3eb", + "uuid": "4b281cc1-c98c-46fe-9ad4-3a60e1f48721", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1d2c90fe-be1c-45a8-9ae6-d547c4dce8ea", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a30845cb-03bc-472a-b527-82b58c7091ab", "description": "Add control implementation description here for item ca-3_smt.a" } ] }, { "statement-id": "ca-3_smt.b", - "uuid": "17475df7-aa9f-489f-98c7-a83ca8a743fe", + "uuid": "801c2ebf-7674-4226-b449-d669ede81591", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c02eec6c-0dbd-4a27-9724-a1116e6bdcb8", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9279d328-12c0-48aa-918d-5b6817569666", "description": "Add control implementation description here for item ca-3_smt.b" } ] }, { "statement-id": "ca-3_smt.c", - "uuid": "884942a0-a02d-451e-8b93-af9f8d591d02", + "uuid": "420806ce-2842-4712-829d-81b09b880580", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ca11e616-e671-4dd9-9da8-0b3e53d6a658", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "3f3d9165-6ea3-4544-befa-01a921158ba7", "description": "Add control implementation description here for item ca-3_smt.c" } ] 
@@ -1212,27 +1212,27 @@ ] }, { - "uuid": "ae5e6c26-270d-4210-b16e-107a24e5eb61", + "uuid": "5876a961-4fe3-498b-9a1c-420c038ee734", "control-id": "ca-5", "statements": [ { "statement-id": "ca-5_smt.a", - "uuid": "4373b640-a329-4115-a030-f8f0dddf7e52", + "uuid": "8666e45a-45e1-4849-874f-541828edb599", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "20099967-452c-4287-9b7c-21e85185daa0", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "3259538d-9c2f-46b9-9f75-222e3de62539", "description": "Add control implementation description here for item ca-5_smt.a" } ] }, { "statement-id": "ca-5_smt.b", - "uuid": "5c320ed4-55fc-4c42-9bbf-1651547fdda5", + "uuid": "0c43c62f-b055-4b75-b81d-a8f0e3675e1a", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "2d4434a3-fdd6-4340-a6ed-f6ddb2a86f72", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f7ec3228-eb4b-4288-805d-c5af9d2bca82", "description": "Add control implementation description here for item ca-5_smt.b" } ] 
@@ -1240,60 +1240,60 @@ ] }, { - "uuid": "c0fd6ae2-614b-4a36-b0c3-812ae9bb277e", + "uuid": "d4194d8f-aeb4-4498-88a0-30cc2a2eeeba", "control-id": "ca-6", "statements": [ { "statement-id": "ca-6_smt.a", - "uuid": "a3faa2a4-29b0-412c-9452-2bc5b5c66270", + "uuid": "12ab40d4-1c20-48b3-b82e-80b95afd8985", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "2a7cff34-d376-490b-9466-48a5853e4be7", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "919bd7df-1516-410c-835a-e1c57955a6f1", "description": "Add control implementation description here for item ca-6_smt.a" } ] }, { "statement-id": "ca-6_smt.b", - "uuid": "de9c3d28-fb42-4316-a4d6-359d5deeda62", + "uuid": "e320752e-1b82-46a8-af11-c80619ca0709", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "7f3ef9fd-7b2d-4d02-874a-f8de469b98ea", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "aaeb6129-44da-425d-b854-d9a5630272e5", "description": "Add control implementation description here for item ca-6_smt.b" } ] }, { "statement-id": "ca-6_smt.c", - "uuid": "62353ed3-28a3-4a68-8732-0b4911cfd594", + "uuid": "8be97385-0d44-408a-8da7-39d5b9009d36", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "a63b89b1-3f0a-4d60-aa59-7a4479b7f0e3", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0fd55ced-15ae-4a33-a510-8e11c70c7d93", "description": "Add control implementation description here for item ca-6_smt.c" } ] }, { "statement-id": "ca-6_smt.d", - "uuid": "1692f7ef-b05c-4ca8-828b-520402bf42f0", + "uuid": "2ae9f077-1d29-43e9-832a-b13dc248294f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f016c777-3c61-44d9-853d-73476393bb22", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e96a1bbf-ae6c-4f6c-81a9-2da325fe70aa", "description": "Add control implementation description here for item 
ca-6_smt.d" } ] }, { "statement-id": "ca-6_smt.e", - "uuid": "6c53fbae-c408-416c-bfb8-8f9117fa661e", + "uuid": "006038ec-d1c0-468c-8b1f-64d17ca637c2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "69dc7664-9ee8-466f-8f6e-1ddb8a00da0b", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "fd214b51-014c-452d-a8ec-3ae7160a95f1", "description": "Add control implementation description here for item ca-6_smt.e" } ] 
@@ -1301,82 +1301,82 @@ ] }, { - "uuid": "2b027611-7cb4-40d6-9f6f-cdd20a5f5113", + "uuid": "10605c21-2482-4bb8-b0ff-c29f5d92f671", "control-id": "ca-7", "statements": [ { "statement-id": "ca-7_smt.a", - "uuid": "aa1a510d-2a57-41ef-9ecd-61e948b61ab2", + "uuid": "5fe859d9-eb8e-4eca-b008-d4c658448d0e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "685b9493-0ee9-4219-ac12-84a71a058cc9", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "130f0c74-9794-48e4-91a0-106e2bdf8450", "description": "Add control implementation description here for item ca-7_smt.a" } ] }, { "statement-id": "ca-7_smt.b", - "uuid": "134c63a2-69af-4c14-b20b-2aae90551125", + "uuid": "a21bd48d-5b1b-475f-b695-896961cd20d0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "19a69c4a-2fc3-4408-aeee-4faa386a3e4c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "cf785dd2-d592-4bf9-8bde-b5177ef3c2a0", "description": "Add control implementation description here for item ca-7_smt.b" } ] }, { "statement-id": "ca-7_smt.c", - "uuid": "750f2e7a-c131-43be-8bb0-0af5d858c877", + "uuid": "1afce6e1-8c70-4306-a2d6-8af798e70228", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4ab99b74-4fb0-4bc7-9e79-c5aa2540f8aa", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ff42475f-e9bd-4a22-8cc4-2591802c72a0", "description": "Add control implementation description here for item ca-7_smt.c" } ] }, { "statement-id": "ca-7_smt.d", - "uuid": "48690e07-bb36-4341-a009-8cee7b6aefe3", + "uuid": "7f0dede6-e8fc-464a-932d-0e7fd731c69b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0943f29c-72fa-41a4-bb35-7acdb6d95959", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "bfa49940-dd78-4985-ae54-22b5679ba439", "description": "Add control implementation description here for item 
ca-7_smt.d" } ] }, { "statement-id": "ca-7_smt.e", - "uuid": "b8edf63e-fb51-4923-a43c-cc85020ce738", + "uuid": "a024e655-d126-4c3e-8a1b-d2cdf9e1aae0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "45e45e6b-4e6e-4cd6-97a3-59c2edbe3eab", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b7141fa8-d7f5-4b2b-922b-25e3cabc56cf", "description": "Add control implementation description here for item ca-7_smt.e" } ] }, { "statement-id": "ca-7_smt.f", - "uuid": "94997bc4-78bb-4e77-9b43-720ce3db9a06", + "uuid": "3427c99f-d9e4-4f28-85ab-c25ba9f44e25", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1fd09f29-b723-4359-b0b7-522faa4787db", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d336fd95-b043-453a-bc1c-b6144efb1993", "description": "Add control implementation description here for item ca-7_smt.f" } ] }, { "statement-id": "ca-7_smt.g", - "uuid": "157b987f-142c-463a-ac6a-f35d3db279ac", + "uuid": "af20c23b-66e5-4d8b-9b28-577f5a960155", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0f14198e-34ea-4795-8c2a-ad8615aa8f18", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5011da53-0821-44bd-b1b7-20780555f880", "description": "Add control implementation description here for item ca-7_smt.g" } ] 
@@ -1384,38 +1384,38 @@ ] }, { - "uuid": "880a47ca-4f9a-4a00-b334-8273841bad44", + "uuid": "8c08368d-4882-48a2-bb4c-70c7e7c78363", "control-id": "ca-7.4", "statements": [ { "statement-id": "ca-7.4_smt.a", - "uuid": "bd19d2dd-db1b-4f72-9489-9019e050f669", + "uuid": "369dc158-1963-4020-8ad7-78441479c8ed", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1e780336-8ad5-4dc4-88aa-4e59b22ded09", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "7991dd08-4785-41e8-bc25-8c83397986be", "description": "Add control implementation description here for item ca-7.4_smt.a" } ] }, { "statement-id": "ca-7.4_smt.b", - "uuid": "4b130725-4c65-4c29-85a5-edc7ae52ab83", + "uuid": "5234efd9-d474-4e56-94ac-bf6ad103eb6a", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d1594072-d75b-44d5-8af3-890e6a263686", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "cf37ec28-866b-49cc-be28-3bd5266cd3c9", "description": "Add control implementation description here for item ca-7.4_smt.b" } ] }, { "statement-id": "ca-7.4_smt.c", - "uuid": "a97e90d0-5d0a-4d09-88e4-9eeeee943a74", + "uuid": "9a401728-cbe1-4d6f-9999-9723e754fe1f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d29951f8-838d-4ec8-9654-54bbf5487b55", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "91bea080-c7d5-464c-b43c-7aaa3912bf45", "description": "Add control implementation description here for item ca-7.4_smt.c" } ] 
@@ -1423,49 +1423,49 @@ ] }, { - "uuid": "9ef03fd9-8d15-4a0f-a2a3-1296a23ca3a2", + "uuid": "8025e5f3-9218-4652-8c57-65c4cebbe3fe", "control-id": "ca-9", "statements": [ { "statement-id": "ca-9_smt.a", - "uuid": "38fef2c2-c748-4e92-8ce5-44999de1caab", + "uuid": "43218026-58ac-4a0e-873b-3a7590e4fd12", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ccb5e4ef-12f5-4797-ab22-0a0074f2376f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f6c61cae-fe0a-4a79-8db8-bf75418094e2", "description": "Add control implementation description here for item ca-9_smt.a" } ] }, { "statement-id": "ca-9_smt.b", - "uuid": "226f1082-542a-4316-a958-586f9d36e647", + "uuid": "979bd8e9-3f79-4c94-baa9-64fbadd511a4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "bda8f419-45a7-4944-af95-543a1b4a0540", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ebc0b47e-e8a5-4042-8540-c82787e16e7a", "description": "Add control implementation description here for item ca-9_smt.b" } ] }, { "statement-id": "ca-9_smt.c", - "uuid": "6c2cce54-bf49-40c9-987e-400f20378dbd", + "uuid": "1e735d09-24eb-4178-a063-4d3033a15508", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "9e7c5168-34d4-4979-b5be-010ce462289c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f3412d36-9d51-48c0-a1b6-13e8525d2663", "description": "Add control implementation description here for item ca-9_smt.c" } ] }, { "statement-id": "ca-9_smt.d", - "uuid": "56685481-56a2-4b1a-9684-634c8ab146b7", + "uuid": "a71155f6-7f9c-4472-bb25-21b5c85c0977", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "cb2d0015-150f-42ca-af25-240a89635504", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "8ba5cd30-88af-4f38-af4f-57a7f0e0c243", "description": "Add control implementation description here for item 
ca-9_smt.d" } ] @@ -1473,38 +1473,38 @@ ] }, { - "uuid": "5dde093d-a561-44a6-be01-d08479260e2d", + "uuid": "6a0c0ea0-df82-4bef-aeca-531896970811", "control-id": "cm-1", "statements": [ { "statement-id": "cm-1_smt.a", - "uuid": "19432734-6571-4a20-b9ab-eddaee8a5ee0", + "uuid": "70660023-159a-42bc-ae93-ff4baef37990", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "06e1a306-a04a-4024-81ad-4e5c1533bc4f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f0b6625e-9839-42a6-82da-888fa77fdb10", "description": "Add control implementation description here for item cm-1_smt.a" } ] }, { "statement-id": "cm-1_smt.b", - "uuid": "e8b5773e-2408-4917-820c-2442d503e34d", + "uuid": "c819fd69-6ea0-4d28-a5fc-7a20e848aa7f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "9f330efd-c826-4890-b739-b19b72d68a0f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "73426b75-ea15-4635-a4a2-4c019ac4c73c", "description": "Add control implementation description here for item cm-1_smt.b" } ] }, { "statement-id": "cm-1_smt.c", - "uuid": "7534003f-491e-410e-a69b-93ccc9025f16", + "uuid": "129931f0-cc30-4517-9139-28dae7022e28", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c690dbf2-0370-4f80-9451-43e731664278", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d0f65ac2-d85d-48ed-8706-1a8eb6dcf6e6", "description": "Add control implementation description here for item cm-1_smt.c" } ] 
@@ -1512,27 +1512,27 @@ ] }, { - "uuid": "8e5998c5-a464-4082-8418-63ad19915c1c", + "uuid": "6b32d812-129f-4c05-9571-5e0aa6e352da", "control-id": "cm-2", "statements": [ { "statement-id": "cm-2_smt.a", - "uuid": "d53861fa-8de4-4c3b-8501-c6a8432bd2e8", + "uuid": "056ae565-e5db-4bed-adae-562b583bbeb9", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "aae7d42a-595c-4e3c-9dec-2fdc43a36c91", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e1e73b85-9965-4b08-8714-d0d7051ed5c3", "description": "Add control implementation description here for item cm-2_smt.a" } ] }, { "statement-id": "cm-2_smt.b", - "uuid": "cfcabd0c-a303-4ca2-801a-a56d606147e8", + "uuid": "b1aeea12-ef90-442c-8134-dcb65965e15c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "fa677992-c1d9-4e71-a1a7-61447a4d78a5", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "61ec2ff8-7fb6-483a-8575-430131b91106", "description": "Add control implementation description here for item cm-2_smt.b" } ] @@ -1540,16 +1540,16 @@ ] }, { - "uuid": "eb8faf31-1115-4c65-b010-144260439efb", + "uuid": "5bdea050-d965-4e03-af06-fd860eaeedd7", "control-id": "cm-4", "statements": [ { "statement-id": "cm-4_smt", - "uuid": "54b0e537-b687-40be-af54-9484e7c2f9e2", + "uuid": "9b7c6ee0-eacf-41ff-9977-11bf6b1a9d06", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b2f5f98a-6db1-45ef-a1d4-c009c81af006", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "42bcc35f-d046-4b66-b3c5-b917eb87d06d", "description": "Add control implementation description here for control cm-4" } ] 
@@ -1557,16 +1557,16 @@ ] }, { - "uuid": "620ba024-cbf8-4257-93d0-9aca55c75664", + "uuid": "2069ef67-8844-45b2-917d-34ee9321d1ab", "control-id": "cm-5", "statements": [ { "statement-id": "cm-5_smt", - "uuid": "44044157-f248-47b6-81a4-62f50188d7c1", + "uuid": "ee56bd8f-8a80-4617-93c6-0900a7cb25b1", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "61201a01-428c-4acd-979f-e093538b0225", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "576f6e62-0e09-496f-a3de-50563ab935e4", "description": "Add control implementation description here for control cm-5" } ] 
@@ -1574,49 +1574,49 @@ ] }, { - "uuid": "f8214d48-bc88-4ab7-8c1e-84bb1368b19b", + "uuid": "1d89f24a-f7d8-4c8f-8035-c70699864db6", "control-id": "cm-6", "statements": [ { "statement-id": "cm-6_smt.a", - "uuid": "0a4040a1-b923-4ce3-97d3-a50f36183d01", + "uuid": "8265b9e9-7379-490d-8f93-2010f97585e4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f9584a49-9135-4d64-ae3e-34757f432a0b", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4253b39a-d2a8-4eba-909d-a6e29068a90b", "description": "Add control implementation description here for item cm-6_smt.a" } ] }, { "statement-id": "cm-6_smt.b", - "uuid": "9a874b55-542f-4873-92c6-1e55920e1f9e", + "uuid": "c04b9dd7-0144-46b0-9513-94caf2a9f34c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "22ad4021-bb60-44be-98dd-bf2bc61a2338", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a95d88d7-f4e9-4ff3-9456-10767f0ba275", "description": "Add control implementation description here for item cm-6_smt.b" } ] }, { "statement-id": "cm-6_smt.c", - "uuid": "02d5e586-1854-4f8a-8674-da59204be98b", + "uuid": "e4bf64e5-980c-468a-8f50-639d0e9539e0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0655a7e1-9884-48b9-968b-bef78b88539c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f98ad43a-5f74-4daa-a5da-7656fb634896", "description": "Add control implementation description here for item cm-6_smt.c" } ] }, { "statement-id": "cm-6_smt.d", - "uuid": "f8b0fe45-e840-47af-81e4-59af4e3357e0", + "uuid": "fdcc147f-125d-43ab-aded-a01ffb0717ca", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "63e84e1d-401a-4374-935f-cde6663d333b", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "17759914-a18f-47d5-a4ca-534575e4102f", "description": "Add control implementation description here for item 
cm-6_smt.d" } ] @@ -1624,27 +1624,27 @@ ] }, { - "uuid": "21f4aeae-a285-4c6b-96c5-660a685e38b5", + "uuid": "e55e8756-f9b1-41c0-9834-4b010e313eb6", "control-id": "cm-7", "statements": [ { "statement-id": "cm-7_smt.a", - "uuid": "2360c85e-a7b6-417c-9ac0-9ced66e9f500", + "uuid": "932b88f2-a2ed-4a91-a6b8-774e30e4c0a0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "626b7712-58ac-43b9-b6b1-3eb4372b876f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "8d4b04d6-f9e3-4d64-bda1-358091e3541a", "description": "Add control implementation description here for item cm-7_smt.a" } ] }, { "statement-id": "cm-7_smt.b", - "uuid": "86e48acc-0a7b-49a7-817b-72d88459cb6b", + "uuid": "202a3779-13a0-4a06-8550-aa4c440be21e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "5f63a1cc-a984-40a8-ac9d-a3d2fe8b4380", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "00aa00f2-8bfe-4f4b-8e54-5108272b78f7", "description": "Add control implementation description here for item cm-7_smt.b" } ] 
@@ -1652,27 +1652,27 @@ ] }, { - "uuid": "91f09af6-3ee5-4916-85f2-22462926d86b", + "uuid": "90adf7dd-c0f6-48b9-8c7a-342294bebbc3", "control-id": "cm-8", "statements": [ { "statement-id": "cm-8_smt.a", - "uuid": "22f3a8eb-f6fb-4b71-86da-8e006ff1ed22", + "uuid": "72de641d-3540-4733-859d-67dd8ebb5f9a", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "41666b31-8c7e-4826-b2df-74b230b5f0ac", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "575fa3bc-b8fc-4de0-afd8-77422bc24769", "description": "Add control implementation description here for item cm-8_smt.a" } ] }, { "statement-id": "cm-8_smt.b", - "uuid": "c674e54e-e614-416e-8542-70f913e317c8", + "uuid": "ca1a52f9-6aef-488c-87b6-e7bf24859ca0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1136fd03-34df-4236-94e3-f659f2164f7f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "3d56e716-8e9e-44b4-936c-375703642f00", "description": "Add control implementation description here for item cm-8_smt.b" } ] 
@@ -1680,38 +1680,38 @@ ] }, { - "uuid": "2b84bdf9-f70d-4a60-921d-e139b55ed63d", + "uuid": "2d7811dd-0965-442c-8b7d-110e0302ced1", "control-id": "cm-10", "statements": [ { "statement-id": "cm-10_smt.a", - "uuid": "b7b3caa6-b594-457c-b720-e1c1929a2736", + "uuid": "b3a88625-7c43-40cc-abe4-455744aec7bf", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "2cab5c7a-9cb8-4aa8-9684-b389cd64c8f1", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "40d2d61e-d3aa-4fc5-89ec-c6f55c829309", "description": "Add control implementation description here for item cm-10_smt.a" } ] }, { "statement-id": "cm-10_smt.b", - "uuid": "4bb3ee2d-4bab-4e36-bd62-a88c540c83c3", + "uuid": "140d6987-68c8-421a-a43a-beb1404538e7", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e3736365-2e42-44de-96a6-ee0a0f688cc1", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9c1396b8-2b84-463c-96f8-c15a14cc6977", "description": "Add control implementation description here for item cm-10_smt.b" } ] }, { "statement-id": "cm-10_smt.c", - "uuid": "cc29c0f1-1cc3-413b-a102-2a3f8a0cbf30", + "uuid": "37d46929-f9e6-4656-a0a4-4a77f3d72c3d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "9df4d6b3-b69f-4f30-ad2e-0e6bb9c800af", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "8517674c-5f36-43f1-a3b8-ae6d5a995695", "description": "Add control implementation description here for item cm-10_smt.c" } ] 
@@ -1719,38 +1719,38 @@ ] }, { - "uuid": "572cdd86-e33c-41c6-990e-d6170b0571cf", + "uuid": "d497e260-34b7-4bec-96da-7799dd85c6b3", "control-id": "cm-11", "statements": [ { "statement-id": "cm-11_smt.a", - "uuid": "f72cf780-e662-46bf-a3a1-bbc9d6e0bcbb", + "uuid": "5cf959d9-da9d-43a4-a906-156bf954ea82", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "41da5241-61c7-4a75-9b32-3cd8c1cd0698", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c81eafa7-1000-4f3f-b828-d1266fe3072b", "description": "Add control implementation description here for item cm-11_smt.a" } ] }, { "statement-id": "cm-11_smt.b", - "uuid": "cb27669d-a74a-4309-9dd6-8cc2e67c70b3", + "uuid": "ea27454b-6b69-411a-8605-3110bdbbf623", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "74dc5ada-7ea7-4b1d-9b5f-53080e7c8d00", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "90581117-8def-440b-b059-4db257304eeb", "description": "Add control implementation description here for item cm-11_smt.b" } ] }, { "statement-id": "cm-11_smt.c", - "uuid": "31d4ce68-297c-4051-b49d-fc0e2b9ad30c", + "uuid": "dc214f67-32fd-4c91-903a-9a619daa8547", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c7767526-6201-4640-b151-144e98f18f81", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "2b270d26-d969-486e-9e4f-90594880ffa2", "description": "Add control implementation description here for item cm-11_smt.c" } ] 
@@ -1758,38 +1758,38 @@ ] }, { - "uuid": "6f5473fc-78e9-439d-878f-3d915dc8f756", + "uuid": "d3f878ff-6c2e-4b5f-b4bd-f722f446e6a4", "control-id": "cp-1", "statements": [ { "statement-id": "cp-1_smt.a", - "uuid": "3311daf1-bcf3-406f-b242-e7e0cbac6a36", + "uuid": "b82be363-28d6-40bb-904b-288e65f4cbed", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "10c3fec4-d7f8-4d9b-b2dc-3a5335c7d141", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d1074b7b-8316-4905-b175-e16ad0385755", "description": "Add control implementation description here for item cp-1_smt.a" } ] }, { "statement-id": "cp-1_smt.b", - "uuid": "bb42698e-e326-4e36-a4b2-2207da7dda00", + "uuid": "8635d2a7-b6b9-4ec4-9220-badbfe10bb06", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "da22aaa3-b5f7-48cc-9cd8-ce329cab7e82", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "bd4e338c-7ea4-4c49-9df0-3d31d63acf9f", "description": "Add control implementation description here for item cp-1_smt.b" } ] }, { "statement-id": "cp-1_smt.c", - "uuid": "575c25b0-3cf3-4ad2-95ea-71966fb3e4c7", + "uuid": "613bfbc2-3c9b-4fc0-936d-0516c3237c04", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "54ad863a-3fdf-492d-bddb-05326442ed0e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "514a0e40-5a7d-49a4-8bc4-c485ab4fe4d2", "description": "Add control implementation description here for item cp-1_smt.c" } ] 
@@ -1797,93 +1797,93 @@ ] }, { - "uuid": "0ed0e4c3-cdf1-40f7-b92b-691bdba58136", + "uuid": "c27ba59c-bf50-4ac5-b754-d736af7af19f", "control-id": "cp-2", "statements": [ { "statement-id": "cp-2_smt.a", - "uuid": "5c0a1bfe-2ab9-404e-92d6-73694ab6e335", + "uuid": "86ee1f1d-01eb-480e-8e19-4bf24271129f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f7949101-1157-43ee-acb2-d488e575154d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a1724ea0-ffb7-4034-b39b-3b775eed21bd", "description": "Add control implementation description here for item cp-2_smt.a" } ] }, { "statement-id": "cp-2_smt.b", - "uuid": "b1571801-7ab2-41b0-81b9-3c3e3430cc53", + "uuid": "f7e5e635-534f-47cd-96c1-6644e13555f8", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b42a2a93-a42d-4148-99f0-23d84f8a52b0", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c92136e2-f9ac-4be5-a075-5f9a968cd8d3", "description": "Add control implementation description here for item cp-2_smt.b" } ] }, { "statement-id": "cp-2_smt.c", - "uuid": "c2664f6b-a7ac-47bd-b3c4-6641fada9360", + "uuid": "09ffc936-6d81-4cf2-ba89-75dd2f313f80", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ac63af4a-eaa0-47b3-a227-681db13b5b70", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d28a0dcf-176d-4b95-884c-1860ac9cf1ca", "description": "Add control implementation description here for item cp-2_smt.c" } ] }, { "statement-id": "cp-2_smt.d", - "uuid": "667ce5b7-e0b5-420e-8e48-2ce377b24db4", + "uuid": "f5de3b55-18be-4996-9081-fc15929814f7", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f0e7bb9d-abee-46c4-a58e-35cb02488396", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "65775e8f-f375-4a61-81ee-4b0be6a6cba1", "description": "Add control implementation description here for item 
cp-2_smt.d" } ] }, { "statement-id": "cp-2_smt.e", - "uuid": "c7294914-3177-4778-8efa-8d00bd3ba3c7", + "uuid": "401f5fa0-0f62-408b-b671-63f1bdfd6ec6", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6c12447a-ad59-4e22-8f39-45ec3dce2d9b", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e6164dc8-0e28-4439-9357-d7f67d052711", "description": "Add control implementation description here for item cp-2_smt.e" } ] }, { "statement-id": "cp-2_smt.f", - "uuid": "d160bd3a-8518-4173-9ff9-44d47397f7f6", + "uuid": "090c137a-d865-40d4-8c17-7d3d8602d8a5", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "265d06c7-9960-4fc6-954f-18b8278df833", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "2fe05e33-30a1-455e-8e4c-02d1d998ac3c", "description": "Add control implementation description here for item cp-2_smt.f" } ] }, { "statement-id": "cp-2_smt.g", - "uuid": "dab50fe9-6a81-4922-8df5-027517d2b9ae", + "uuid": "1c6adb26-9f60-4f47-b359-52ad07b04413", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6e736060-bfce-477b-87c9-87785cf48765", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "831817cc-b044-4646-adc3-35efccf93cff", "description": "Add control implementation description here for item cp-2_smt.g" } ] }, { "statement-id": "cp-2_smt.h", - "uuid": "3a187b12-6923-4770-8a38-7a2e5b78cafc", + "uuid": "2fec1502-13c8-45bc-bf11-61bd93384399", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6ca2d958-a4d7-47d7-a959-e9961fb89d23", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0a97136d-c643-40be-b6c3-e78881c74cce", "description": "Add control implementation description here for item cp-2_smt.h" } ] 
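Review bot: the hunk headers (`@@ -1797,93 +1797,93 @@` and every other header in this file) show identical line counts before and after, so the whole diff is UUID churn: the control `uuid`, each statement `uuid` and each by-component `uuid` are regenerated while `control-id`, `statement-id` and `description` are untouched. That invalidates anything that referenced the old UUIDs (for example an assessment result's `implementation-statement-uuid`, or a downstream copy of this demo SSP) and makes the patch impossible to review for real content changes. If the regeneration is a side effect of re-running the trestle generator for 1.0.x rather than a requirement of the 1.0.x format, consider preserving the existing UUIDs, or deriving them deterministically (UUIDv5 from the control or statement id) so that regenerating the demo yields a stable diff; either way the commit message should say why the UUIDs changed.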
@@ -1891,27 +1891,27 @@ ] }, { - "uuid": "f1feafef-95e7-440a-a1a4-e06f729da9df", + "uuid": "0dc812a8-275a-4ad4-a069-3bd794586180", "control-id": "cp-3", "statements": [ { "statement-id": "cp-3_smt.a", - "uuid": "bf5394e0-8954-489c-9afb-0bfd7befbb01", + "uuid": "ea9507e2-b273-4f11-acc3-ec8c2ec2e1f2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "02d17edd-885e-4603-ae79-a69531c1395e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "7b5102a3-0aa6-4ca0-a310-fedc11113411", "description": "Add control implementation description here for item cp-3_smt.a" } ] }, { "statement-id": "cp-3_smt.b", - "uuid": "ee7f46f8-dcf8-48b6-baad-d0f34d0e8c05", + "uuid": "19959b09-03d0-4cc3-89ae-711ec7554587", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "03bd0b0f-1151-4839-9dcb-b6440b77e05d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5f723e22-e5ce-407e-beea-682ceaf6402a", "description": "Add control implementation description here for item cp-3_smt.b" } ] 
@@ -1919,38 +1919,38 @@ ] }, { - "uuid": "f58adecb-f6aa-4997-9da7-42d59051ead2", + "uuid": "523676f2-53eb-401e-b376-e35721568112", "control-id": "cp-4", "statements": [ { "statement-id": "cp-4_smt.a", - "uuid": "04e46863-8501-4249-9639-babec8daf767", + "uuid": "76990e9f-2c7a-4ea7-ae0f-6ffceda8a7d9", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "7e18b9f5-c676-467d-a360-b0b6ea6758fd", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "2494c6a7-28df-4b8d-8b5f-d6133008b774", "description": "Add control implementation description here for item cp-4_smt.a" } ] }, { "statement-id": "cp-4_smt.b", - "uuid": "1d8aff09-fe04-457f-9f5e-8a03ba70adee", + "uuid": "cf1b2836-63f1-4158-bdd4-a4867c44446a", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0f06e521-bb30-4be4-8c67-2fa2161a21a7", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "bf35a993-85c5-4988-9ebf-516df9e77e1d", "description": "Add control implementation description here for item cp-4_smt.b" } ] }, { "statement-id": "cp-4_smt.c", - "uuid": "7e79250a-64a4-4549-b257-9d71b8efccea", + "uuid": "4cb27a9e-73bd-43f8-91b3-a6eadfc6b82c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f4af08b8-2b10-4bc1-b77a-42af7e64f9d9", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b0a9f47d-8587-46ae-a9fa-8e8a802b1a2a", "description": "Add control implementation description here for item cp-4_smt.c" } ] 
@@ -1958,49 +1958,49 @@ ] }, { - "uuid": "69b400f4-6e05-473c-aecb-56117d090832", + "uuid": "69fdca57-530f-4f95-a60d-d874cb4a7473", "control-id": "cp-9", "statements": [ { "statement-id": "cp-9_smt.a", - "uuid": "4cf5e062-154e-46cb-aac9-ac1a61aabf06", + "uuid": "b1838872-90fa-4dcf-ad13-d7ee9da14bcd", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "88e34b0f-3215-485d-92ee-2956574da9f8", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "7c5fe248-fbdd-4e6a-88b2-b0bae8fbeeb7", "description": "Add control implementation description here for item cp-9_smt.a" } ] }, { "statement-id": "cp-9_smt.b", - "uuid": "fd5b7748-8eff-4729-bdce-e6a63ea2ed65", + "uuid": "685ed009-9b56-47f8-9dd0-a9eaa69d4e56", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "419d3ca9-af06-432d-874d-1fad1418d33b", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ed439385-ab6e-4829-a496-b3301b48ca5d", "description": "Add control implementation description here for item cp-9_smt.b" } ] }, { "statement-id": "cp-9_smt.c", - "uuid": "91b3a750-dc9d-4938-a3c4-161b288c79aa", + "uuid": "f1d3be21-eb22-4995-8fc7-2e298d932278", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f1650f6e-fc51-4bd2-99a6-b9b57af6bac0", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6c78028d-683e-4271-949d-884d6a9eb508", "description": "Add control implementation description here for item cp-9_smt.c" } ] }, { "statement-id": "cp-9_smt.d", - "uuid": "2dada1af-c281-4aa5-a886-63166a52be72", + "uuid": "9625822a-17c4-4f92-a49a-acca2b15643c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "619ab715-ac1a-4df0-8b15-923b7a5813d4", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "808786e7-1025-45e8-9087-97422b9674b3", "description": "Add control implementation description here for item 
cp-9_smt.d" } ] @@ -2008,16 +2008,16 @@ ] }, { - "uuid": "586ce779-c751-425e-b61f-13e3a43801e2", + "uuid": "8ddbc456-daf9-4107-8023-2c6e23be5c8a", "control-id": "cp-10", "statements": [ { "statement-id": "cp-10_smt", - "uuid": "6fe19d4c-b467-494b-93ee-6cffbc48930f", + "uuid": "89de1e8c-eb9d-418e-bd6f-62ef405ffcc2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b341c282-52a9-45ec-8f6c-15faa60e0ff7", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "83401ac4-72b9-4dfd-95d8-5cf806686032", "description": "Add control implementation description here for control cp-10" } ] 
@@ -2025,38 +2025,38 @@ ] }, { - "uuid": "5a8a12ac-cac8-4e69-b51d-0907119130da", + "uuid": "31acd4f3-0a73-4d3a-9d47-d50d39980338", "control-id": "ia-1", "statements": [ { "statement-id": "ia-1_smt.a", - "uuid": "b5db0927-4d5e-48bb-ae92-9ccfb3e4793a", + "uuid": "978afb78-6144-45f8-b9e3-726cd1439f0a", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "09c75b3e-1e5d-4464-9a74-890d30006c56", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b97b6876-964d-4ab4-86c2-ffac914eddbe", "description": "Add control implementation description here for item ia-1_smt.a" } ] }, { "statement-id": "ia-1_smt.b", - "uuid": "29aa7f1d-af3c-4dd6-b619-f89eff1e6c7e", + "uuid": "d0e3ea07-2f45-42b8-91c2-4cd2813492fa", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e71f475b-bc5b-4063-938c-8cf9bd643a1d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0a855948-bc89-4e48-9e86-a77efcbd5b3b", "description": "Add control implementation description here for item ia-1_smt.b" } ] }, { "statement-id": "ia-1_smt.c", - "uuid": "3946c5d4-4650-4b87-8d40-9957819e73e4", + "uuid": "b8ff6cc0-9fe7-4011-9ec3-649169528740", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "9b4b35dc-15e5-4394-a493-3f9195260044", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "3facef06-7ae5-468e-8d4e-4516dff5e946", "description": "Add control implementation description here for item ia-1_smt.c" } ] 
@@ -2064,16 +2064,16 @@ ] }, { - "uuid": "629d2342-6e52-4676-ae35-0900c76a45ca", + "uuid": "60c47624-c680-4769-a72f-f54e718e4909", "control-id": "ia-2", "statements": [ { "statement-id": "ia-2_smt", - "uuid": "221c07b7-de12-41ea-a4a4-2bf1f1335d11", + "uuid": "913d757d-668a-4bd6-9f8d-647449421f87", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e5682c13-0a8c-40e5-a070-257d39934631", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "824e9636-b940-4aa3-a9ee-7646ddb2336f", "description": "Add control implementation description here for control ia-2" } ] @@ -2081,16 +2081,16 @@ ] }, { - "uuid": "67ad17f8-1687-4733-a3dd-ee470987f7d5", + "uuid": "96d879af-59e3-45c1-8452-4e16379edbb2", "control-id": "ia-2.1", "statements": [ { "statement-id": "ia-2.1_smt", - "uuid": "394cf090-5204-4953-8e8e-a32ced8c46f1", + "uuid": "f277d1a0-e240-4a98-b3c9-ab3d47d9d49e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e7802707-be16-4e63-a17b-b5ddde519722", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e0f88f44-fd22-465d-8192-f82eba091d93", "description": "Add control implementation description here for control ia-2.1" } ] @@ -2098,16 +2098,16 @@ ] }, { - "uuid": "76edc0a7-653b-4304-8cd1-6b9b045c2f47", + "uuid": "d1b88337-95f9-4c71-b42b-224a3e8601fb", "control-id": "ia-2.2", "statements": [ { "statement-id": "ia-2.2_smt", - "uuid": "b7722336-13b4-4fdf-a372-9574bf60ca1b", + "uuid": "26ae62a5-389c-4031-87c9-5a1df17bb5b7", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "24c548ee-6477-4340-b318-991fda44ec6d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "130e1abd-c16e-4fca-a90c-e0d423939aa3", "description": "Add control implementation description here for control ia-2.2" } ] 
@@ -2115,16 +2115,16 @@ ] }, { - "uuid": "5b8adb08-2a58-4b99-b403-14e03562cea7", + "uuid": "69c15b37-3f7b-4d65-8a18-ee61d437d5ea", "control-id": "ia-2.8", "statements": [ { "statement-id": "ia-2.8_smt", - "uuid": "449c8ff2-30cf-48c5-aa7c-f4699e2f2763", + "uuid": "c83a401c-6d85-4084-a173-9dad2beff869", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "2639a489-c6b7-4eb1-b68a-69fffbe664f3", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "1d0fd512-83c7-4270-9cfd-17e901e00d26", "description": "Add control implementation description here for control ia-2.8" } ] @@ -2132,16 +2132,16 @@ ] }, { - "uuid": "61fd83a9-756c-4571-93eb-b936a470b7f7", + "uuid": "251b550a-d841-4ff2-84c8-4fd5788c2851", "control-id": "ia-2.12", "statements": [ { "statement-id": "ia-2.12_smt", - "uuid": "da1c7090-1661-477f-a2a3-f2dfb2eb34d4", + "uuid": "16143885-fc13-4318-907a-0d8bfdefb76f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1e8148cc-edf7-48d6-803c-b72aa1940486", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5a056cb0-ff49-4244-aa6e-96b559215cf4", "description": "Add control implementation description here for control ia-2.12" } ] 
@@ -2149,49 +2149,49 @@ ] }, { - "uuid": "e205763b-b558-4f66-9305-7dc186201bfe", + "uuid": "3fed3504-433c-4aea-a269-812d589c9b9b", "control-id": "ia-4", "statements": [ { "statement-id": "ia-4_smt.a", - "uuid": "8f1979b7-52a8-4216-9486-4b326e73a691", + "uuid": "31bb4a36-8567-4d4f-8b60-eb92fb5218e1", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "83a82585-41fd-43b6-a364-ebed0dd038a1", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "55cb0707-c177-43f5-8ad2-d34077bc33a4", "description": "Add control implementation description here for item ia-4_smt.a" } ] }, { "statement-id": "ia-4_smt.b", - "uuid": "34a3e52a-94a4-4ce5-a2dc-46fd6c1481ca", + "uuid": "81cded86-a48a-4dc9-99cd-a22611a3131d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "3f9881af-e64e-4b62-bf44-108e0eed4a62", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5ebb77b4-8e69-4576-a786-40c98537c95c", "description": "Add control implementation description here for item ia-4_smt.b" } ] }, { "statement-id": "ia-4_smt.c", - "uuid": "5240fbfa-0bee-4bd1-bc8f-9ad42470144b", + "uuid": "24810889-2a8c-4f6f-8b23-463c52cf4575", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "78f7c79d-7ea5-49a5-8e3b-19c56ae50d65", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "48230d15-2358-4661-a65c-1d3d9070952d", "description": "Add control implementation description here for item ia-4_smt.c" } ] }, { "statement-id": "ia-4_smt.d", - "uuid": "0ecd3ea3-0a99-4eed-b68f-b9462e4a115a", + "uuid": "5f599361-77dc-4aed-81e1-4f22455d9869", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ef04557d-6d3c-4fc9-b90b-b5e7246da004", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d42058c2-3abe-4501-8723-905c516bdec1", "description": "Add control implementation description here for item 
ia-4_smt.d" } ] 
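Review bot: every `description` in these hunks is still the generator's placeholder (`"Add control implementation description here for item ia-4_smt.a"` and so on), so the identification and authentication controls in this SSP carry no implementation narrative at all. That is fine for a demo, but since the file is being regenerated anyway it is worth stating in the demo's documentation that the descriptions are unfilled placeholders, so the artefact is not mistaken for a completed SSP when someone copies it as a starting point for their own system.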
@@ -2199,104 +2199,104 @@ ] }, { - "uuid": "6a16fadc-1a50-4313-a9a2-631c1bc005e3", + "uuid": "cf0185a5-bd8a-4dec-a3f3-93ebcea2a944", "control-id": "ia-5", "statements": [ { "statement-id": "ia-5_smt.a", - "uuid": "78665434-1523-457e-b9cb-442cea9127ce", + "uuid": "d3af44bf-caea-4cc2-a393-7a6e94abf997", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b1b8d440-9ea3-463f-a688-987fa69696a7", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "71a86f21-9972-4e53-8993-2cebd87f83df", "description": "Add control implementation description here for item ia-5_smt.a" } ] }, { "statement-id": "ia-5_smt.b", - "uuid": "8e3a6f01-daad-4d8c-b94d-8ed0fc8499c2", + "uuid": "013b29ea-e6b9-4f4c-b8c8-b25f8e3997f4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e496aba2-6669-4a0f-96a0-21076afb6902", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "33b128f7-0192-4da1-96ab-949b18c68748", "description": "Add control implementation description here for item ia-5_smt.b" } ] }, { "statement-id": "ia-5_smt.c", - "uuid": "72f40639-e7bf-4f21-aa6e-b8cf9dc3c263", + "uuid": "4a0cbcd8-29f8-4f89-bba0-3d908112d24d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f1cb3781-ddae-4424-b854-5db80e67f5aa", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a0d78a0e-d438-4e56-aeff-e2e9a8f18d43", "description": "Add control implementation description here for item ia-5_smt.c" } ] }, { "statement-id": "ia-5_smt.d", - "uuid": "c5ab0377-e3c6-49f0-9fff-3f14d2623212", + "uuid": "738afe37-807a-4870-be4f-4440da9f430d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "de792aa8-5048-4f6c-88b0-8a5a559794a1", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "06d5d67e-9056-47fd-9210-0272008579a3", "description": "Add control implementation description here for item 
ia-5_smt.d" } ] }, { "statement-id": "ia-5_smt.e", - "uuid": "7a1f7c19-531b-44a2-83fa-07cef35dd01a", + "uuid": "88d9fe7b-2085-4539-8df1-65bfbd1cf4a3", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b4cd4e29-7871-42df-bd1c-cdb00c6f57e8", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d02e6620-40d0-4c6f-9eec-1306fb0259a5", "description": "Add control implementation description here for item ia-5_smt.e" } ] }, { "statement-id": "ia-5_smt.f", - "uuid": "3ffb56ae-14e3-4fb6-8dac-b582b03afef0", + "uuid": "d3632e52-53c3-4cfe-81e4-178456154b19", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "718eab31-ba32-4073-95d1-18c583146e50", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d6c16b87-60a0-4453-a00c-222fe12cc50e", "description": "Add control implementation description here for item ia-5_smt.f" } ] }, { "statement-id": "ia-5_smt.g", - "uuid": "0195a85a-f788-4171-8f6c-8e64e664b374", + "uuid": "c217d667-02e1-43c0-af2b-d3817190bcbb", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "5315e4f0-31bb-47bc-95b8-86aac32e0f85", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "8dec9185-0246-4bd4-991c-3bdefe0ec23e", "description": "Add control implementation description here for item ia-5_smt.g" } ] }, { "statement-id": "ia-5_smt.h", - "uuid": "5a932bdb-a92c-4f31-aba8-b36a55dd9c50", + "uuid": "915f07a0-5077-4efa-94cf-cb664e4d36a1", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "74096185-a7ee-4e8a-a3d8-2c9657000786", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9cf03939-a5b3-4521-974f-38dae9c2e5b8", "description": "Add control implementation description here for item ia-5_smt.h" } ] }, { "statement-id": "ia-5_smt.i", - "uuid": "8e892f51-a405-4217-88ca-d3e16c1de13f", + "uuid": "43528bc4-bd63-4fa2-aadf-c98faba0b18a", 
"by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "efee2133-84ac-46b5-974b-b3044898ff82", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6ca752be-c742-4827-8972-bbde524b41c5", "description": "Add control implementation description here for item ia-5_smt.i" } ] 
@@ -2304,93 +2304,93 @@ ] }, { - "uuid": "f8ece737-c622-41e3-b21b-186d9267ab98", + "uuid": "3bf4730d-17c5-449b-ad7d-48c820e73b26", "control-id": "ia-5.1", "statements": [ { "statement-id": "ia-5.1_smt.a", - "uuid": "ff327d3c-a623-4c7d-ad3a-b69077be844b", + "uuid": "a15f1af3-f8b9-417d-9c2b-22b4543cc390", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "10ffa256-8a40-48f3-bf9e-9103280ff040", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "2a3995f6-baf2-4487-a49c-63c60e0f7302", "description": "Add control implementation description here for item ia-5.1_smt.a" } ] }, { "statement-id": "ia-5.1_smt.b", - "uuid": "e423ea26-f23f-4e34-9987-ce08c52dc7cb", + "uuid": "e842809b-ae3d-4ca3-a50d-b5df4af5a327", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c212aa41-3254-4b6e-842f-0e969a6ca99d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "7a0c971d-21c8-4a3b-82ca-b196ddc187f0", "description": "Add control implementation description here for item ia-5.1_smt.b" } ] }, { "statement-id": "ia-5.1_smt.c", - "uuid": "bc2ad926-d458-4ff5-a6b1-f93ec6e01795", + "uuid": "b7886bba-a9f8-47e7-9ce6-510963b1ecd1", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f287fb22-9a8d-4015-817f-6457f0b0f71e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "62e615a7-03bd-47bc-aa69-54a0c81fd1cd", "description": "Add control implementation description here for item ia-5.1_smt.c" } ] }, { "statement-id": "ia-5.1_smt.d", - "uuid": "78c0cf89-ff9f-42b0-b6f1-e7f41cb601a3", + "uuid": "43bdeeee-a8fd-46ee-b329-9c3642f2a68c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1d41c4e4-e51c-4344-8d73-6d95895360e1", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "21396041-8887-4872-9c3b-a77b8be90761", "description": "Add control implementation description 
here for item ia-5.1_smt.d" } ] }, { "statement-id": "ia-5.1_smt.e", - "uuid": "787f4055-ed14-4525-965e-2c8f8b1c2e2c", + "uuid": "c772d9e3-3d64-4f0f-a31a-4e00ef5a6767", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "7f47a874-f950-4b64-be32-03a03527de01", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "72be90de-e847-4a87-87ad-b5767399152c", "description": "Add control implementation description here for item ia-5.1_smt.e" } ] }, { "statement-id": "ia-5.1_smt.f", - "uuid": "bb185529-57f4-45a7-be60-0b2d0ee6cbc5", + "uuid": "4cfaa0f1-5725-4b01-be7f-f173e62269a5", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "597ba514-829e-492c-8b81-0362aa457094", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "428176ce-2ae8-41e1-9e4f-acca06d5d627", "description": "Add control implementation description here for item ia-5.1_smt.f" } ] }, { "statement-id": "ia-5.1_smt.g", - "uuid": "a761c690-3698-4a0b-a654-5cd06020905d", + "uuid": "f136b0f5-2097-4c9f-befc-b57c181e277e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "218188ea-e358-4872-9f5f-89d3089159b0", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d0ea4528-3e3f-4d4b-bb34-ecb157c387bb", "description": "Add control implementation description here for item ia-5.1_smt.g" } ] }, { "statement-id": "ia-5.1_smt.h", - "uuid": "9163c6af-ad66-460e-8142-451098257738", + "uuid": "5d1d846c-aa99-441b-890d-3acfee49892e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f7956e22-b7b8-4791-ae09-307bd6360bad", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "973a39d7-90d0-45fa-bddd-37568f0baa74", "description": "Add control implementation description here for item ia-5.1_smt.h" } ] 
@@ -2398,16 +2398,16 @@ ] }, { - "uuid": "93939378-7fc9-41c1-9cfe-695fac7ae9f0", + "uuid": "4981f1b1-5931-4776-b920-b61aca8d1b72", "control-id": "ia-6", "statements": [ { "statement-id": "ia-6_smt", - "uuid": "4ee33ed0-79a0-474a-aded-2cfa8515b731", + "uuid": "41ebd5eb-f76a-4a2b-ba0a-ac0834ebac86", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "06febf2d-048d-4d1b-8cd7-1ec69579707c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f287d102-6fb5-4a29-bd09-bc4fcc367085", "description": "Add control implementation description here for control ia-6" } ] @@ -2415,16 +2415,16 @@ ] }, { - "uuid": "4c775db3-3143-458e-9600-974595d833fb", + "uuid": "83f53e9b-289b-4109-8326-ec9844cceb42", "control-id": "ia-7", "statements": [ { "statement-id": "ia-7_smt", - "uuid": "474320fb-40cf-4b5e-ab06-1a9f91529fb7", + "uuid": "84a88207-a8a9-4133-83cc-bf5067ddd74d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "874e28f8-c2ba-4b43-a0db-2b5c119e238c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a445c61b-ec02-42a2-8c5d-2310ba9f8d04", "description": "Add control implementation description here for control ia-7" } ] @@ -2432,16 +2432,16 @@ ] }, { - "uuid": "46cdeade-3b86-4f49-9f33-b1c51e74419f", + "uuid": "5991e86a-79c6-4146-9f7b-247d625a4d60", "control-id": "ia-8", "statements": [ { "statement-id": "ia-8_smt", - "uuid": "ec6a8bca-5ae3-48dc-9349-fcb81dbe7fbc", + "uuid": "295a7000-e406-46bd-9491-44e17cb7b148", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "a5deb36f-d162-4b32-997f-db82d3ce04c1", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "988fc621-7968-40e6-80f6-e9d69fc84cfa", "description": "Add control implementation description here for control ia-8" } ] 
@@ -2449,16 +2449,16 @@ ] }, { - "uuid": "af30a978-5ac1-4c7d-91fb-7780759bdd0f", + "uuid": "bcc69dfb-a4e4-416e-85c4-95e1e9d6f8f2", "control-id": "ia-8.1", "statements": [ { "statement-id": "ia-8.1_smt", - "uuid": "bf3b8690-8e78-452c-9b42-fe6dd06e9819", + "uuid": "d4872a51-21dd-4386-9c42-2b0ddc97b7cb", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "285e18f5-7ca6-4581-97b8-2d9f6fd8a53b", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "48becb66-7de7-455b-91f6-b5db1f24fcd1", "description": "Add control implementation description here for control ia-8.1" } ] @@ -2466,27 +2466,27 @@ ] }, { - "uuid": "ac0e445f-b71c-4d06-945f-cd7aa273c5d5", + "uuid": "2e7d87f3-c505-40a3-9777-78b88053ad23", "control-id": "ia-8.2", "statements": [ { "statement-id": "ia-8.2_smt.a", - "uuid": "a81603e7-5cf1-4be3-942b-c28c6d0783c1", + "uuid": "bb832064-68ee-4567-a1cf-ba0e9a7c1027", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6abb929c-fd08-435c-8b4b-4d80f244e49d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "62cc2906-ac9d-4630-b68d-d3511a4c86cf", "description": "Add control implementation description here for item ia-8.2_smt.a" } ] }, { "statement-id": "ia-8.2_smt.b", - "uuid": "b5dfcdc9-c4ce-4d6c-a144-c3d8d3c4556d", + "uuid": "fab6312b-5ac8-449b-b5c4-d5634cf7ea41", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "24af7ef3-fdd9-4afb-bb0d-16723f386d23", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "58edb3c5-ea30-4a39-b385-66ef357bf2ed", "description": "Add control implementation description here for item ia-8.2_smt.b" } ] 
@@ -2494,16 +2494,16 @@ ] }, { - "uuid": "b1632e10-d176-4e0b-a788-184e6eb993b4", + "uuid": "c70e6bb4-52e1-4669-a267-818e405d2b35", "control-id": "ia-8.4", "statements": [ { "statement-id": "ia-8.4_smt", - "uuid": "c355587e-779a-43ad-bedc-296b84ee12a0", + "uuid": "e51ab4b8-1f2a-46f4-b08e-fcd62de0aa52", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "03cb1910-6bb6-47e7-a1e0-67d4ecb14e15", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "1eef9401-a8be-4d3d-9cee-ae08a35ffd3d", "description": "Add control implementation description here for control ia-8.4" } ] @@ -2511,16 +2511,16 @@ ] }, { - "uuid": "53e8f366-073c-447e-b6ba-5f19583394f0", + "uuid": "f896d336-bd02-46d7-adaa-d864cf785320", "control-id": "ia-11", "statements": [ { "statement-id": "ia-11_smt", - "uuid": "754d9a36-2249-4eb2-86d9-9844b9e955b3", + "uuid": "7f2aca5b-7256-4efd-b8b6-a080dade67f4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0be90447-c961-4883-92b5-568383916dc7", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "1cff7b3d-e323-47bd-a47c-4ad5bdbeae2d", "description": "Add control implementation description here for control ia-11" } ] 
@@ -2528,38 +2528,38 @@ ] }, { - "uuid": "823b7dc3-5607-49e4-9dd8-b4c7442325cc", + "uuid": "dec8a7c9-74a0-46ae-b35d-6fdf9e3ad3bd", "control-id": "ir-1", "statements": [ { "statement-id": "ir-1_smt.a", - "uuid": "9c637f8b-b6a6-4c60-99b7-e8c7e693cf07", + "uuid": "79f6edc5-b13f-46a3-8fa8-8afba6e34db4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c4e1c75e-e42a-4a12-adaa-fe33d18defcf", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "8fa73773-3b1f-4875-9b01-080c5d572610", "description": "Add control implementation description here for item ir-1_smt.a" } ] }, { "statement-id": "ir-1_smt.b", - "uuid": "43c6f20e-e77a-4bb2-9375-65d9901b7c78", + "uuid": "7c2c54d6-4d29-472d-a9db-8e5260744def", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e6500116-8c2f-4f7c-9824-2bd1e0a68fb5", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "81792961-33ac-405f-b294-7ca3f32efc5e", "description": "Add control implementation description here for item ir-1_smt.b" } ] }, { "statement-id": "ir-1_smt.c", - "uuid": "98eb9f80-f915-4c9b-9fb1-2f7c5ee89ebf", + "uuid": "dcbfcdfa-2613-409f-a148-d1effbfadfa6", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "8cbb5dd8-c111-48c6-b351-ffff834a383c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a4987766-fd18-402c-b96d-ed41ffa66308", "description": "Add control implementation description here for item ir-1_smt.c" } ] 
@@ -2567,27 +2567,27 @@ ] }, { - "uuid": "e6e8538d-f204-4e9c-83dc-dd76bd71eced", + "uuid": "3470aa9d-b780-4190-8565-363674fb9359", "control-id": "ir-2", "statements": [ { "statement-id": "ir-2_smt.a", - "uuid": "8c4f9ded-c66d-4d21-8c89-d27f0ef1d93a", + "uuid": "1c74320d-8e50-4824-ab8f-f8087a8c9f30", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ecc3a857-13a1-4848-8cb2-4bfb1066993c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4ad75ece-416f-4a17-a84c-efef6dbcfa3e", "description": "Add control implementation description here for item ir-2_smt.a" } ] }, { "statement-id": "ir-2_smt.b", - "uuid": "99fc773a-df22-4d7e-8471-c103ed192348", + "uuid": "c00b7a27-598f-4302-b572-cc1b11d21829", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4571e028-d16a-45cd-b85c-f4782d617af4", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "afe12837-6f19-4660-86c9-95322a9c949a", "description": "Add control implementation description here for item ir-2_smt.b" } ] 
@@ -2595,49 +2595,49 @@ ] }, { - "uuid": "3ba9ded4-ef1a-4b01-bc29-eeba58755813", + "uuid": "74eddcd1-b848-48c6-b53d-25ff142d8356", "control-id": "ir-4", "statements": [ { "statement-id": "ir-4_smt.a", - "uuid": "4fea2336-9e84-4129-a573-6d478f88889b", + "uuid": "9394932f-ce9d-4600-b5f0-bf2c04fab73c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ef0e8da1-565d-4f88-be68-17335c834809", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0d9484a5-2c11-48ae-8cf9-df62a29f2e31", "description": "Add control implementation description here for item ir-4_smt.a" } ] }, { "statement-id": "ir-4_smt.b", - "uuid": "1952582d-0df2-4e46-a53a-57ed58ac816b", + "uuid": "27da670d-d19b-401b-a36d-7a26e6683a91", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c9acbc85-23eb-4344-92fd-35291a8fc906", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9eb01cac-774f-43af-92fa-dbd74b83d801", "description": "Add control implementation description here for item ir-4_smt.b" } ] }, { "statement-id": "ir-4_smt.c", - "uuid": "bb4f6dce-f43f-48f0-8899-2cc9660decd6", + "uuid": "a18be6a3-d7ae-4870-b57b-fa3f0734181e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "fe328a23-8f7d-4d19-a429-d08ae4eb2e99", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6744e4d5-302c-4b72-9dec-9d6cd150af4b", "description": "Add control implementation description here for item ir-4_smt.c" } ] }, { "statement-id": "ir-4_smt.d", - "uuid": "294e7683-7a87-4fa2-bf28-ed97a628c044", + "uuid": "5aa041a9-836f-4d96-b1ee-b21e5ba067df", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6752fbc7-4ee6-4b1c-bcf9-ee5cf3bd121d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "abc09dc5-8503-401f-adce-910b90fecb14", "description": "Add control implementation description here for item 
ir-4_smt.d" } ] @@ -2645,16 +2645,16 @@ ] }, { - "uuid": "8771261f-5c4f-4eec-9d66-d6a0ac347e66", + "uuid": "d7d54180-26de-40bb-8f30-1d8d8aa7be25", "control-id": "ir-5", "statements": [ { "statement-id": "ir-5_smt", - "uuid": "b14b4d0c-f515-43bb-9467-b7f580502acd", + "uuid": "ef2aa1a2-98b7-4548-a43b-9ac5bb4bd4c5", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "77943a25-37d7-45fd-b85a-49a63bbee3ad", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d773e743-7901-49a3-8869-b4f4ad388938", "description": "Add control implementation description here for control ir-5" } ] @@ -2662,27 +2662,27 @@ ] }, { - "uuid": "26bf53af-888d-479c-937a-6af05ad31b79", + "uuid": "3dd315e2-2233-4d97-a31a-f5b6b2148570", "control-id": "ir-6", "statements": [ { "statement-id": "ir-6_smt.a", - "uuid": "9d680327-d57a-4339-bc0c-439f0caf50fa", + "uuid": "d533b025-d69f-4b75-9edb-cf7100b01b23", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "8d11c7fa-8dda-4a85-bce0-ea794abd1e2e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "1cb1228e-a7fa-4232-8c21-8279e721988f", "description": "Add control implementation description here for item ir-6_smt.a" } ] }, { "statement-id": "ir-6_smt.b", - "uuid": "d056783f-30b1-4039-afe1-0fa8f3d35dad", + "uuid": "aea30e53-3740-4130-8d32-6cbc8737c6e0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "8b7d220d-c3a4-4c4e-92da-877f2c2ecb05", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "fcb34ced-39c6-4323-87df-5c3badbc81fa", "description": "Add control implementation description here for item ir-6_smt.b" } ] 
@@ -2690,16 +2690,16 @@ ] }, { - "uuid": "83220c2f-0cb7-4bb7-8cee-1be42beba3f9", + "uuid": "4a9a768e-a796-482f-b20f-99b45e03d3ca", "control-id": "ir-7", "statements": [ { "statement-id": "ir-7_smt", - "uuid": "d14941bb-835c-464b-9a62-6413231cc855", + "uuid": "6ea38982-5515-4de9-9e11-6511b9d53afe", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "273a670d-53d8-44e3-8218-521826c85c3d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "82139759-fe12-43ba-984f-c90bef476040", "description": "Add control implementation description here for control ir-7" } ] 
@@ -2707,60 +2707,60 @@ ] }, { - "uuid": "d3cec4c5-7ee5-4d26-8595-28b3acf28827", + "uuid": "9184f913-9362-460b-9a3b-ba2819d81451", "control-id": "ir-8", "statements": [ { "statement-id": "ir-8_smt.a", - "uuid": "6b17d634-b9f7-44b8-a009-3e6a0bd87882", + "uuid": "fa62fa27-0315-453f-b3b9-de1bbb421636", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "dbbfc5ba-f0d6-4aa2-bcfc-4561343c8de0", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "8b8bf2ae-730b-42ac-944c-6d00943452b6", "description": "Add control implementation description here for item ir-8_smt.a" } ] }, { "statement-id": "ir-8_smt.b", - "uuid": "7bffba9e-ac03-4360-b77b-e6cda059ae9b", + "uuid": "10019eda-c31b-47f6-bba4-50a3fb173b71", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0420d8df-a116-4a79-9a3f-2deeb85e8ab6", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "1a81a87a-28a0-49aa-a16f-55b04b3d68e5", "description": "Add control implementation description here for item ir-8_smt.b" } ] }, { "statement-id": "ir-8_smt.c", - "uuid": "cb77d7af-3ea5-4ba4-a235-4cf9009f0a5d", + "uuid": "0d7e4520-7e7e-4003-bfa5-d78d8c8de609", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "22d6e827-ff14-4db4-8356-9a9910135370", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "dde627f0-5842-4f08-810a-a1768567d3d7", "description": "Add control implementation description here for item ir-8_smt.c" } ] }, { "statement-id": "ir-8_smt.d", - "uuid": "79fe4b8b-79b0-4f6e-87b6-f16c5f9af32d", + "uuid": "def61583-493a-43ab-b0c2-959668248232", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ffc94724-0ce2-4bf0-8caa-218320a974ef", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "593b029c-f63b-4cf6-8431-7898821d8bc7", "description": "Add control implementation description here for item 
ir-8_smt.d" } ] }, { "statement-id": "ir-8_smt.e", - "uuid": "c3c20020-e3ef-4b9c-b74d-82e4932f47ba", + "uuid": "970ef9ad-1b2b-4cae-bbb0-29e51db13da4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0715c4c0-f461-4768-97dd-04da288cc429", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4c38ba0c-e653-4e53-a71d-3b130f356416", "description": "Add control implementation description here for item ir-8_smt.e" } ] 
@@ -2768,38 +2768,38 @@ ] }, { - "uuid": "bd1c6189-e15d-41b5-a5c3-a13771bcd223", + "uuid": "b79c6b71-8275-432c-b81b-5e628f7b6c4e", "control-id": "ma-1", "statements": [ { "statement-id": "ma-1_smt.a", - "uuid": "953ebd69-174b-46f7-b660-42f2f570564f", + "uuid": "117ebc00-7e8f-4d06-bbd4-9ca2ff6af5c4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c33646ac-0d48-4e1e-91b8-1a56a6567e87", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b8f49815-d191-4be8-a8da-fe3ab20f0afd", "description": "Add control implementation description here for item ma-1_smt.a" } ] }, { "statement-id": "ma-1_smt.b", - "uuid": "ad96ca0d-4782-4554-af09-018d5f8b17c7", + "uuid": "7a14ed63-8fe9-4e76-be9b-20074f034af7", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0e3f9236-6644-429e-8960-3abffbe25b84", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "1afe6099-7b88-446f-93bd-9efcd03b93d3", "description": "Add control implementation description here for item ma-1_smt.b" } ] }, { "statement-id": "ma-1_smt.c", - "uuid": "ac8ef617-49a8-47a6-b0ac-962de6ff6d56", + "uuid": "2195acce-3a1e-4877-8437-2a83c5033325", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1cf29e48-72c2-4952-b458-6718a6705c2c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "025f3390-6f01-4844-8539-63b6b3579095", "description": "Add control implementation description here for item ma-1_smt.c" } ] 
@@ -2807,71 +2807,71 @@ ] }, { - "uuid": "1e9ba260-356d-4714-b858-6b1e39a0ea39", + "uuid": "2c7f3fb6-4ec6-46c9-bb07-2f515a8578f3", "control-id": "ma-2", "statements": [ { "statement-id": "ma-2_smt.a", - "uuid": "d677e3dd-9d21-4d69-8f9e-9df3f203597b", + "uuid": "0ecbeeec-2d3e-4659-a1e3-3aa549bb83cd", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "a9e019f6-0962-4dbf-8912-547b4de85cf2", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "1fe809ab-854d-4c22-ae57-35be9cb6c800", "description": "Add control implementation description here for item ma-2_smt.a" } ] }, { "statement-id": "ma-2_smt.b", - "uuid": "7ae1bf80-c80f-4fc7-9775-4d68b3128463", + "uuid": "9b76b7ef-a64f-49e4-b484-f5c70db3b6fa", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "44aa623e-5c4d-4a29-b686-3f57a7fbd6e9", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9a18569d-b874-4dbe-94a9-7b566b52b94d", "description": "Add control implementation description here for item ma-2_smt.b" } ] }, { "statement-id": "ma-2_smt.c", - "uuid": "fe6ed9a6-5b39-4065-90e0-3eea28c708e3", + "uuid": "86061d8e-f339-4394-adb1-33b3383675dd", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "58f1873b-6c6d-4261-b408-97572bb6cd2b", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "dae6af81-afb1-4a63-9e86-3fea945beb13", "description": "Add control implementation description here for item ma-2_smt.c" } ] }, { "statement-id": "ma-2_smt.d", - "uuid": "98778446-7b31-4b6e-940e-762cc22fe232", + "uuid": "ba17520b-1bfe-4b0f-981d-00edc0c9cef4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d1246f36-b360-4745-a194-58a48e80f0b3", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e6cc0b27-b84f-461d-b5e5-ca56359f978e", "description": "Add control implementation description here for item 
ma-2_smt.d" } ] }, { "statement-id": "ma-2_smt.e", - "uuid": "0fdfac57-c989-4007-9849-a8a90f8c7676", + "uuid": "1d0eff91-9e08-4530-9a78-6873ae75003b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b53ccfe4-e5ec-40ad-b8d3-42fa9c422399", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "7abf8726-db9a-457d-b892-53f2259c78d3", "description": "Add control implementation description here for item ma-2_smt.e" } ] }, { "statement-id": "ma-2_smt.f", - "uuid": "e5636c54-4def-45e6-9bb1-e421a87911ea", + "uuid": "c718673a-3f41-4e21-bed4-67874938e5a6", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6f5c5241-cf58-45a4-8f02-ea956eec1f1b", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c5409594-87fc-48d7-84ea-3c01d88196ef", "description": "Add control implementation description here for item ma-2_smt.f" } ] 
@@ -2879,60 +2879,60 @@ ] }, { - "uuid": "edbe27c3-6706-4f9c-a968-a8770f5a3b5b", + "uuid": "2ec7c60c-cb46-4f16-9572-900b2c49f989", "control-id": "ma-4", "statements": [ { "statement-id": "ma-4_smt.a", - "uuid": "d17affbb-c871-4603-a238-4b7aaad8447b", + "uuid": "64f609f7-2ff9-4695-ac78-07fc8f4da2d2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1bf1eaa8-afba-41a3-a7c5-9c97a63e2751", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0fa5c739-66b7-476c-b158-31d527505e61", "description": "Add control implementation description here for item ma-4_smt.a" } ] }, { "statement-id": "ma-4_smt.b", - "uuid": "8a97ebf2-2a7c-46b0-8a13-90cb8e507019", + "uuid": "8633e9f6-747c-4fe2-99fd-c007f2f8b816", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "cfcb33f6-b054-4051-8fea-ebd4529d4785", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6f537a04-7c4d-4c7b-9132-28d8048a4400", "description": "Add control implementation description here for item ma-4_smt.b" } ] }, { "statement-id": "ma-4_smt.c", - "uuid": "d88425e8-e718-4220-b453-449f246d288a", + "uuid": "337fc4c4-30f3-442c-b759-554c85e1083c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ea86873d-2ae5-4deb-995d-a9363d02f3c4", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f8572dcb-f8ca-47ff-a209-74e04856e995", "description": "Add control implementation description here for item ma-4_smt.c" } ] }, { "statement-id": "ma-4_smt.d", - "uuid": "0b8132c5-d08c-4af5-b83e-1733fdb93382", + "uuid": "d3d4556c-05b8-42c5-8f83-b105fa38b10e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "29395e9c-e0d2-45a4-aa92-cae69bfb2fff", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "479aa1fc-7848-4f80-a490-82ed0c266188", "description": "Add control implementation description here for item 
ma-4_smt.d" } ] }, { "statement-id": "ma-4_smt.e", - "uuid": "2c9bfc7d-1aee-479f-95b6-774a8dfb847e", + "uuid": "6c91c5ec-e003-41f8-9489-d11b15e587d4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "75ac40b5-542f-4496-995e-30ab9a5e8c94", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "61362036-bd91-4e0e-a13f-386914199f74", "description": "Add control implementation description here for item ma-4_smt.e" } ] 
@@ -2940,38 +2940,38 @@ ] }, { - "uuid": "47798d85-9016-41d8-9de0-f388e25d5820", + "uuid": "583ed5ad-3210-4690-97f8-b638a41dd5c0", "control-id": "ma-5", "statements": [ { "statement-id": "ma-5_smt.a", - "uuid": "0b50950a-dffd-4180-872a-959324a5a94b", + "uuid": "bde27620-d700-4a34-9a35-a89ba1919398", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "eecf010a-29e2-4e22-b33b-b12ec080f2af", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b07c93b6-8154-46c6-91b4-25bd958409e9", "description": "Add control implementation description here for item ma-5_smt.a" } ] }, { "statement-id": "ma-5_smt.b", - "uuid": "693c5ee9-dd3f-4fce-8a44-7350d0fe1012", + "uuid": "0ea0e181-548c-4843-be0b-24627f36a56d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "73e3f4e2-5eb8-4cb9-8690-2db2f4435564", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "2eada05d-09be-4f02-8862-643180d7df20", "description": "Add control implementation description here for item ma-5_smt.b" } ] }, { "statement-id": "ma-5_smt.c", - "uuid": "1480ecb0-7091-443f-991d-16c8c0388a32", + "uuid": "6ed68c5e-d7a0-4e27-aded-5d45d0b33ff9", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "aa1ab2b6-f043-46b7-b89d-82787f53af15", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "698202b5-b96b-4373-b636-e79d4db34662", "description": "Add control implementation description here for item ma-5_smt.c" } ] 
@@ -2979,38 +2979,38 @@ ] }, { - "uuid": "d0c2d26c-2016-45cb-b75d-c33976e93d38", + "uuid": "6fc0dd5a-55fc-4f1b-9eda-b35b131bb592", "control-id": "mp-1", "statements": [ { "statement-id": "mp-1_smt.a", - "uuid": "b962c64d-97f4-4390-a0c2-ae61cb76df01", + "uuid": "0e14c0bc-4755-4b80-af78-adc47d648d43", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "403377bb-1e23-414c-90fc-78783af4b01c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5bc66097-b889-497f-a920-0dadb0221f93", "description": "Add control implementation description here for item mp-1_smt.a" } ] }, { "statement-id": "mp-1_smt.b", - "uuid": "cd007371-e400-4da0-98ca-caeb7bc4ec1f", + "uuid": "7ddd8334-a60e-4221-8a93-55f3bc86c341", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4f3dff23-0754-4413-bab6-6aaa6f1f3477", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d93d89b0-4945-44c8-bd5f-8d101c63ba50", "description": "Add control implementation description here for item mp-1_smt.b" } ] }, { "statement-id": "mp-1_smt.c", - "uuid": "5bc8732e-32fb-4319-8250-7e8faaa1c29c", + "uuid": "c2ece431-d0a5-4222-962d-d968604a120b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c0ef169c-980b-43da-91a7-b96d2cf1c194", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "2eadf143-08ff-4d25-83cf-bcfdbc54b0d3", "description": "Add control implementation description here for item mp-1_smt.c" } ] 
@@ -3018,16 +3018,16 @@ ] }, { - "uuid": "a3372d49-4397-4c4c-a45a-1d264106a5f8", + "uuid": "a84a847d-157b-421e-8a12-28b1ebf9e010", "control-id": "mp-2", "statements": [ { "statement-id": "mp-2_smt", - "uuid": "d5a55e60-182f-4e8d-a92d-fc18b24b0655", + "uuid": "d36b2af7-9867-414d-ae6f-57322d16402b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "31612822-5132-413a-8c75-68520c908fea", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c41f1dc1-141a-435c-b91a-44cc741b3da0", "description": "Add control implementation description here for control mp-2" } ] @@ -3035,27 +3035,27 @@ ] }, { - "uuid": "f40a204d-e69b-478b-ba3a-ada6734b2870", + "uuid": "790c9dab-0cb6-4044-a0f3-c894bc9b848e", "control-id": "mp-6", "statements": [ { "statement-id": "mp-6_smt.a", - "uuid": "40240f00-ca65-4f15-98d8-10e045014ba8", + "uuid": "7aa9281a-4aaa-4198-838e-2f7a3ab6fff3", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "67163f36-7db6-4ab6-b317-ff82837bc83e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "968027b7-939d-4dd3-9b40-3a7aa4845a5a", "description": "Add control implementation description here for item mp-6_smt.a" } ] }, { "statement-id": "mp-6_smt.b", - "uuid": "89358f0b-dcaf-4808-b229-ae2ea75ce259", + "uuid": "c6027113-c86c-4a40-86a7-bcf01b353ec1", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ff05eaeb-84d2-4aa5-bb74-8f2c685f3d2a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "1655d6d4-15cb-45a3-8a24-de96b6bbecfc", "description": "Add control implementation description here for item mp-6_smt.b" } ] 
@@ -3063,27 +3063,27 @@ ] }, { - "uuid": "682c8e07-efc0-4cf1-8745-0e2d39fc9d8a", + "uuid": "bdc01b36-d74b-4e37-9f53-ce3de26ff253", "control-id": "mp-7", "statements": [ { "statement-id": "mp-7_smt.a", - "uuid": "50fefb2c-e043-4962-8ad5-98f480078666", + "uuid": "1c235771-1bc5-4db2-92dc-ecf14a52f9ca", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "57c7ab8b-e472-44a3-8205-a20d2778c580", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b855953b-ed28-440f-a6cf-905e60028f31", "description": "Add control implementation description here for item mp-7_smt.a" } ] }, { "statement-id": "mp-7_smt.b", - "uuid": "3033fdda-8afd-43eb-97fe-881a45c10730", + "uuid": "4a3edac5-ccb6-4f8f-a636-fd3ceacf5808", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f8f45e65-09a5-4e34-ab00-e81d775508ac", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "03da7a06-922f-4345-be8e-b701ec9719d6", "description": "Add control implementation description here for item mp-7_smt.b" } ] 
@@ -3091,38 +3091,38 @@ ] }, { - "uuid": "e84272c6-be03-4d18-95e6-8d1db8a65fca", + "uuid": "1d16f277-b831-49ed-945d-399fda5fac3e", "control-id": "pe-1", "statements": [ { "statement-id": "pe-1_smt.a", - "uuid": "3ff059c1-4cad-4556-af38-2762ef2f726a", + "uuid": "bd804b69-2eca-41e6-86e7-83045166ea32", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "af45f881-ede4-463f-8cc1-6b8813a36217", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b40cfe56-3b28-453c-be9b-82168e51a6dc", "description": "Add control implementation description here for item pe-1_smt.a" } ] }, { "statement-id": "pe-1_smt.b", - "uuid": "57a89512-02ed-4179-8f6c-049fd7b17576", + "uuid": "5c3d2f74-bfc1-470f-897d-23fcd1ce2c86", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "78fc9790-3f69-4606-b62d-9b6497e63598", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "49a32e3f-680d-443b-9268-842e1a78a40e", "description": "Add control implementation description here for item pe-1_smt.b" } ] }, { "statement-id": "pe-1_smt.c", - "uuid": "1e0f5c11-63c3-498e-92fb-8a71e5f62899", + "uuid": "a0bb1125-718d-4430-8572-ccc2157fb0c0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b72a8c25-f32b-412d-b9c1-9419a253099f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6ed9af99-c8eb-4cb0-aa6c-ade1d9a4f9e7", "description": "Add control implementation description here for item pe-1_smt.c" } ] 
@@ -3130,49 +3130,49 @@ ] }, { - "uuid": "102ad31d-3b39-48a0-b746-20c3ce3d7cdb", + "uuid": "d8557c71-51ff-492d-93e0-98733966a44e", "control-id": "pe-2", "statements": [ { "statement-id": "pe-2_smt.a", - "uuid": "125e4d75-1539-4ce0-ae68-5ca322fb65fd", + "uuid": "0b8ebf18-936a-4e17-b60b-aaba6f4b55c2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4ee5fee9-5d31-4601-8128-d166980d04d3", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5210c90e-e421-4b88-b07d-0a68a27c601a", "description": "Add control implementation description here for item pe-2_smt.a" } ] }, { "statement-id": "pe-2_smt.b", - "uuid": "b032571f-ae39-4144-8dd9-f65ec75aff86", + "uuid": "dca9d481-b526-4890-8b0a-65bc9b18d08a", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "400d8bd2-e3fd-4c70-8f60-7fd8dafd9cc3", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "371f8613-8632-4d8c-b531-807334d503b5", "description": "Add control implementation description here for item pe-2_smt.b" } ] }, { "statement-id": "pe-2_smt.c", - "uuid": "8ddfbe83-e662-4c50-b511-b5b44aedf9e4", + "uuid": "b4e01ef9-b33d-4dfc-9030-af58d75edab2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "814f8caa-ef4b-4375-b7d8-b0ed61194a8d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "768263de-fd7c-4164-9e65-0234ef200b7d", "description": "Add control implementation description here for item pe-2_smt.c" } ] }, { "statement-id": "pe-2_smt.d", - "uuid": "25a7b683-3a76-4bb2-9c07-ce0563e01599", + "uuid": "26359ca9-fde7-4de2-9f5c-534be1c2fd91", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "a7c68a05-7d20-43c3-b344-c54dfa88d93c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "dbb90db3-12af-4b59-963f-bf4af7821ea3", "description": "Add control implementation description here for item 
pe-2_smt.d" } ] 
@@ -3180,82 +3180,82 @@ ] }, { - "uuid": "fc228117-3df5-4d56-8865-eeb8f3c4d3d9", + "uuid": "b0b08e25-b45c-44f8-bf8b-b923b419bc09", "control-id": "pe-3", "statements": [ { "statement-id": "pe-3_smt.a", - "uuid": "7764a7cf-d601-4518-8523-d39a3f6a8cda", + "uuid": "0ecfeab1-e9f0-4c24-973f-8930ca2bf5fd", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6fad4074-74b7-473e-9305-569edb1598ff", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b5a28c33-f205-410c-a379-2faaa65ddb0b", "description": "Add control implementation description here for item pe-3_smt.a" } ] }, { "statement-id": "pe-3_smt.b", - "uuid": "59d6b808-af6d-41df-b1a0-a8269b7cf846", + "uuid": "5e1cb478-2774-4f38-8873-ee6fc7c282ae", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "358e340f-2a83-49fe-bcbd-c3414541f344", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "02050a26-b9af-4e7f-a755-5dfcf21b8f64", "description": "Add control implementation description here for item pe-3_smt.b" } ] }, { "statement-id": "pe-3_smt.c", - "uuid": "15c126bc-fef1-4785-b2ba-27fd6c80e9fc", + "uuid": "20d83b5f-eef2-4174-8b8f-345e7c40d6e7", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "46df167b-41b8-4e5a-8e29-b7a0200026ae", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4256525c-1465-4537-8c1f-7513a1007e34", "description": "Add control implementation description here for item pe-3_smt.c" } ] }, { "statement-id": "pe-3_smt.d", - "uuid": "c186a76d-54ae-4885-8a96-9dd33dbee64c", + "uuid": "bd740fac-b10b-4bbc-9c30-d520f200bad3", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "19aa6698-ff93-4001-9d9b-8c1a956353c0", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f01f6651-cf6b-4b0c-a0d0-5b713331e9eb", "description": "Add control implementation description here for item 
pe-3_smt.d" } ] }, { "statement-id": "pe-3_smt.e", - "uuid": "91f658bb-51ea-4bbc-a54c-fde7e21fdc11", + "uuid": "4efc0122-3304-4e58-92f5-64bbdbcd373b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "a8043a07-732a-44a9-8b83-72577fc03536", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a76eedbc-752f-4f04-b3d8-8ff64c93ead6", "description": "Add control implementation description here for item pe-3_smt.e" } ] }, { "statement-id": "pe-3_smt.f", - "uuid": "1d0a0603-3616-4721-9536-daa17de253cd", + "uuid": "06a29fdf-ee9a-4117-b7b3-2281c67105be", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "959f5264-8237-499f-9535-6039a39fbc43", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "7920fde0-b034-40c0-97f0-efd72f0ac2e3", "description": "Add control implementation description here for item pe-3_smt.f" } ] }, { "statement-id": "pe-3_smt.g", - "uuid": "235e5eb3-8d99-447d-b278-143fed4ade26", + "uuid": "c8f45b6c-02f2-46e5-aefc-d6af9dc5f61a", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "29f6bb94-076e-4a16-91d0-dc13c85d9418", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "2ed1a08e-832a-4518-81fa-87fd88c04658", "description": "Add control implementation description here for item pe-3_smt.g" } ] 
@@ -3263,38 +3263,38 @@ ] }, { - "uuid": "f02f15d3-b9d7-4700-bc40-cf2d24da2e85", + "uuid": "297b8626-b48c-49b2-8633-910f370ad0fb", "control-id": "pe-6", "statements": [ { "statement-id": "pe-6_smt.a", - "uuid": "03c40a3b-3def-4ff7-a6e4-592ac18cd3ad", + "uuid": "b0cb116c-dc27-4e25-b963-074e2219945d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "524e9ce5-f2bf-4eee-90cf-4b079c9e7357", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f8ebf487-2649-419b-8eb4-4c2790043d06", "description": "Add control implementation description here for item pe-6_smt.a" } ] }, { "statement-id": "pe-6_smt.b", - "uuid": "6b138c19-1824-48ac-9d04-3497544ada5a", + "uuid": "1a798b47-3710-4654-a528-fb767b32622f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "95024e89-428e-4429-b220-50981d1cfeb1", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "52f3cc86-6497-4f82-8172-56ba1347e41c", "description": "Add control implementation description here for item pe-6_smt.b" } ] }, { "statement-id": "pe-6_smt.c", - "uuid": "d59c118b-9cf5-497f-8945-108f952c6b12", + "uuid": "e4ef3e39-bdad-482f-89d3-8b21ae8965f9", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f7089a4f-4518-40f0-a000-be62da7136d6", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "861afa8e-5f2c-4427-b2a3-dbca6232f7d4", "description": "Add control implementation description here for item pe-6_smt.c" } ] 
@@ -3302,38 +3302,38 @@ ] }, { - "uuid": "c709614f-7c8c-4d27-89f6-c619d6c8533a", + "uuid": "96912423-a77c-42ca-9d5c-2d008a681384", "control-id": "pe-8", "statements": [ { "statement-id": "pe-8_smt.a", - "uuid": "5f31185b-57fb-4947-b4c2-c2fbf0e7c21c", + "uuid": "4987c84b-5a96-4a22-a82f-d1e49bea458f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "99c48d73-97cc-47bc-abe8-840a2d44d98a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9cc24a83-ca78-4c36-96c1-ebfce1638684", "description": "Add control implementation description here for item pe-8_smt.a" } ] }, { "statement-id": "pe-8_smt.b", - "uuid": "ca4ca681-9cce-4e2d-b5a5-3f65359d1b74", + "uuid": "bdf1cf23-b55c-45ed-b2ca-3c33ffe9c0d0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "9bc32fad-4398-419a-afa4-4d2b66902cc7", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5d90ca45-92ee-4ed4-836a-36d96f06d3dc", "description": "Add control implementation description here for item pe-8_smt.b" } ] }, { "statement-id": "pe-8_smt.c", - "uuid": "ea39ac27-fafd-46ab-b281-297451346dfb", + "uuid": "bcb80d2a-c56f-4a30-bb60-d6c6f9b16fa6", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1123983a-e422-4027-8ff8-ca67a6a8676f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c1d1dd4a-1ad6-4b44-8567-ffcdffea7438", "description": "Add control implementation description here for item pe-8_smt.c" } ] 
@@ -3341,16 +3341,16 @@ ] }, { - "uuid": "e7b31f9b-fbb9-4166-b633-6695b98cb72a", + "uuid": "751b79ad-fbd4-4669-b82c-94ae9140cc86", "control-id": "pe-12", "statements": [ { "statement-id": "pe-12_smt", - "uuid": "1d601534-380e-4585-847f-3cf2e5a54d7a", + "uuid": "b826a355-e311-41bd-b98a-d53746a2321b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d424fabf-ac2d-4de2-8a45-eced2c016688", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c376cc91-04a0-4293-8010-4b3a8c6db153", "description": "Add control implementation description here for control pe-12" } ] @@ -3358,16 +3358,16 @@ ] }, { - "uuid": "339cc4f4-dafb-499d-a5ca-19ac63835fa0", + "uuid": "34c4d544-c20c-4bdd-9063-658d89cf5c8c", "control-id": "pe-13", "statements": [ { "statement-id": "pe-13_smt", - "uuid": "2236b2d9-9f3c-4206-ad47-4de0277e45a8", + "uuid": "b777a147-9edd-4f54-b89f-8d1c9c6f2319", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "93521645-fccd-4142-8b14-1ad41e29c4b8", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6e655cb9-f91f-4e3d-874f-1b5c6061728f", "description": "Add control implementation description here for control pe-13" } ] 
@@ -3375,27 +3375,27 @@ ] }, { - "uuid": "5072599f-4a4b-438a-a3ae-5e95ff889ea1", + "uuid": "d743e7fe-13f6-4dfa-a46b-ca2d0f16c7fe", "control-id": "pe-14", "statements": [ { "statement-id": "pe-14_smt.a", - "uuid": "7a4270ab-bca1-4584-9956-1ed6d088788f", + "uuid": "9fc4357a-4bde-4b78-b459-0e953cb1995c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "697b0111-4838-4966-9fb9-a9d0a96f8f1e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4f4559a9-f1f5-4903-bcf4-84f359481f3e", "description": "Add control implementation description here for item pe-14_smt.a" } ] }, { "statement-id": "pe-14_smt.b", - "uuid": "c2ad0fef-a8fd-4c2c-9dc0-45d877fbe055", + "uuid": "0a4e4407-e91b-4395-8b68-4666dfc6d081", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "7c1ea48c-6227-41f9-8bb3-0acd0f2875e7", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d3c27e7b-bd44-49a1-89bb-483d5d6e10a0", "description": "Add control implementation description here for item pe-14_smt.b" } ] @@ -3403,16 +3403,16 @@ ] }, { - "uuid": "afae845a-0b87-419d-ab83-c83fe40d7fa4", + "uuid": "69b5cada-4929-4c1a-b876-364198d3ea97", "control-id": "pe-15", "statements": [ { "statement-id": "pe-15_smt", - "uuid": "28699095-3798-45eb-aa39-9a5f5ff53743", + "uuid": "5367f683-6898-4749-8303-3044a5322b31", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "488d5b77-f0cf-4887-ac44-be94a9c231a7", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b2e89d64-5e3e-41d5-841f-4e6259d119b3", "description": "Add control implementation description here for control pe-15" } ] 
@@ -3420,27 +3420,27 @@ ] }, { - "uuid": "898879bf-fd6c-452d-a2c7-2db50331086b", + "uuid": "835ca8d7-68c4-45f3-929d-14a08a8cb3ca", "control-id": "pe-16", "statements": [ { "statement-id": "pe-16_smt.a", - "uuid": "8d5c2804-9cf4-4207-86cd-a3a6ea211ec6", + "uuid": "c643ab39-49d0-4fbb-af92-4c0e467284e3", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e5afae44-f390-43fc-a738-166107cbfc61", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "3922a795-8cdf-409f-8f4e-aa4fe960750d", "description": "Add control implementation description here for item pe-16_smt.a" } ] }, { "statement-id": "pe-16_smt.b", - "uuid": "04165a54-9e03-413e-8a55-8121a0c4a0c8", + "uuid": "ee91e53b-c567-46e3-b0ae-a6f94686c4ea", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "a0904149-7605-4574-9016-a92bc5198096", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "496e9156-bab8-45b5-b91f-288b1730f427", "description": "Add control implementation description here for item pe-16_smt.b" } ] 
@@ -3448,38 +3448,38 @@ ] }, { - "uuid": "b7218208-0d95-4a2b-90e4-9ad17f75c8b4", + "uuid": "1f37a0e2-abab-4113-9c3a-82581d0c1c60", "control-id": "pl-1", "statements": [ { "statement-id": "pl-1_smt.a", - "uuid": "676d8843-0059-4f76-9973-bb88df4ba4a8", + "uuid": "3fc0496a-8cbe-42af-94fa-b869464f9b4b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0be439b2-3c43-4500-bbc8-51d701926419", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4eef9af6-4397-4856-ab65-9065041e8c03", "description": "Add control implementation description here for item pl-1_smt.a" } ] }, { "statement-id": "pl-1_smt.b", - "uuid": "c8235c75-c986-45a1-a27c-04b05a214076", + "uuid": "31590b49-8792-43fa-ae4e-d7a68cd101ac", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4217f169-2a08-431a-a548-e5ee70f27a30", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "cb292fb6-2d72-42cf-a8d4-0cc37b005e7d", "description": "Add control implementation description here for item pl-1_smt.b" } ] }, { "statement-id": "pl-1_smt.c", - "uuid": "07f68fdf-2395-4692-9d4c-6c26abc293bc", + "uuid": "a786bb85-78ec-49de-8cd0-7fb08e5d5923", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "67ea80fe-7968-4683-a4b0-d4b48c3fa7f6", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "881b94bd-feba-491b-9be8-943228ca04f6", "description": "Add control implementation description here for item pl-1_smt.c" } ] 
@@ -3487,60 +3487,60 @@ ] }, { - "uuid": "5b3b5ce9-de47-4a1a-87de-d9e33a955922", + "uuid": "4a68f80e-7853-4985-9f01-9e269a85bb5a", "control-id": "pl-2", "statements": [ { "statement-id": "pl-2_smt.a", - "uuid": "0712164a-6b17-4441-920f-85e17b08c21f", + "uuid": "9e58f26e-f8cd-4cf8-aa95-3cb250365369", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "95dbc604-4fd5-47d0-aaef-4fe9e1131a08", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b1cb4d92-1023-426d-86b1-d1eb6df2c573", "description": "Add control implementation description here for item pl-2_smt.a" } ] }, { "statement-id": "pl-2_smt.b", - "uuid": "18074902-793d-4c10-90c8-056ae6db2d0a", + "uuid": "df8adfef-5a26-4c02-abd5-7af8f828dcbc", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "af33f2c5-5e0d-46b3-900e-edc7a5e5af98", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "8e3ae927-9b19-4397-915b-9fd4e888cb65", "description": "Add control implementation description here for item pl-2_smt.b" } ] }, { "statement-id": "pl-2_smt.c", - "uuid": "1617d514-1da5-4e89-b625-fce9510aa26e", + "uuid": "7aafe5a1-e942-4ca4-b8c8-9325cfb98098", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "39fce2ee-6345-403a-9117-848517bacfb1", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b79f2438-8485-4840-b893-a340677e6e26", "description": "Add control implementation description here for item pl-2_smt.c" } ] }, { "statement-id": "pl-2_smt.d", - "uuid": "008efc1d-1dbc-4f4e-b8ba-923ecf38890c", + "uuid": "87b2b1ee-99ff-480c-821a-7f3cea5fa9bd", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d0859dec-13b6-45ce-8194-0afb2bb84c60", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "cac31818-5443-4700-b700-02dea4de8a45", "description": "Add control implementation description here for item 
pl-2_smt.d" } ] }, { "statement-id": "pl-2_smt.e", - "uuid": "8737b722-e442-4395-9bdf-9d89328dd336", + "uuid": "8bf73f8b-45b8-4e97-a17d-335fd0cd9548", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "34b9966d-17fb-4a7a-9bc4-88ed75c06007", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d0b0111d-6daf-4c53-89a6-a0ecd5230254", "description": "Add control implementation description here for item pl-2_smt.e" } ] 
@@ -3548,49 +3548,49 @@ ] }, { - "uuid": "5c31d648-f0de-44ee-9c8e-f2e0d3f17d95", + "uuid": "9cc795e5-db88-4c75-bf33-506f62b3e38a", "control-id": "pl-4", "statements": [ { "statement-id": "pl-4_smt.a", - "uuid": "1d741163-2ecf-478e-bfd2-70c10660ee7b", + "uuid": "6a4792cd-c009-4ace-94d6-e9e3ecbcef9e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e88d1d4d-972e-4056-b5b1-6151fec65dfb", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f98934c2-6d41-459f-8fdd-cae850830078", "description": "Add control implementation description here for item pl-4_smt.a" } ] }, { "statement-id": "pl-4_smt.b", - "uuid": "bd756d6b-f211-4803-a77e-54118e61d554", + "uuid": "4fc5cbf7-906a-4cb7-be55-9d2f1adda063", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "077323f3-fd84-442c-8b22-4ce8b0865820", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5fae956b-5b3e-4113-bdef-b623caa60e89", "description": "Add control implementation description here for item pl-4_smt.b" } ] }, { "statement-id": "pl-4_smt.c", - "uuid": "3b7d90a3-ee87-4981-9248-43dc484e2044", + "uuid": "b2f1269d-bec4-4f90-a7ce-c366fe52c5ce", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "dcab4149-b99e-40d2-be90-3e6a18e101fd", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4a3ebe6a-18f2-4b5e-97f2-a6e7516eacf2", "description": "Add control implementation description here for item pl-4_smt.c" } ] }, { "statement-id": "pl-4_smt.d", - "uuid": "eafe11be-41ae-405b-b40c-67afb1f449d3", + "uuid": "3b2c6f3a-c5c0-4de2-b18d-021e3e18a4c6", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d0ff3c40-a4b5-43fa-bc1d-127e3edf96b6", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6d9dad09-12d4-4caf-a7f5-f97e2704b61d", "description": "Add control implementation description here for item 
pl-4_smt.d" } ] @@ -3598,38 +3598,38 @@ ] }, { - "uuid": "ba1b7f05-25b2-4941-bd0b-d8c5fd884e29", + "uuid": "75480c8e-a31c-4cb6-9114-1397e5e3305c", "control-id": "pl-4.1", "statements": [ { "statement-id": "pl-4.1_smt.a", - "uuid": "1a95424b-2836-4926-a186-26364eae68eb", + "uuid": "b0fc1ea1-2046-46b7-852a-ab9a7da4cdf5", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "dacefb28-9f08-4313-8d8a-47f568cf65c6", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9cc13f75-637b-437e-bee8-498139799619", "description": "Add control implementation description here for item pl-4.1_smt.a" } ] }, { "statement-id": "pl-4.1_smt.b", - "uuid": "2cace79c-042c-4ffc-93e4-d72cf704b3b1", + "uuid": "3fe500e1-4f54-4e1c-bb77-796b56048d16", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "83917360-9ed7-447a-9c27-8d67e4bd45aa", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "51c19f62-6e35-4e80-b164-b29b84f3c36d", "description": "Add control implementation description here for item pl-4.1_smt.b" } ] }, { "statement-id": "pl-4.1_smt.c", - "uuid": "fa2d5fd0-06b0-494a-9e0e-25f5cde85e2c", + "uuid": "98ca0221-07e6-4251-a154-344d9d942dd2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "a29ee874-c6b3-457f-9924-28bd7b724d33", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "013ee6cc-62a2-479a-af0e-50a53ba2576a", "description": "Add control implementation description here for item pl-4.1_smt.c" } ] 
@@ -3637,16 +3637,16 @@ ] }, { - "uuid": "d2a47f61-79d9-4383-bdec-0d1a4f346838", + "uuid": "a52dde65-ed88-4957-b853-855c1be23b89", "control-id": "pl-10", "statements": [ { "statement-id": "pl-10_smt", - "uuid": "c3be76b2-9d88-416a-9ba1-c9a5c8a8e10f", + "uuid": "97196c2d-336f-4245-9bff-38817a520e88", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c81aee8f-2609-4919-b53c-1aab12dc6c1e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c3599470-6728-4d6f-884d-a1c62b8687c4", "description": "Add control implementation description here for control pl-10" } ] @@ -3654,16 +3654,16 @@ ] }, { - "uuid": "64715dd8-9dcd-4db0-89db-4c01cbc73c80", + "uuid": "a085a544-7e36-4cf8-b5d6-8a3c0a2b3458", "control-id": "pl-11", "statements": [ { "statement-id": "pl-11_smt", - "uuid": "f24a2226-28a1-4eab-9206-ce5e8940861e", + "uuid": "d7cdebe5-71fa-4051-8bd5-64c1b93bcb96", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "fe94a65e-2f7b-41b8-a439-8c1f7d9a1b97", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9fb313b2-ca1a-4df5-b8b5-67ca87f85606", "description": "Add control implementation description here for control pl-11" } ] 
@@ -3671,38 +3671,38 @@ ] }, { - "uuid": "6f49c613-203a-4112-a538-ffd6af19ef24", + "uuid": "ac74e7b9-5a32-4eaf-a6c3-783e8dbc110f", "control-id": "ps-1", "statements": [ { "statement-id": "ps-1_smt.a", - "uuid": "48799abf-c948-4e21-9d94-2ad555be082a", + "uuid": "c081d397-1081-4968-a3db-989da786181b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "799b84c6-4288-4238-9727-c09fa1005d1a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "526e19c3-40e6-4c2a-adec-79c4c0de5555", "description": "Add control implementation description here for item ps-1_smt.a" } ] }, { "statement-id": "ps-1_smt.b", - "uuid": "570cb6e5-9b55-4329-9dcc-de66efdbfd06", + "uuid": "660ba12a-2d30-4f46-bf69-7fb7b3d00b1a", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "87b6f4c5-80f8-4234-9796-f885b88af083", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "10457985-654d-42c7-b0cd-31d4d96d0286", "description": "Add control implementation description here for item ps-1_smt.b" } ] }, { "statement-id": "ps-1_smt.c", - "uuid": "c3bd486b-3f33-4625-9cd3-ce8f45698d28", + "uuid": "e609f999-d46e-4c32-90d6-383cb83c7c60", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "3aaa0dad-28cb-4fa2-b5f2-95b988382384", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "69064f7c-fb87-42aa-abf2-9a1751d00914", "description": "Add control implementation description here for item ps-1_smt.c" } ] 
@@ -3710,38 +3710,38 @@ ] }, { - "uuid": "aec40da8-1066-4a67-ab82-cfc554cb5d18", + "uuid": "3016270e-348c-482d-8b12-035951500aaa", "control-id": "ps-2", "statements": [ { "statement-id": "ps-2_smt.a", - "uuid": "f09693d7-deae-4f23-bbfe-7681dbe56fe2", + "uuid": "ae3aaecf-ffd6-4212-ba11-70ec15a06894", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0cc4e9c0-aa17-462a-b7f0-05bc71e10d93", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f84b5767-bcfb-4d43-bbcd-a2d74f86d36c", "description": "Add control implementation description here for item ps-2_smt.a" } ] }, { "statement-id": "ps-2_smt.b", - "uuid": "51319c79-bc23-4a67-b371-4e3a24ffb63f", + "uuid": "3694e7b0-d0fd-4155-825b-f9520c57c1b5", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "35be4b06-5ba4-482b-b761-08dd5b5b5f5e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "828edebe-5f74-494a-b94c-74b56d1fd195", "description": "Add control implementation description here for item ps-2_smt.b" } ] }, { "statement-id": "ps-2_smt.c", - "uuid": "f131e2c1-4c55-40a1-9c78-350158e70fd9", + "uuid": "9e68e953-f152-4997-9325-ed63256c9a19", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "42daa76c-bc10-435c-99b2-edc672b589cb", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e8b3d543-c420-4465-bbe7-198eab3f84fd", "description": "Add control implementation description here for item ps-2_smt.c" } ] 
@@ -3749,27 +3749,27 @@ ] }, { - "uuid": "de182d4e-c59a-4395-83f9-1ae7ad6e7f47", + "uuid": "1eaff884-88af-457b-b74e-4d3008f1e914", "control-id": "ps-3", "statements": [ { "statement-id": "ps-3_smt.a", - "uuid": "0d6a06fd-8360-4129-ad9e-6d4e4b8d5427", + "uuid": "24601b30-9f74-4a22-9b04-c54a5daa29ed", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "3bd901f7-08aa-42c8-9ed2-d545da11fe9c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0a249071-4539-49eb-a7c4-817fce80b2a1", "description": "Add control implementation description here for item ps-3_smt.a" } ] }, { "statement-id": "ps-3_smt.b", - "uuid": "d9d8be84-bcab-4680-bc0a-418de2c5ead7", + "uuid": "07a150d8-e8d7-4719-85f9-96cbbef14370", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d4d71440-d86c-4e48-8606-1d8c7a62a9ad", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d758915c-65f7-446b-8f48-2682ec4d137b", "description": "Add control implementation description here for item ps-3_smt.b" } ] 
@@ -3777,60 +3777,60 @@ ] }, { - "uuid": "c864944b-725b-49ce-9572-0ef7b3892576", + "uuid": "ceca4b4b-6a87-4c9d-b09d-8c399e137998", "control-id": "ps-4", "statements": [ { "statement-id": "ps-4_smt.a", - "uuid": "9d6f3da1-42a7-4ef8-9772-3c40be9abad8", + "uuid": "e198fcff-6b02-48b4-bb99-18cea4cc3269", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "cdce570a-5a27-4d4b-a8f0-7d31a3f241ad", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d1b8f81e-2b78-4905-9a9b-23708ffad393", "description": "Add control implementation description here for item ps-4_smt.a" } ] }, { "statement-id": "ps-4_smt.b", - "uuid": "1d9e15e7-7411-4607-b1f0-a908f9605f72", + "uuid": "42628f84-1b16-46a7-b0c0-975d531da971", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "8fe497c3-3d30-45c2-ac42-502b5e5bd66c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a66ea27f-71a0-4a42-8f25-5e800278f082", "description": "Add control implementation description here for item ps-4_smt.b" } ] }, { "statement-id": "ps-4_smt.c", - "uuid": "3d6326af-d35b-41e2-a547-153e49a33d39", + "uuid": "7a14d6f9-043e-4d48-be0b-07f888fa0754", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "fe815c00-8637-491b-8733-9abda8faa52d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6784ceb5-75b5-4996-84fc-b96e2bd397a8", "description": "Add control implementation description here for item ps-4_smt.c" } ] }, { "statement-id": "ps-4_smt.d", - "uuid": "f1165a50-c36f-447b-a24c-686e0a2d1fe3", + "uuid": "2c82626d-e06f-49a7-9119-fa5b86db382e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e69d2c4c-1fe3-44d7-b6d3-baf616dc56b0", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "be57271f-30ed-40f8-a244-88d80b2f524d", "description": "Add control implementation description here for item 
ps-4_smt.d" } ] }, { "statement-id": "ps-4_smt.e", - "uuid": "5c6a0708-1523-4885-a012-1145400dca03", + "uuid": "88074892-87ec-4b6c-86a6-e2442603187a", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4d2946fc-c9fe-4c27-8a37-bc78d7f069b0", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6cc7c16b-06d6-420c-b08d-82bb32611ecc", "description": "Add control implementation description here for item ps-4_smt.e" } ] 
@@ -3838,49 +3838,49 @@ ] }, { - "uuid": "3c08c956-b2f9-459d-9a4b-43daaae858f0", + "uuid": "4d8862e8-ddde-4deb-a069-7bbec2a113a2", "control-id": "ps-5", "statements": [ { "statement-id": "ps-5_smt.a", - "uuid": "55416fad-aee6-4555-8bae-93b3c56103b9", + "uuid": "0411d4e3-5845-4402-8f6c-d12000cb9bfa", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1c8252bf-ab3e-429b-93c5-bec9ee339daf", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "635b912e-59e5-49bf-a6f6-ac5f2a89ba34", "description": "Add control implementation description here for item ps-5_smt.a" } ] }, { "statement-id": "ps-5_smt.b", - "uuid": "838c7831-f803-41c9-8996-edb4817faa94", + "uuid": "0bbeab02-3115-4975-ad20-ffeb3177cfa4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "02e342a4-c486-465f-ace9-e10c14b45398", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9baa9d2f-e286-4285-afde-03cca071ebee", "description": "Add control implementation description here for item ps-5_smt.b" } ] }, { "statement-id": "ps-5_smt.c", - "uuid": "6496173c-c009-48c0-9c26-4ba37aa1c224", + "uuid": "2e240a59-ed02-486e-808b-8b065a168e36", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "da946fba-c6a8-4812-8511-c2e8b585950d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5ac1cfb9-2013-4f29-b10b-1d60ca78333f", "description": "Add control implementation description here for item ps-5_smt.c" } ] }, { "statement-id": "ps-5_smt.d", - "uuid": "da98854e-4840-4634-b342-a81b112e3943", + "uuid": "b2f500ed-5e13-425a-aabb-92b8a73c064c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "03912029-634b-4d27-87e6-bd8bae345784", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "3003572a-c650-48f2-a755-0ce4cfabfab7", "description": "Add control implementation description here for item 
ps-5_smt.d" } ] @@ -3888,38 +3888,38 @@ ] }, { - "uuid": "6ec4e941-fdcd-4b29-96fb-e48c69d770f2", + "uuid": "1205d210-66e6-4115-974c-178d71b792ba", "control-id": "ps-6", "statements": [ { "statement-id": "ps-6_smt.a", - "uuid": "9dda943e-f4fb-4b83-940e-ac541b3e391a", + "uuid": "d79a66a9-5577-4437-8eb1-90b307a9f302", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "907d4b4f-ecc8-4c2d-b693-73acd34d05d2", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4acfc13d-dd20-481d-a6a9-31c18b6047ea", "description": "Add control implementation description here for item ps-6_smt.a" } ] }, { "statement-id": "ps-6_smt.b", - "uuid": "39d4cd70-3704-4da0-82a7-4ee628438dc2", + "uuid": "d9fce1bf-38e7-455c-86f2-88ee5ad8d535", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "67a57dce-e755-49d0-8158-331014729218", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "62d1c3bc-8543-4a86-9c55-1af76aefbec7", "description": "Add control implementation description here for item ps-6_smt.b" } ] }, { "statement-id": "ps-6_smt.c", - "uuid": "208083eb-681a-4810-9a76-b5153f55de90", + "uuid": "e4430e42-e5c4-4053-bc68-036668247aa3", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f8c187ff-685b-400b-9e96-3ca0bfae237a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "eb68812a-a1bc-44b9-af2d-a63938f76a8d", "description": "Add control implementation description here for item ps-6_smt.c" } ] 
@@ -3927,60 +3927,60 @@ ] }, { - "uuid": "89730a9f-4511-4325-a6ac-afb43e4199f7", + "uuid": "c73ff774-5e7e-4b8c-baf5-b6819aa17266", "control-id": "ps-7", "statements": [ { "statement-id": "ps-7_smt.a", - "uuid": "9ff1203b-1590-4145-b07a-2630d01a8595", + "uuid": "59a34781-c7aa-4784-b9af-2524dad15da0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ed94d385-23ec-4201-9487-ce71cffb9cea", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d56804c9-8907-433c-b4bb-945df9f8daf4", "description": "Add control implementation description here for item ps-7_smt.a" } ] }, { "statement-id": "ps-7_smt.b", - "uuid": "86c3beba-ffa4-4cd9-88fe-e4f168e5c251", + "uuid": "30204459-0fc5-4745-a6bd-641988d945d6", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4d9b3a70-d27b-460e-9c23-51855af4f38a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d9359edd-5c93-440f-a68b-c543a9ca7b4e", "description": "Add control implementation description here for item ps-7_smt.b" } ] }, { "statement-id": "ps-7_smt.c", - "uuid": "965e2703-6082-4eb7-b172-b899673a2d0d", + "uuid": "54d20898-48c0-4242-9011-47413b2f9da5", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6b995440-40a8-4afb-b1b9-b4899ad308fb", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5c0099c2-ce73-42ea-91b1-9086bf78f7a2", "description": "Add control implementation description here for item ps-7_smt.c" } ] }, { "statement-id": "ps-7_smt.d", - "uuid": "54f4d00e-1827-4a83-b636-4ba5130e82f1", + "uuid": "c1b3eb8e-8942-42ac-a587-4171aa6a8b7b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "391ddeed-efcf-4454-96f1-cca928b2583a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f755a908-53d2-4acd-bdf6-14ec04518a88", "description": "Add control implementation description here for item 
ps-7_smt.d" } ] }, { "statement-id": "ps-7_smt.e", - "uuid": "f6f0f754-9730-4138-9bfc-8325349fbde1", + "uuid": "a05bcb0a-3c80-43b8-b3bd-c65db0f63556", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "bb617752-b095-4420-81ad-aed62945b0c9", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "fc8869e6-e33e-4708-b3bf-c6aca973de0e", "description": "Add control implementation description here for item ps-7_smt.e" } ] @@ -3988,27 +3988,27 @@ ] }, { - "uuid": "0b425cd6-0a3c-4bc6-8ac8-7aeb649f45b1", + "uuid": "83053b87-4836-4d2f-966e-58f74914b2bb", "control-id": "ps-8", "statements": [ { "statement-id": "ps-8_smt.a", - "uuid": "6852a104-3981-41af-9cf0-79641bca8354", + "uuid": "74576ad1-b1bf-48aa-a0f7-f492110e5679", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b58d9c01-8a55-4100-9fab-edf51bef85ba", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "47932959-ca81-4091-9cd4-e1956dc1600c", "description": "Add control implementation description here for item ps-8_smt.a" } ] }, { "statement-id": "ps-8_smt.b", - "uuid": "2635fab8-c873-46c0-9bc2-14c6bd26a56d", + "uuid": "7fbf90c3-cd8a-4a8f-94c2-c47eae5307a0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "fd2e1fb6-850f-4d8b-8bc8-f91c2938b9dd", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6b97b43c-9307-45b3-835c-8775565d84cf", "description": "Add control implementation description here for item ps-8_smt.b" } ] 
@@ -4016,16 +4016,16 @@ ] }, { - "uuid": "dcbaff20-59ca-4c18-b810-cc39456b0365", + "uuid": "d2c8eac5-ba81-42cb-bccd-b2628024c16f", "control-id": "ps-9", "statements": [ { "statement-id": "ps-9_smt", - "uuid": "86c55f5b-65f7-4d46-96ee-79d26f6cfdc6", + "uuid": "91bd1261-ddc9-482f-8d40-99e97aeb18d9", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "5cd8c60f-cb8d-4d52-9006-59eec1a133b8", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9b7494f8-d704-4d2b-8295-fdf139537df9", "description": "Add control implementation description here for control ps-9" } ] 
@@ -4033,38 +4033,38 @@ ] }, { - "uuid": "67062f9e-0fb3-4385-acfa-39bace91d383", + "uuid": "98651ad8-cf2c-4a2e-9c7e-4588ac4ffbaa", "control-id": "ra-1", "statements": [ { "statement-id": "ra-1_smt.a", - "uuid": "86e924ff-96e9-4f74-87ea-1453b5054e3a", + "uuid": "6144d9db-7c6a-4104-b111-3411cafefdf5", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f616b59f-2d2a-4100-b7ad-d5a2ec7e7d02", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "63bb3858-d5ad-4791-9d22-fcf810e2f677", "description": "Add control implementation description here for item ra-1_smt.a" } ] }, { "statement-id": "ra-1_smt.b", - "uuid": "8e0b7857-ab11-44ab-9e2a-a94a8c14e1f5", + "uuid": "12a49e8d-868f-4ff8-abc5-d59533276fb7", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "a908430b-533c-403b-b750-efb5aed56537", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c2926c43-82c5-4488-9f7e-bd1a2b18d075", "description": "Add control implementation description here for item ra-1_smt.b" } ] }, { "statement-id": "ra-1_smt.c", - "uuid": "064d0a2c-712b-481a-8741-a9604c108b9c", + "uuid": "94ab47d9-e343-40ab-a1fd-040b88f499d1", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6795013d-0668-493a-bf73-aa1ccb9aa56f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "fe118adb-d7d5-4858-8dc6-208d54b79e7f", "description": "Add control implementation description here for item ra-1_smt.c" } ] 
@@ -4072,38 +4072,38 @@ ] }, { - "uuid": "f3bdb162-7500-4c73-a1b9-6fdfea087595", + "uuid": "d24fef41-6ef4-47f4-a873-9a4fc5908628", "control-id": "ra-2", "statements": [ { "statement-id": "ra-2_smt.a", - "uuid": "cd2ae254-a756-4381-b470-bd2a28289263", + "uuid": "6170c2f1-cbf1-4283-acf0-9982bff82418", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "dd36eb25-8608-49f2-9971-8e846b4aa3a6", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6ef51451-2907-46f5-9233-d4dccc6fb86b", "description": "Add control implementation description here for item ra-2_smt.a" } ] }, { "statement-id": "ra-2_smt.b", - "uuid": "14cc24da-9989-40d7-ae6f-142afe142853", + "uuid": "d734625f-97d8-4d64-995a-2b2ca6388b81", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "91a7fbcc-5bb8-4be5-8b3d-f12a35f249c9", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5f42067a-e154-43d7-b47b-71ba5fabc422", "description": "Add control implementation description here for item ra-2_smt.b" } ] }, { "statement-id": "ra-2_smt.c", - "uuid": "e608f056-03e6-46eb-85a4-d71c61c6637a", + "uuid": "60c4f7c3-0229-42ad-af84-a4e35e4aa693", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "741f93b4-c427-4ae4-86b5-414bd9db9be4", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "7b7b7643-8ca4-4ada-928f-cbe1ab4b0881", "description": "Add control implementation description here for item ra-2_smt.c" } ] 
@@ -4111,71 +4111,71 @@ ] }, { - "uuid": "413d36e0-6e77-499a-9d9a-6404ce62aa76", + "uuid": "a348af7d-5c26-468d-9576-70f37a98ce4e", "control-id": "ra-3", "statements": [ { "statement-id": "ra-3_smt.a", - "uuid": "01de1f57-a4ee-4e5d-b6d2-6e9f30fbb1c8", + "uuid": "176e23d3-35e6-4ede-9335-46937c5b7597", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "71260e3e-918b-49aa-854a-66d17f1a5baf", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "7b4bd3e6-ac14-4fab-90a2-8989d9b82775", "description": "Add control implementation description here for item ra-3_smt.a" } ] }, { "statement-id": "ra-3_smt.b", - "uuid": "2aa58002-56e3-432c-a33f-91b20400e9ff", + "uuid": "0764ebf4-ec88-4976-b17f-3a07a41211d9", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4fb0ef2a-b1a0-4512-be59-330c537f9d54", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "764fbd91-71b1-4cfa-90a3-110d5d728b14", "description": "Add control implementation description here for item ra-3_smt.b" } ] }, { "statement-id": "ra-3_smt.c", - "uuid": "e37e3791-969c-4bce-82bc-6ce14b49dea4", + "uuid": "0b4b900d-a38d-474d-8286-37d8332cfed2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "3b0cc859-4192-43a9-894c-d5701a960df4", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "8ed80e21-e41e-4321-9373-53b0783e2f66", "description": "Add control implementation description here for item ra-3_smt.c" } ] }, { "statement-id": "ra-3_smt.d", - "uuid": "04f6ee55-04e0-4bca-a5bd-bac604e6088b", + "uuid": "fd79021a-bea9-42c8-b853-2ee901e558e7", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "88b99f9b-8258-4b0a-bda8-313233b81ce8", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "477f774b-0008-45e7-bce9-01e0169d5dcb", "description": "Add control implementation description here for item 
ra-3_smt.d" } ] }, { "statement-id": "ra-3_smt.e", - "uuid": "e49b7c33-6428-49f7-90dd-c9b4780ac6e3", + "uuid": "7575227c-7fe0-4dce-b157-9d7e9366497c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "efbb58a5-0694-40af-8644-908fc06074b9", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9ff858ae-a350-46e2-a4c6-8b0c137d7010", "description": "Add control implementation description here for item ra-3_smt.e" } ] }, { "statement-id": "ra-3_smt.f", - "uuid": "799e89a8-da9b-4968-9f0e-927becbeb61b", + "uuid": "876b965e-53f5-450e-a300-53d783a6a807", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "8b030b2e-3533-4fc3-b78c-3d52586d05b1", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "26300b54-9712-4aac-86bb-5b7accd0b894", "description": "Add control implementation description here for item ra-3_smt.f" } ] 
@@ -4183,27 +4183,27 @@ ] }, { - "uuid": "35388741-1392-442f-a5b3-26b005c97a3c", + "uuid": "1d921d06-47a6-4f6e-a156-f5370cdc34f3", "control-id": "ra-3.1", "statements": [ { "statement-id": "ra-3.1_smt.a", - "uuid": "4d8b4be6-3cda-4352-bab4-b3390dc39573", + "uuid": "199ded9d-d4ca-41a4-ad0b-bfe67e1b1341", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "441fd83c-58db-420d-8fa5-742e0a555b2f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a15d95db-90bd-4727-a821-9c5b7303c209", "description": "Add control implementation description here for item ra-3.1_smt.a" } ] }, { "statement-id": "ra-3.1_smt.b", - "uuid": "77c7a9b8-c607-4cb8-bc5f-ba88bd13018a", + "uuid": "89d31005-f626-48a0-b2d5-deceefc870b1", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1cef4a5f-94bf-41f4-8806-5e819ef46b43", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9524f913-e8e8-4cc2-bc62-b83da9d3b8d3", "description": "Add control implementation description here for item ra-3.1_smt.b" } ] 
@@ -4211,71 +4211,71 @@ ] }, { - "uuid": "104e9590-dbfc-49f2-9e43-848907663c6e", + "uuid": "63b62beb-ece3-4653-9945-07457099320c", "control-id": "ra-5", "statements": [ { "statement-id": "ra-5_smt.a", - "uuid": "fdff3d7e-7d92-49be-942c-9dab72d650a6", + "uuid": "e6c05b96-e62e-4e1d-ad24-9c84300103c3", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "706abf81-8135-458d-8d8a-8d84b3d2e610", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "1c37aafd-8070-4f48-a2a3-02780b9d2382", "description": "Add control implementation description here for item ra-5_smt.a" } ] }, { "statement-id": "ra-5_smt.b", - "uuid": "a65712c1-d587-4fe8-92ec-6d5accbf9c3c", + "uuid": "e8144e8b-4a87-4be8-bedc-2a317f009c07", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1b1fbbe4-9119-4341-8996-994fcbe5df08", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "69e7d89d-c6d4-494b-898d-36d0150ee619", "description": "Add control implementation description here for item ra-5_smt.b" } ] }, { "statement-id": "ra-5_smt.c", - "uuid": "8c4b2348-98b2-4f8e-ae90-a402f0c0a3a3", + "uuid": "2c35af31-b656-4059-a4f0-3c2f0d26199c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "a251fcd5-350e-4c86-85e6-06f9ee6a27b3", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "232a1b35-00a6-47d8-b6c3-e12307e10b9b", "description": "Add control implementation description here for item ra-5_smt.c" } ] }, { "statement-id": "ra-5_smt.d", - "uuid": "e7f17854-f85c-4372-bc13-732056071e95", + "uuid": "1db4be08-281c-41dd-930a-32572180a653", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "13125afb-9c59-42b4-bddd-7d6982f88643", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "3a46dab8-c849-4880-ad58-ecc4cb5c1f86", "description": "Add control implementation description here for item 
ra-5_smt.d" } ] }, { "statement-id": "ra-5_smt.e", - "uuid": "6ee6b470-4d2c-4f02-87e3-9a501ee9d1d2", + "uuid": "7c6c43e2-11be-43c6-baf7-f9643f269183", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "36d00b5f-567b-4382-a124-cd522dad95dc", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "65530698-be39-47df-b67d-d246d0c769f4", "description": "Add control implementation description here for item ra-5_smt.e" } ] }, { "statement-id": "ra-5_smt.f", - "uuid": "b3bb065b-e0c5-4086-aca1-0b0447151461", + "uuid": "1a592a42-287f-4939-ae6b-a00161cb708e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b53be194-959f-4cde-86af-46926dec468a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "16a3757b-4569-4913-a387-0b787ebcff06", "description": "Add control implementation description here for item ra-5_smt.f" } ] @@ -4283,16 +4283,16 @@ ] }, { - "uuid": "38c9f3c6-96c0-4416-a2ed-d4dc21e1760d", + "uuid": "7d49693c-b313-4cdb-855a-4abf2568feb2", "control-id": "ra-5.2", "statements": [ { "statement-id": "ra-5.2_smt", - "uuid": "3b9f798c-877e-4ed4-9ab9-ce2ed3e14b5a", + "uuid": "0341b62f-6789-4aa6-ae1c-8c9b12a41e2e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "8ee58b6b-a7a9-4561-9c8c-7caeabde0839", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0e65225e-188f-4e1e-80da-348d83a04a60", "description": "Add control implementation description here for control ra-5.2" } ] 
@@ -4300,16 +4300,16 @@ ] }, { - "uuid": "ff11be82-9b61-49de-a577-9a27afc90574", + "uuid": "2db4b44f-61cc-4601-aa8a-7aa21ad60be9", "control-id": "ra-5.11", "statements": [ { "statement-id": "ra-5.11_smt", - "uuid": "55f6864f-5864-4804-8579-ea6cb39a97bb", + "uuid": "5da2f50d-882d-4afe-8e25-0b421d3eb71a", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "be5b78ca-9036-4d74-a35b-a4e6c21f1bc1", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e42b435e-6102-45d6-80d4-8b1c21a680d4", "description": "Add control implementation description here for control ra-5.11" } ] @@ -4317,16 +4317,16 @@ ] }, { - "uuid": "a4dbb880-a173-4df2-a95f-61148207eca9", + "uuid": "3cd42e90-393c-470f-b3c3-49354a664b63", "control-id": "ra-7", "statements": [ { "statement-id": "ra-7_smt", - "uuid": "f58d8722-c56c-4e5a-bc4f-e89212307fdc", + "uuid": "5172e6ff-c2a4-43bc-81e3-845edb1eb934", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "7aa406e2-ec55-43eb-a7ee-7e8918a16537", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f9ad337d-cb1d-4459-aa9e-835a275ed723", "description": "Add control implementation description here for control ra-7" } ] 
@@ -4334,38 +4334,38 @@ ] }, { - "uuid": "a30010e9-4d76-424d-97d3-b788c31f4f7e", + "uuid": "a4454060-0882-4903-84c8-a3574a161287", "control-id": "sa-1", "statements": [ { "statement-id": "sa-1_smt.a", - "uuid": "6f3b21d5-9951-4ac5-a33e-d02c78b4bcec", + "uuid": "71fe0457-af89-4e75-8c55-a88ed0723b5b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "67b92e8a-36d7-481d-9d18-e3ab7bcc854e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "329c8b97-b344-48ae-a43e-ef080998d213", "description": "Add control implementation description here for item sa-1_smt.a" } ] }, { "statement-id": "sa-1_smt.b", - "uuid": "a288d4b0-5e04-4069-a9b3-6d4174321116", + "uuid": "7df72d6a-34ea-452f-a0e1-664f83219ebd", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "bd7dc3f4-504d-486d-a9fd-8f781fa8d3be", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "884fa42b-4c65-41b0-bd55-718aa0766297", "description": "Add control implementation description here for item sa-1_smt.b" } ] }, { "statement-id": "sa-1_smt.c", - "uuid": "381050ed-a6ba-435f-b218-64f2ca476e20", + "uuid": "2a0a91eb-5e79-4942-b0d0-61a3395c1b1c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "3700145b-65bb-476c-b89c-62b92da89d83", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c9e3244f-19a6-425f-9bc9-4e3f6e0374a7", "description": "Add control implementation description here for item sa-1_smt.c" } ] 
@@ -4373,38 +4373,38 @@ ] }, { - "uuid": "bfe991b5-e116-420f-ac81-106a75eeefb2", + "uuid": "e7915714-92f5-441a-9699-83b08a1c71eb", "control-id": "sa-2", "statements": [ { "statement-id": "sa-2_smt.a", - "uuid": "9f966b4d-51d6-4d4a-8908-4928dc91b49e", + "uuid": "69ec5026-54e9-4b8d-b88b-3d8a387922c6", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1b6c5cb9-4b63-4908-bd99-64cb537a030d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ad7e27cf-1436-41ab-b392-1d64f8dd4690", "description": "Add control implementation description here for item sa-2_smt.a" } ] }, { "statement-id": "sa-2_smt.b", - "uuid": "6a1e27db-cb16-48a8-b049-627e6cb3687c", + "uuid": "ff9d4174-95cd-4490-902e-3cb9d7cd6a37", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "7ebec817-1292-4535-8303-0863290b1c4d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a893f62d-99c4-4e13-ba40-c1c0a75c9219", "description": "Add control implementation description here for item sa-2_smt.b" } ] }, { "statement-id": "sa-2_smt.c", - "uuid": "f3fbfcc9-00f3-4ae4-8249-606609778741", + "uuid": "1170a932-0ab1-40c1-b54f-5f9de6adeeb0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "37191794-c6fe-4b47-8585-1f4c0bfa0d49", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0f7a3c0b-f7dd-427f-ba2f-ec8aeb471998", "description": "Add control implementation description here for item sa-2_smt.c" } ] 
@@ -4412,49 +4412,49 @@ ] }, { - "uuid": "3fd7dda2-c64e-4870-8e5a-8271074b0c52", + "uuid": "fca46e2c-9b01-49dd-b032-f99741a1dced", "control-id": "sa-3", "statements": [ { "statement-id": "sa-3_smt.a", - "uuid": "baba5809-766f-4b6b-94a7-f4fc9f2da696", + "uuid": "2bfade40-ae3e-457b-930f-94343795c63c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "48f5c2b2-0762-406c-8c55-56983ac9ecce", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0287cea4-ca2a-4cd0-ab7c-7cd40a437b7f", "description": "Add control implementation description here for item sa-3_smt.a" } ] }, { "statement-id": "sa-3_smt.b", - "uuid": "114fc3ab-262a-4f6f-8cd0-e030842106b3", + "uuid": "418623a8-6a5f-4401-870a-7de953be42ff", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "dfccd8bc-fcb8-4d20-926f-6f942cbcf9e2", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e1886040-cea2-40b5-8b6c-7071fd3e72b0", "description": "Add control implementation description here for item sa-3_smt.b" } ] }, { "statement-id": "sa-3_smt.c", - "uuid": "60b33a2d-2332-4a50-b265-d1ce67339a35", + "uuid": "bf6f8445-c22c-409c-862a-a0d045226fcc", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "a12a7dd7-8fe3-4290-8393-4e95a83ff31d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e42dcd36-1496-400f-88d1-b1ab0173aadc", "description": "Add control implementation description here for item sa-3_smt.c" } ] }, { "statement-id": "sa-3_smt.d", - "uuid": "65998613-a488-43fe-afaa-e292cedd7ec8", + "uuid": "56800aaf-9dbd-4152-b58b-c71a5fb23b52", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "a14ffd53-894c-46a1-a9b1-ff0087d36c9c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "78dc44ab-3bcd-42bc-b6a9-37f1348a34f3", "description": "Add control implementation description here for item 
sa-3_smt.d" } ] 
@@ -4462,104 +4462,104 @@ ] }, { - "uuid": "3cfd7560-53cb-43b9-a4a8-39d5ee01dd82", + "uuid": "4812bde0-c220-4f2f-b28a-62094a5598fc", "control-id": "sa-4", "statements": [ { "statement-id": "sa-4_smt.a", - "uuid": "3f0049ff-26d3-4cec-b0bb-701074f855af", + "uuid": "a3b60568-8853-479a-b0dc-7ec1252a3a96", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "3452febe-f232-4888-ac18-3330b1a5ef72", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f90cf597-ecb4-4de6-900d-c0941889c441", "description": "Add control implementation description here for item sa-4_smt.a" } ] }, { "statement-id": "sa-4_smt.b", - "uuid": "7a8cdbcf-73be-44dc-b770-e43e35c86595", + "uuid": "d1dc59db-dab7-44e0-b60a-28a48bc7ed21", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "8bb9a65e-1ee5-4f57-8933-f55d12cf8bad", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f35b0592-8f62-4ef3-8d8d-e2ecf8a55953", "description": "Add control implementation description here for item sa-4_smt.b" } ] }, { "statement-id": "sa-4_smt.c", - "uuid": "88fe51c8-6319-40fa-83e9-9a3a73d25057", + "uuid": "9352eeef-ce58-4057-ae10-2270c280cd97", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e4a3c7e0-421f-4531-8b8e-341b47791b2b", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "c21e8192-2228-476b-8a99-66e75f37acc9", "description": "Add control implementation description here for item sa-4_smt.c" } ] }, { "statement-id": "sa-4_smt.d", - "uuid": "a0de6adf-d0bf-43aa-8e3e-1145535b741d", + "uuid": "c97ac67b-1022-4604-ba95-470107a63a66", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "74a4747e-3465-4876-9f17-4ac8d8072b5c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "59c10cfb-4edf-461f-a69e-046ada303fe8", "description": "Add control implementation description here for item 
sa-4_smt.d" } ] }, { "statement-id": "sa-4_smt.e", - "uuid": "96cdfbbd-8566-4728-b0d3-87bd6551bbd9", + "uuid": "563da6ae-28d8-4c0a-885d-dbb956d56fc0", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "845fd061-6eff-4946-bc87-304c50d67ec5", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "3b14f7bd-9df5-4d46-bd89-7bd12923a492", "description": "Add control implementation description here for item sa-4_smt.e" } ] }, { "statement-id": "sa-4_smt.f", - "uuid": "2f0ce8e6-fc5b-4de1-afbe-b1763c173a4d", + "uuid": "d336f7a8-8570-4301-b726-90ed53fce526", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "8accaf67-9390-49d3-9c2a-15ec63c0ca23", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e0e9c230-5263-4b1f-8484-18a6049e23f4", "description": "Add control implementation description here for item sa-4_smt.f" } ] }, { "statement-id": "sa-4_smt.g", - "uuid": "cf767557-d01a-4643-a884-f76f3b5e18b1", + "uuid": "2cbefd3f-14a5-4d8f-8da8-bbbbe9f314bf", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b81e06fc-7c86-47f3-8962-5e6d8f17dd83", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0627c175-2443-4090-9ab0-d17a7b273db7", "description": "Add control implementation description here for item sa-4_smt.g" } ] }, { "statement-id": "sa-4_smt.h", - "uuid": "30896d20-093c-48df-a70e-eecc3330fd7e", + "uuid": "3517820d-36a1-4884-a782-1cdbcc01d924", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0d03d749-3068-4ae7-8b74-9a7589954bd9", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "874abd4b-ea16-4c41-b331-d6a550b410a2", "description": "Add control implementation description here for item sa-4_smt.h" } ] }, { "statement-id": "sa-4_smt.i", - "uuid": "3a3cf158-6339-4964-8ec5-2bfdbaf36aa8", + "uuid": "f0b54f3b-258a-4ae5-97fd-b645b71918a6", 
"by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ef5e81c9-1863-41b8-be7b-f6c687aa4789", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b32cbf63-412e-475c-914b-9f28ab77afb5", "description": "Add control implementation description here for item sa-4_smt.i" } ] @@ -4567,16 +4567,16 @@ ] }, { - "uuid": "012f3498-8082-4844-a2b6-07be5caa812a", + "uuid": "2328af72-d770-47eb-934c-a4ed9b85b023", "control-id": "sa-4.10", "statements": [ { "statement-id": "sa-4.10_smt", - "uuid": "983da4f0-bcf0-4861-9657-63b8c2937e3a", + "uuid": "a5c81401-a0b8-4a40-9933-cb04f985e893", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "fa5a3beb-b1b3-491b-ad76-46eb2ea53f2a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d3821be7-ad95-4cb6-b39d-826e577db54b", "description": "Add control implementation description here for control sa-4.10" } ] 
@@ -4584,49 +4584,49 @@ ] }, { - "uuid": "233bd514-adb0-4658-b1a4-3226fa0acaae", + "uuid": "c6a4e463-7ddc-484f-a038-bbc89b263f39", "control-id": "sa-5", "statements": [ { "statement-id": "sa-5_smt.a", - "uuid": "22559970-bf41-4c1f-975e-b335044dbc24", + "uuid": "2e2aa702-91eb-46d4-a127-3655ded08742", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4ff3b86f-d7d9-4ed7-975d-6b05e0bdce09", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "3e0b9966-ec07-4c2d-8c77-541d6e543c16", "description": "Add control implementation description here for item sa-5_smt.a" } ] }, { "statement-id": "sa-5_smt.b", - "uuid": "758af4cf-c202-47be-a200-e498384c8b7a", + "uuid": "af0d4f22-91e2-4cf8-a8dc-821e0d5e51dd", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "763843b8-c593-48b7-bdb0-4140de5074b3", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d05147a0-82cc-46d2-b7c8-b7bac3fc82b6", "description": "Add control implementation description here for item sa-5_smt.b" } ] }, { "statement-id": "sa-5_smt.c", - "uuid": "166768aa-7862-4118-b56b-a1e6e6764f9a", + "uuid": "0623cc72-e576-499f-a121-4f433f47fa22", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "85486a49-9833-4dcf-95f3-baa251eee16d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "17f08c26-cf81-4b10-90ed-25763a649dac", "description": "Add control implementation description here for item sa-5_smt.c" } ] }, { "statement-id": "sa-5_smt.d", - "uuid": "cee0d961-4756-4956-8ae9-e76dc45f2623", + "uuid": "bb073089-ab36-4bc5-a670-ea0f56cd7fb2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "cf80377c-c4bd-4c38-9109-75b172c3c381", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9172182d-ea04-49af-b4e1-072e014b4af6", "description": "Add control implementation description here for item 
sa-5_smt.d" } ] @@ -4634,16 +4634,16 @@ ] }, { - "uuid": "f8a4ca54-8b44-42d8-af1a-9f899842880d", + "uuid": "665804fb-d8c7-4e5f-a01b-dadc992c0d8d", "control-id": "sa-8", "statements": [ { "statement-id": "sa-8_smt", - "uuid": "104280c4-ed29-4c28-af18-382016404379", + "uuid": "0b243934-92bd-40eb-8702-5dcfee7982ce", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "cf196a50-6551-4797-b239-7e60cf6ad2ce", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "24742e0c-50e2-48cb-85f3-0b6dc31aab6b", "description": "Add control implementation description here for control sa-8" } ] 
@@ -4651,38 +4651,38 @@ ] }, { - "uuid": "9e493d7a-ce5b-4c32-916e-3c3b19a71980", + "uuid": "375448f6-f543-48f3-a073-7e201d6416ff", "control-id": "sa-9", "statements": [ { "statement-id": "sa-9_smt.a", - "uuid": "00990002-ddb4-4f2e-a7f0-e7105c21a01d", + "uuid": "b8216fc9-35eb-4ba6-b013-45822307ef5f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6178ca5b-9fdb-4819-a173-cafccf5cf919", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "1d83de2c-e629-4656-8bd0-4e259a3b9cc7", "description": "Add control implementation description here for item sa-9_smt.a" } ] }, { "statement-id": "sa-9_smt.b", - "uuid": "6b20fd5b-ead3-40ff-afcd-6dce8a7e589e", + "uuid": "2d22a00d-24b8-42f4-93d4-27825af78396", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b9f04d88-cbf2-49ba-9034-5e2763e922fd", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b615671e-a414-4f4d-82dd-da95e409966a", "description": "Add control implementation description here for item sa-9_smt.b" } ] }, { "statement-id": "sa-9_smt.c", - "uuid": "f136cd32-ec2e-49ef-b376-ea9b5b2defff", + "uuid": "f8deb4e7-02c1-495a-b3f1-d586d0969695", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ee9e6577-ec64-45ed-b2a1-b7ce8509e2f9", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "bed39412-07c3-46a4-9e1a-f950b4aa8558", "description": "Add control implementation description here for item sa-9_smt.c" } ] 
@@ -4690,27 +4690,27 @@ ] }, { - "uuid": "00515c06-7763-4a5b-a94d-3888fd0456f2", + "uuid": "793a9bfe-5e32-4282-9913-f8df7c76385c", "control-id": "sa-22", "statements": [ { "statement-id": "sa-22_smt.a", - "uuid": "7d43048f-f81c-4bfc-a8a8-551137483e70", + "uuid": "672da517-2d90-42fc-b3c7-03f118087d26", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e711a62e-2968-446b-9e34-854f4a454558", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "868c01f8-0cdd-4d78-8d8c-3488b2e6bd66", "description": "Add control implementation description here for item sa-22_smt.a" } ] }, { "statement-id": "sa-22_smt.b", - "uuid": "219f8231-a528-426d-891f-a1d034411fe9", + "uuid": "26878778-c513-4e7a-b0a9-4b84afb47586", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c186d37e-5fea-4dfc-a93d-5fb402b4bfe6", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "fe00468b-84cf-4bc8-aae5-fb53af9358cb", "description": "Add control implementation description here for item sa-22_smt.b" } ] 
@@ -4718,38 +4718,38 @@ ] }, { - "uuid": "1baf505c-23d3-4b63-b1b7-46c430c22b57", + "uuid": "1f665f35-107a-4a77-950d-d7fe6d7a5a23", "control-id": "sc-1", "statements": [ { "statement-id": "sc-1_smt.a", - "uuid": "f25682d5-64be-4938-a4e3-f2c1697cb119", + "uuid": "37d4314c-63d4-4e47-bda4-f5df330348b1", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "97e9c324-509f-4e33-a124-6a02cd4f43b0", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b6158eb4-14d5-4344-8842-e918b6c1e4f4", "description": "Add control implementation description here for item sc-1_smt.a" } ] }, { "statement-id": "sc-1_smt.b", - "uuid": "d2e6f691-64da-4369-9b5f-4da32816214e", + "uuid": "79207ae2-be40-49d6-89c5-4c3b9f9af648", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "aa56dff2-1c4f-4936-a8f8-01bd761cc5a2", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "05cfb0f9-65a8-4580-b9e6-1c53d18c1868", "description": "Add control implementation description here for item sc-1_smt.b" } ] }, { "statement-id": "sc-1_smt.c", - "uuid": "4858315d-a673-4939-b173-82cfd4695d1c", + "uuid": "ca845b76-9bc2-4fa4-a030-58ecf6f307dc", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6a716da8-817a-4291-989c-d37c183263ba", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "aeffe1fb-b7b7-48bb-97e5-33b4d542b761", "description": "Add control implementation description here for item sc-1_smt.c" } ] 
@@ -4757,27 +4757,27 @@ ] }, { - "uuid": "c5dc593d-2d82-4f05-8ef9-8840b24cfc29", + "uuid": "90eab343-14c3-4fcb-93e1-a8cb49dd14a0", "control-id": "sc-5", "statements": [ { "statement-id": "sc-5_smt.a", - "uuid": "ac473800-9d33-4b38-9ade-21bc977422f7", + "uuid": "85311cb8-af70-4349-9efa-b2660f4f45ae", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ef58fddc-738b-4514-a412-9c50a8a68f11", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9b04e0d5-b0ba-4649-a3ca-3e301e8aa852", "description": "Add control implementation description here for item sc-5_smt.a" } ] }, { "statement-id": "sc-5_smt.b", - "uuid": "4a03b896-9325-41a2-bf3a-9090759b38ee", + "uuid": "81a0958c-b63b-4769-95e2-da276af7b4c5", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "51e0590f-da8e-497f-97e3-a3576b95f464", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "1d55a017-c728-4d11-808b-03f88eeb54da", "description": "Add control implementation description here for item sc-5_smt.b" } ] 
@@ -4785,38 +4785,38 @@ ] }, { - "uuid": "8aec6d25-6bb9-446b-b5ad-5af87ade3de0", + "uuid": "a5c48ada-8e54-4605-82e9-37ad832fadc4", "control-id": "sc-7", "statements": [ { "statement-id": "sc-7_smt.a", - "uuid": "564186a1-f414-4636-9e97-b2019e853806", + "uuid": "1c2bc5eb-ccab-42dc-a793-e76d767bb60e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "906944f9-ed61-47d8-8130-e7a8723db84f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0a70b064-2bf0-450e-848d-63068d5c467c", "description": "Add control implementation description here for item sc-7_smt.a" } ] }, { "statement-id": "sc-7_smt.b", - "uuid": "e0c65915-d80a-491d-b63a-b638db5df9ec", + "uuid": "c2333dee-c322-4917-a39f-67782b306dd8", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "323ad026-4fc5-42ae-9322-888691b94abd", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "af3f98be-0462-4322-b6ba-7d8e66737342", "description": "Add control implementation description here for item sc-7_smt.b" } ] }, { "statement-id": "sc-7_smt.c", - "uuid": "8e6b74e0-101e-4823-9408-1f2d737c1de1", + "uuid": "d16625f8-f769-4c06-b522-8b6e241aacc3", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "bbc68ffb-e988-4d94-aeb7-74f57bfe766e", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9c6be2d4-9f06-4dd3-8c52-94bd7fc11895", "description": "Add control implementation description here for item sc-7_smt.c" } ] 
@@ -4824,16 +4824,16 @@ ] }, { - "uuid": "74bde879-ae9e-427a-a210-727928c7e1ce", + "uuid": "3c4ab2aa-9ac5-4d36-ac11-52ac3b90b8d1", "control-id": "sc-12", "statements": [ { "statement-id": "sc-12_smt", - "uuid": "a58c46f3-2992-439f-862d-4e7466cd2e7e", + "uuid": "9f0ecb6e-8df0-43ff-b842-9a7f660ec6d5", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "daec9f79-020b-4638-b338-10d7a80c6723", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "dc8b709a-4da4-4aa0-9ea4-9f414516ef6c", "description": "Add control implementation description here for control sc-12" } ] @@ -4841,27 +4841,27 @@ ] }, { - "uuid": "00f0588a-9d85-4eaf-bdfa-f0ec9b348de9", + "uuid": "5332ece5-8871-4586-9403-89e5044aeb4e", "control-id": "sc-13", "statements": [ { "statement-id": "sc-13_smt.a", - "uuid": "44353f9f-b2b4-40b7-bfc7-b274658c0ca8", + "uuid": "3b993980-d776-43c8-892a-150826d10979", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "48223379-d897-455f-a6f6-bf4303512dc1", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5bae1b31-9f50-477c-bc7b-56d5f2acd660", "description": "Add control implementation description here for item sc-13_smt.a" } ] }, { "statement-id": "sc-13_smt.b", - "uuid": "e7246a0d-9d03-4757-9564-7c3aa1488254", + "uuid": "40835f6b-a76a-4a9c-bf77-ca1bbe169b0a", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d29ac847-74de-4b3b-8765-89583af378a9", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "5986a385-dfe0-46c3-9d08-46fe863e11a7", "description": "Add control implementation description here for item sc-13_smt.b" } ] 
@@ -4869,27 +4869,27 @@ ] }, { - "uuid": "7c35f77e-051c-49c7-a449-faccbdd9cfc9", + "uuid": "c56d658e-b70d-411a-bfe1-20beee61e96a", "control-id": "sc-15", "statements": [ { "statement-id": "sc-15_smt.a", - "uuid": "5d63e2d2-2de1-4d9f-864e-aae22b4cca70", + "uuid": "b5adf62a-0fe2-4e4d-a835-5bcd887c8786", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "5835feca-b238-4858-9959-03efdc4c18fd", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ddddd121-8384-49dd-9364-5a43627981b4", "description": "Add control implementation description here for item sc-15_smt.a" } ] }, { "statement-id": "sc-15_smt.b", - "uuid": "33d9b0f2-6b5a-4df3-b0e4-95f14395f708", + "uuid": "16cd76cd-6da2-41df-9009-d458bc36e7e1", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "9e351966-01a4-41e2-83f0-fde26ce7d784", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a57f7bd4-0621-48f3-b723-6af17516d9a4", "description": "Add control implementation description here for item sc-15_smt.b" } ] 
@@ -4897,27 +4897,27 @@ ] }, { - "uuid": "6afc7c72-cf14-4a7d-b024-b713b060f742", + "uuid": "c672b230-7187-4356-94bb-0826316342fc", "control-id": "sc-20", "statements": [ { "statement-id": "sc-20_smt.a", - "uuid": "5e4c8d8d-d656-4191-acdc-f9b8a9075e16", + "uuid": "3f0bbed8-7989-443e-be9b-887ed0a7235d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "85099119-4d76-4cd4-9834-1f670dca1ea4", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ab8bad88-bee9-429f-bbe1-913583c0743c", "description": "Add control implementation description here for item sc-20_smt.a" } ] }, { "statement-id": "sc-20_smt.b", - "uuid": "ad525bb9-e114-4141-b97e-91953fd89675", + "uuid": "c3aa98b8-9d9c-4adf-b256-f50aff81c521", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "25e77e11-0e3d-412b-80ed-7bcb58ea9fd0", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "9b0c8826-0016-4030-836f-a842b7f16f26", "description": "Add control implementation description here for item sc-20_smt.b" } ] @@ -4925,16 +4925,16 @@ ] }, { - "uuid": "6345db2c-ed3f-4987-a619-892b3e0cf759", + "uuid": "52c6120f-d6f3-4e77-ac21-349f670b569b", "control-id": "sc-21", "statements": [ { "statement-id": "sc-21_smt", - "uuid": "4315b1fe-d8fc-4f54-8f6c-6727788941bf", + "uuid": "d24d6b8e-cb78-43f5-ad43-4f63ee4f6942", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1293c784-d1fb-4aa1-8900-d80905c27295", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "51e23a50-1915-49df-9155-94657ef0a203", "description": "Add control implementation description here for control sc-21" } ] 
@@ -4942,16 +4942,16 @@ ] }, { - "uuid": "2fa677d8-e553-4935-b5e7-21f27406c8a6", + "uuid": "2ac49600-5f8a-4b67-9538-5078ff5b06cd", "control-id": "sc-22", "statements": [ { "statement-id": "sc-22_smt", - "uuid": "70db7822-b708-4115-92d2-69ceff37aea3", + "uuid": "b53a6beb-b8a4-467b-8b9f-4891ff3e12cb", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b014c826-2085-4095-866f-e8619361964a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ad1ea5c9-84dd-4335-a5c1-7e95d8ce5d59", "description": "Add control implementation description here for control sc-22" } ] @@ -4959,16 +4959,16 @@ ] }, { - "uuid": "59ca7b8e-a50f-4469-8f43-9b7f16cacacc", + "uuid": "127902c9-9635-4f1b-afa1-0f674dccf2b5", "control-id": "sc-39", "statements": [ { "statement-id": "sc-39_smt", - "uuid": "4482b989-8232-462a-9fb3-e7cb795fb7af", + "uuid": "7f66102c-2691-40cd-a32b-224d0a69db42", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "2bdf50a4-718c-4c47-b643-aec1b29b015a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b81595dd-82c4-475f-9a7c-fa40383ac7c9", "description": "Add control implementation description here for control sc-39" } ] 
@@ -4976,38 +4976,38 @@ ] }, { - "uuid": "24fca182-06d8-4855-855e-7586a9717d3e", + "uuid": "9acabf6c-adc1-4c4a-8ff4-5001468b1879", "control-id": "si-1", "statements": [ { "statement-id": "si-1_smt.a", - "uuid": "3b48b172-6cef-4cf7-8e43-50c1e300ddb9", + "uuid": "bb00eeef-12e5-45ef-84ad-6689c4684998", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4a4c26a5-68bf-48ef-a09c-55ac61348423", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "fce9bfb5-dc34-4a92-aa40-fe3e86585da8", "description": "Add control implementation description here for item si-1_smt.a" } ] }, { "statement-id": "si-1_smt.b", - "uuid": "261af665-768d-46d4-b9f3-b1d5669e55d5", + "uuid": "f62a0573-6ada-4617-a586-a608bbe9f961", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "e42af704-7b31-4f00-84d7-891f41358037", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "36dc2d43-5a1a-4501-a1bf-5d49982c5e9c", "description": "Add control implementation description here for item si-1_smt.b" } ] }, { "statement-id": "si-1_smt.c", - "uuid": "bff81796-a229-4748-9f6e-bae33834dd13", + "uuid": "769c24d0-4070-4dc5-81e1-e3e1752c62cf", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "5402d037-25a4-4847-bacf-c546a1c08bae", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a182990b-5e7e-45d6-8d8c-8db8da294919", "description": "Add control implementation description here for item si-1_smt.c" } ] 
@@ -5015,49 +5015,49 @@ ] }, { - "uuid": "1a478fb5-c230-40f8-a3d3-b12280bd6ebd", + "uuid": "f0593668-571a-403b-b91f-1e2538241afd", "control-id": "si-2", "statements": [ { "statement-id": "si-2_smt.a", - "uuid": "d7722fea-0fe7-482f-a94f-f58f4144b38e", + "uuid": "b523b7f5-bce5-4d43-a16a-28b948be67a2", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "dc3118d3-989a-4f03-9b96-b62e384fecf3", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4cb00750-bf99-491e-947c-233265371877", "description": "Add control implementation description here for item si-2_smt.a" } ] }, { "statement-id": "si-2_smt.b", - "uuid": "a51e22a1-bea4-4cf2-a8e0-0f9bbc4a5738", + "uuid": "b8893b68-3633-4d53-a0fd-257b20d4a2ca", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4227e777-3e81-4a50-90b8-428729100edd", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "8e5c9aa4-5b0d-47f0-b9a9-c17f17c3fd77", "description": "Add control implementation description here for item si-2_smt.b" } ] }, { "statement-id": "si-2_smt.c", - "uuid": "bf96eb89-c8a5-48bb-93a7-f00ecb401cdc", + "uuid": "12843fd8-01de-4ca6-b5ba-1094506d8014", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "4ac14622-22c8-495e-9a21-ef6ab8571270", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "beae5cbc-d74c-447f-98c5-ddaa71215fca", "description": "Add control implementation description here for item si-2_smt.c" } ] }, { "statement-id": "si-2_smt.d", - "uuid": "ce8aa0e4-75d5-40af-8cda-b3e0e5d4da51", + "uuid": "0443e3c8-54f5-4fbd-923e-d8c2c9cb93e3", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "3044e6ef-1b68-49c1-81c8-a0827affe487", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e3aff7d4-c8c5-4a83-91b6-387a5a0d30bb", "description": "Add control implementation description here for item 
si-2_smt.d" } ] 
@@ -5065,49 +5065,49 @@ ] }, { - "uuid": "fbaf863e-ee33-4291-b913-36b98584522f", + "uuid": "123afe08-3aa3-4088-a69a-38b47711d249", "control-id": "si-3", "statements": [ { "statement-id": "si-3_smt.a", - "uuid": "47369958-c9f2-4fc2-b651-221deb492320", + "uuid": "ed86d096-09ef-48cb-8c63-4402f9227a7b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "c0ba1bf9-d531-44f8-aa26-7e9d4cae321a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4cff1501-5ec1-4666-b6ed-e6bb8db01858", "description": "Add control implementation description here for item si-3_smt.a" } ] }, { "statement-id": "si-3_smt.b", - "uuid": "8faa96f8-e1e4-4c66-9caf-96c515cc95c1", + "uuid": "773913e0-6fea-4714-bb65-9af3fea77c45", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0cbbddb8-d3d8-493e-b7c0-19c199fafa89", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "da89e01a-c5ea-43da-9fa2-ea7fe468116d", "description": "Add control implementation description here for item si-3_smt.b" } ] }, { "statement-id": "si-3_smt.c", - "uuid": "5955b5b0-d812-422b-89b3-534c6a28f9b7", + "uuid": "698ec61d-6c25-4139-b680-fefa6cad84ca", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "bb3bd4c0-2903-4606-9fca-b8188fdd3e81", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "46e1f9b7-81ee-41a2-9bc2-dbd0b6189f4b", "description": "Add control implementation description here for item si-3_smt.c" } ] }, { "statement-id": "si-3_smt.d", - "uuid": "dd8d5cdd-cb45-48fc-90ae-38c3458cdc03", + "uuid": "9af11cb4-7999-49f9-90c5-68e9657292ae", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1ab920dd-6466-46fb-a5bc-7fde029e575c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b9e91111-f7d8-4634-ac82-c36432dff6bf", "description": "Add control implementation description here for item 
si-3_smt.d" } ] 
@@ -5115,82 +5115,82 @@ ] }, { - "uuid": "be623ed4-51af-471b-9f02-57750e9c5373", + "uuid": "20cc7715-8e2a-4b44-bc16-17631a9a0d8f", "control-id": "si-4", "statements": [ { "statement-id": "si-4_smt.a", - "uuid": "885fd567-53f0-4104-bdaf-a8987f0e8229", + "uuid": "0b01de64-0865-4761-a883-54bdd2af15a4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6f4cf6f6-3567-4965-9543-170664e7c012", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "30596269-5427-413a-87d5-e4a31d4fdc0b", "description": "Add control implementation description here for item si-4_smt.a" } ] }, { "statement-id": "si-4_smt.b", - "uuid": "55651de2-2bcb-4b65-873b-17abbf4a7430", + "uuid": "193c5ba9-90de-40ec-b425-3193bbff045f", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d1091260-e5c5-4deb-bbb8-f22e10a7dccb", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4444b64f-4a57-44f7-99c2-2167e3dee016", "description": "Add control implementation description here for item si-4_smt.b" } ] }, { "statement-id": "si-4_smt.c", - "uuid": "7c400b39-e993-47df-bf4d-5c2542be06d7", + "uuid": "44b8d28e-2c5a-4a9d-a722-729a616efdc8", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d6a80a03-7ae0-4112-8165-ab8a70fd8281", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "7b350ed7-ee9b-44c5-8339-2f1e3d79005d", "description": "Add control implementation description here for item si-4_smt.c" } ] }, { "statement-id": "si-4_smt.d", - "uuid": "d824693f-8ca9-4e71-aa08-e34857555bb4", + "uuid": "1cd6dfed-74c0-4777-aab2-d66e418f8102", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1ebde027-8940-481a-ba3e-fc2b6bc1d39d", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e7adfb49-6abf-4e6b-a6ff-4829362814a6", "description": "Add control implementation description here for item 
si-4_smt.d" } ] }, { "statement-id": "si-4_smt.e", - "uuid": "6de5df6e-a9f7-461d-b753-4b842dd5a180", + "uuid": "f495fee9-780d-4490-999a-5cdefada1200", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f60e8871-c38a-4ada-9089-b9548d7b174a", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b7ead727-1d2d-4178-bdb8-3bc10df921cd", "description": "Add control implementation description here for item si-4_smt.e" } ] }, { "statement-id": "si-4_smt.f", - "uuid": "a10e3689-ba8b-4cfe-8467-bb938d1109da", + "uuid": "7d8b90dc-ee9a-4aad-b722-f38fe4c9af78", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "5cc2c76c-9dbf-4f14-93f6-c101ab607c88", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "ca33f0d0-4858-45a2-b4d0-3ff0f245048c", "description": "Add control implementation description here for item si-4_smt.f" } ] }, { "statement-id": "si-4_smt.g", - "uuid": "df2b7e96-fe40-4fbc-8365-63482d858630", + "uuid": "d7adadd0-591d-423e-a0fd-fb7ac8b4b2ea", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ce887cb6-4811-4ffe-8b99-50661ff604c0", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0496915b-145d-43f4-be1d-4db341ad51ae", "description": "Add control implementation description here for item si-4_smt.g" } ] 
@@ -5198,49 +5198,49 @@ ] }, { - "uuid": "7f3def9b-4242-4b10-9249-52bcfd488088", + "uuid": "5cfbe597-56e3-4491-b412-3486a2332c69", "control-id": "si-5", "statements": [ { "statement-id": "si-5_smt.a", - "uuid": "e1607448-ea79-4250-bf29-84b6e0b62a9f", + "uuid": "aa12942c-94c2-4a66-809c-6f97bb817262", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ee376e0d-d6f8-4c0f-9bb5-ece602243870", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "cb0a8318-6532-44b2-a300-09c61274c4ab", "description": "Add control implementation description here for item si-5_smt.a" } ] }, { "statement-id": "si-5_smt.b", - "uuid": "59eab534-cd13-452b-bc46-043ffa896646", + "uuid": "ac04e1f4-3fca-4ac6-8de8-9ce4a15c0c78", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "95ca5358-0a86-4d7c-add2-351b38d25d51", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "122ccc94-b4cf-4109-818d-604a1a6ee82a", "description": "Add control implementation description here for item si-5_smt.b" } ] }, { "statement-id": "si-5_smt.c", - "uuid": "013e04d5-3b1b-4c43-87f3-ffc5a0baba90", + "uuid": "d2fd12e0-1116-4b27-8d7d-cab744f2f4ed", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "cfba51a6-135c-4d7b-b5f3-c9169215ea38", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "6f6f7fc2-2380-448a-b66e-f2f33b842486", "description": "Add control implementation description here for item si-5_smt.c" } ] }, { "statement-id": "si-5_smt.d", - "uuid": "f75e393f-0bd6-4ec8-b73b-7ed3a77e8e7a", + "uuid": "9cf926d3-73d0-429c-ae78-b9e317cb913a", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "390710ae-e20c-4b4e-b55f-7d17d60bf262", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "01373664-539b-4f6e-9be7-c37e5ea5e4a2", "description": "Add control implementation description here for item 
si-5_smt.d" } ] @@ -5248,16 +5248,16 @@ ] }, { - "uuid": "9f90d5b6-84f2-4125-bebe-52e2538ff421", + "uuid": "4773a69f-ca51-4a99-bd89-e843d1ca4a95", "control-id": "si-12", "statements": [ { "statement-id": "si-12_smt", - "uuid": "d0074e91-b5e0-4e5b-9d28-5dddb846f3c1", + "uuid": "48ce10ba-529f-4737-a53a-f6749ffd19c7", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "f598341a-080d-4e7a-b46d-9a5ffcd1323b", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "b1ac0368-f5c0-437f-8b02-f33330f4d4a0", "description": "Add control implementation description here for control si-12" } ] 
@@ -5265,38 +5265,38 @@ ] }, { - "uuid": "14b38627-13bc-4139-92e8-d1cb9b2f2aa0", + "uuid": "122c4dc9-2f08-4714-8e9b-88328b203493", "control-id": "sr-1", "statements": [ { "statement-id": "sr-1_smt.a", - "uuid": "e35cc3ad-ef55-4555-8fe6-559d7503ecc0", + "uuid": "3b6c63aa-372a-4f6c-bb79-3bb43c3d34e9", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0fa0676c-b8d5-40b4-96b1-e25916fb89af", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "525f598a-71a7-4b23-8449-d366106997eb", "description": "Add control implementation description here for item sr-1_smt.a" } ] }, { "statement-id": "sr-1_smt.b", - "uuid": "dbae26bd-5d86-47d5-8e04-611f03ae1e88", + "uuid": "56dfde75-4c10-4176-865c-2849e8a48970", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "1c4ee7ad-957d-486d-bbe7-27e0fc5a3988", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "3987086c-3699-4e1d-95a4-01beb7f07362", "description": "Add control implementation description here for item sr-1_smt.b" } ] }, { "statement-id": "sr-1_smt.c", - "uuid": "e288a95b-3a52-446c-8978-90f088d03975", + "uuid": "fe4edcc7-8f92-4653-a1aa-72d68327176d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0f95f464-cbbb-4a27-865f-9de8f6d3f32c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "67812a86-dac5-44ca-92a0-f2a67a958899", "description": "Add control implementation description here for item sr-1_smt.c" } ] 
@@ -5304,38 +5304,38 @@ ] }, { - "uuid": "cd23353b-68b1-4d70-a0c4-05e98093429a", + "uuid": "26f7e4ca-99e1-4007-9e55-164e0524bf74", "control-id": "sr-2", "statements": [ { "statement-id": "sr-2_smt.a", - "uuid": "37a54720-f5d4-4588-9579-d31fc14d2ab8", + "uuid": "b74a5c58-d9f5-4b5e-ba66-d7588606f3dd", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "b8dd7beb-5e55-4b8f-9c7f-7e021f79e56f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4bfd406c-c7d6-4544-8eed-c0130212443b", "description": "Add control implementation description here for item sr-2_smt.a" } ] }, { "statement-id": "sr-2_smt.b", - "uuid": "0272212f-ac6b-4e37-ac1d-40edf6cc6494", + "uuid": "d8edaef4-5ced-4a26-9b93-2ea9e531d714", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "d4fad1cd-c665-43e3-b9f4-1846c460d4fc", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "be3a9867-22dd-42f9-88c1-d2fb6580bd9c", "description": "Add control implementation description here for item sr-2_smt.b" } ] }, { "statement-id": "sr-2_smt.c", - "uuid": "c1cd5d75-9019-4e06-813e-12ef0647fb7b", + "uuid": "76e7ec51-bc61-44ab-ad92-ccb108fcf6f5", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "69a47069-facb-47fd-9e94-ef858d00e04c", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "f89684c6-4bea-460d-87f2-5bf4e11f1c7e", "description": "Add control implementation description here for item sr-2_smt.c" } ] 
@@ -5343,16 +5343,16 @@ ] }, { - "uuid": "245affe8-d389-4b7f-8f6e-70631797eef8", + "uuid": "81f7fc4f-6601-4ea5-9a5a-721b63fbf8b1", "control-id": "sr-2.1", "statements": [ { "statement-id": "sr-2.1_smt", - "uuid": "9118b659-e299-49c8-ae7b-3dccbe3b14d1", + "uuid": "5704c634-f241-4ee3-855b-7c929ed4991c", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ff9897b6-88bd-4a31-8709-f4b4e0199272", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "7934cca7-77df-4811-aecd-380ae31ac025", "description": "Add control implementation description here for control sr-2.1" } ] 
@@ -5360,38 +5360,38 @@ ] }, { - "uuid": "02329263-11c8-430b-a90a-6fea6f553f22", + "uuid": "1b13ed63-7c41-4db1-858e-3edcf6604323", "control-id": "sr-3", "statements": [ { "statement-id": "sr-3_smt.a", - "uuid": "60ae9c1a-7c26-4108-a30d-844e88366bd4", + "uuid": "91902056-c926-4149-9843-aec2ef1a4de4", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "7e643e32-e154-4a15-ac3c-2b7ec43bcf27", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d0f9daa6-0d23-486d-8b5b-3874fb54617f", "description": "Add control implementation description here for item sr-3_smt.a" } ] }, { "statement-id": "sr-3_smt.b", - "uuid": "75d1f282-a944-436f-8ad4-996414728c53", + "uuid": "bcfbae7c-69fd-4609-bd61-d6a390d923cd", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "5f28b59f-8710-43c3-807f-ba59d0f46aba", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "636b762c-f3bf-4c17-b185-c5dced19026e", "description": "Add control implementation description here for item sr-3_smt.b" } ] }, { "statement-id": "sr-3_smt.c", - "uuid": "027b6af8-e794-4304-970e-fab7b19c93e5", + "uuid": "e22acf7f-acd6-4ee7-a26b-273128b97a6e", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "7fac3f44-aedc-4f1d-9015-b06d9fdbf196", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d922ccf1-e125-48b7-90d8-e556b01dcc12", "description": "Add control implementation description here for item sr-3_smt.c" } ] 
@@ -5399,16 +5399,16 @@ ] }, { - "uuid": "e0ded988-4edc-4180-8827-0f4bc9025a33", + "uuid": "a763e824-92fa-422d-9675-32b38ee9862b", "control-id": "sr-5", "statements": [ { "statement-id": "sr-5_smt", - "uuid": "f638b9a7-e8fe-44b6-b6b2-ca33fa3fd19a", + "uuid": "29248a02-230b-46bb-9c71-1e7c447d35e7", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "6dc30571-0fe9-4835-b039-b3ca9aa969fe", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "3667300a-f90a-4601-b8d9-8f178118687c", "description": "Add control implementation description here for control sr-5" } ] @@ -5416,16 +5416,16 @@ ] }, { - "uuid": "30390c5b-2c2c-45c5-a857-166d44ca6912", + "uuid": "2485998f-27ea-4ce2-a364-4c527c8a2f25", "control-id": "sr-8", "statements": [ { "statement-id": "sr-8_smt", - "uuid": "fe0a36c8-9e2b-4f45-8cc2-e271c4f2b47d", + "uuid": "d33c2254-c462-4b53-8e7e-ab1a6e713a84", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "87b328d9-c1f2-40e7-8675-712e23582ce6", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "0d62a912-f54e-4ea0-8bee-e990ed98b0ad", "description": "Add control implementation description here for control sr-8" } ] @@ -5433,16 +5433,16 @@ ] }, { - "uuid": "50a381ac-f409-442a-a613-043459f5b6e0", + "uuid": "66140820-8b23-4e90-92ee-7bf04d4b5cdf", "control-id": "sr-10", "statements": [ { "statement-id": "sr-10_smt", - "uuid": "43f28511-dfbc-46a2-bcff-b0646c76e55f", + "uuid": "fe809c68-1176-48dc-aa9c-ca4b5532a45d", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "81194a9f-be9f-4127-8404-659f12a56a8f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "e75d1d39-ea24-4b56-97a2-24f42fda541e", "description": "Add control implementation description here for control sr-10" } ] 
@@ -5450,27 +5450,27 @@ ] }, { - "uuid": "b89cd41e-80cb-411a-887d-1238f0f4ec5e", + "uuid": "2cc62e35-1d9d-4af3-bbad-b10505b878fa", "control-id": "sr-11", "statements": [ { "statement-id": "sr-11_smt.a", - "uuid": "bb9ebac8-2334-4a56-94c2-1fc8fa0ffff6", + "uuid": "a05ca36c-ee3c-4bc2-93c3-141818fd053b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "fbd74ec4-5d91-46d2-8b2e-66c8cbf8de5f", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a38ac479-23b1-4a7a-a5ab-26361c2f74c8", "description": "Add control implementation description here for item sr-11_smt.a" } ] }, { "statement-id": "sr-11_smt.b", - "uuid": "7efac7d1-dac9-4866-bf83-5db812f0c2a3", + "uuid": "2ad4b098-d513-4fbc-aa3b-d3d20191585b", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "319d5b21-4c42-4453-869e-93acf84d41df", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "d726fb33-572c-432f-a50a-5c530e2561aa", "description": "Add control implementation description here for item sr-11_smt.b" } ] @@ -5478,16 +5478,16 @@ ] }, { - "uuid": "c91216de-9333-440d-bb53-7d93b0e006f5", + "uuid": "3ff1323f-ab0d-464b-bc31-e3854a8b44d3", "control-id": "sr-11.1", "statements": [ { "statement-id": "sr-11.1_smt", - "uuid": "b4ca654a-76bc-4745-94e2-e81bff6aa653", + "uuid": "83e259e7-c479-4eee-90cf-69e1f2dec932", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "0b8dcd0b-0a1a-4014-b3f3-4a220cfe37c6", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "62d27e3f-cdb0-48fc-94ee-197dcb39eb85", "description": "Add control implementation description here for control sr-11.1" } ] 
@@ -5495,16 +5495,16 @@ ] }, { - "uuid": "ace10183-f379-498d-be41-390598a2c5d4", + "uuid": "8936e892-c4e9-47ef-81dc-3d93eb5f5f58", "control-id": "sr-11.2", "statements": [ { "statement-id": "sr-11.2_smt", - "uuid": "c9a2a3e4-a0ca-40e2-b24c-b6f56b50803f", + "uuid": "b22c0c60-6cb0-40aa-9de1-2549f01809d9", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "ff8550fe-4cf2-418f-9167-b6f23b396346", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "4894ced0-0be7-4b53-a3ec-23f68fdcaaf0", "description": "Add control implementation description here for control sr-11.2" } ] @@ -5512,16 +5512,16 @@ ] }, { - "uuid": "9744de97-659f-4235-9125-94b63d6183a1", + "uuid": "5e158346-bc56-4c56-baaf-cdfe3a051d5f", "control-id": "sr-12", "statements": [ { "statement-id": "sr-12_smt", - "uuid": "53b45ccb-db1b-4a94-ad00-acb735700a75", + "uuid": "1677a0cf-5242-4918-96eb-1c6071309b90", "by-components": [ { - "component-uuid": "97c4a1ff-ff45-44a4-bc2d-f7984ee30497", - "uuid": "fb968d28-b2a0-4dfc-a191-6d01db4f2f44", + "component-uuid": "b06e04c9-2840-4cd2-978b-88a05c5a4de2", + "uuid": "a79279ee-97a8-4af8-86c5-97aa46205314", "description": "Add control implementation description here for control sr-12" } ] diff --git a/ssp_author_demo/test_system/ac/ac-1.md b/ssp_author_demo/test_system/ac/ac-1.md index 810afe8..aff585f 100644 --- a/ssp_author_demo/test_system/ac/ac-1.md +++ b/ssp_author_demo/test_system/ac/ac-1.md @@ -1,12 +1,12 @@ --- sort-id: ac-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- -# ac-1 - Access Control Policy and Procedures +# ac-1 - \[Access Control\] Policy and Procedures -## Control Description +## Control Statement - \[a.\] Develop, document, and disseminate to All employees: 
@@ -24,26 +24,32 @@ x-trestle-sections: - \[1.\] Policy Every year and following Any IT system breach involving inappropriate access management; and - \[2.\] Procedures every quarter and following any IT system breach or known near miss. +## Control Guidance + +Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. + ______________________________________________________________________ -## ac-1 What is the solution and how is it implemented? +## What is the solution and how is it implemented? 
+ + ______________________________________________________________________ -### Part a. +## Implementation a. ACME CISO is responsible for setting the organisation access control policies, and in The access control policies at a global level are reviewed on an annual cycle. ACME CISO also review access control policy whenever ACME legal and/or Compliance teams identify access control obligations. ______________________________________________________________________ -### Part b. +## Implementation b. -Add control implementation description here for statement ac-1_smt.b +Add control implementation description here for item ac-1_smt.b ______________________________________________________________________ -### Part c. +## Implementation c. -Add control implementation description here for statement ac-1_smt.c +Add control implementation description here for item ac-1_smt.c ______________________________________________________________________ diff --git a/ssp_author_demo/test_system/ac/ac-14.md b/ssp_author_demo/test_system/ac/ac-14.md index 4c106c8..1e25d97 100644 --- a/ssp_author_demo/test_system/ac/ac-14.md +++ b/ssp_author_demo/test_system/ac/ac-14.md @@ -1,7 +1,7 @@ --- sort-id: ac-14 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ac-14 - \[Access Control\] Permitted Actions Without Identification or Authentication 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication. -## Control Control Guidance +## Control Guidance Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be "none." diff --git a/ssp_author_demo/test_system/ac/ac-17.md b/ssp_author_demo/test_system/ac/ac-17.md index ebcb6a8..30a8911 100644 --- a/ssp_author_demo/test_system/ac/ac-17.md +++ b/ssp_author_demo/test_system/ac/ac-17.md @@ -1,7 +1,7 @@ --- sort-id: ac-17 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ac-17 - \[Access Control\] Remote Access 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Authorize each type of remote access to the system prior to allowing such connections. -## Control Control Guidance +## Control Guidance Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3). Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3). diff --git a/ssp_author_demo/test_system/ac/ac-18.md b/ssp_author_demo/test_system/ac/ac-18.md index bc69dab..ccba277 100644 --- a/ssp_author_demo/test_system/ac/ac-18.md +++ b/ssp_author_demo/test_system/ac/ac-18.md 
@@ -1,7 +1,7 @@ --- sort-id: ac-18 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ac-18 - \[Access Control\] Wireless Access @@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Authorize each type of wireless access to the system prior to allowing such connections. -## Control Control Guidance +## Control Guidance Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication. diff --git a/ssp_author_demo/test_system/ac/ac-19.md b/ssp_author_demo/test_system/ac/ac-19.md index 69fbc80..105ad2f 100644 --- a/ssp_author_demo/test_system/ac/ac-19.md +++ b/ssp_author_demo/test_system/ac/ac-19.md @@ -1,7 +1,7 @@ --- sort-id: ac-19 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ac-19 - \[Access Control\] Access Control for Mobile Devices 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Authorize the connection of mobile devices to organizational systems. -## Control Control Guidance +## Control Guidance A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. diff --git a/ssp_author_demo/test_system/ac/ac-2.md b/ssp_author_demo/test_system/ac/ac-2.md index 7644f31..7f8c1f5 100644 --- a/ssp_author_demo/test_system/ac/ac-2.md +++ b/ssp_author_demo/test_system/ac/ac-2.md @@ -1,7 +1,7 @@ --- sort-id: ac-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ac-2 - \[Access Control\] Account Management 
@@ -44,7 +44,7 @@ x-trestle-sections: - \[l.\] Align account management processes with personnel termination and transfer processes. -## Control Control Guidance +## Control Guidance Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts. diff --git a/ssp_author_demo/test_system/ac/ac-20.md b/ssp_author_demo/test_system/ac/ac-20.md index 487719d..ceaf2cb 100644 --- a/ssp_author_demo/test_system/ac/ac-20.md +++ b/ssp_author_demo/test_system/ac/ac-20.md @@ -1,7 +1,7 @@ --- sort-id: ac-20 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ac-20 - \[Access Control\] Use of External Systems 
@@ -15,7 +15,7 @@ x-trestle-sections: - \[b.\] Prohibit the use of organizationally-defined types of external systems. -## Control Control Guidance +## Control Guidance External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems). diff --git a/ssp_author_demo/test_system/ac/ac-22.md b/ssp_author_demo/test_system/ac/ac-22.md index 6e4449f..1f45626 100644 --- a/ssp_author_demo/test_system/ac/ac-22.md +++ b/ssp_author_demo/test_system/ac/ac-22.md @@ -1,7 +1,7 @@ --- sort-id: ac-22 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ac-22 - \[Access Control\] Publicly Accessible Content 
@@ -16,7 +16,7 @@ x-trestle-sections: - \[d.\] Review the content on the publicly accessible system for nonpublic information organization-defined frequency and remove such information, if discovered. -## Control Control Guidance +## Control Guidance In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible. diff --git a/ssp_author_demo/test_system/ac/ac-3.md b/ssp_author_demo/test_system/ac/ac-3.md index 3a86345..b182bfd 100644 --- a/ssp_author_demo/test_system/ac/ac-3.md +++ b/ssp_author_demo/test_system/ac/ac-3.md @@ -1,7 +1,7 @@ --- sort-id: ac-03 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ac-3 - \[Access Control\] Access Enforcement 
@@ -10,7 +10,7 @@ x-trestle-sections: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. -## Control Control Guidance +## Control Guidance Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ([PE](#pe)) family. diff --git a/ssp_author_demo/test_system/ac/ac-7.md b/ssp_author_demo/test_system/ac/ac-7.md index 7d62f5c..25566fb 100644 --- a/ssp_author_demo/test_system/ac/ac-7.md +++ b/ssp_author_demo/test_system/ac/ac-7.md @@ -1,7 +1,7 @@ --- sort-id: ac-07 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ac-7 - \[Access Control\] Unsuccessful Logon Attempts 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Automatically lock the account or node for an {{ insert: param, ac-7_prm_4 }} ; lock the account or node until released by an administrator; delay next logon prompt per {{ insert: param, ac-7_prm_5 }} ; notify system administrator; take other {{ insert: param, ac-7_prm_6 }} when the maximum number of unsuccessful attempts is exceeded. -## Control Control Guidance +## Control Guidance The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. 
In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need. diff --git a/ssp_author_demo/test_system/ac/ac-8.md b/ssp_author_demo/test_system/ac/ac-8.md index 74aff27..07ece52 100644 --- a/ssp_author_demo/test_system/ac/ac-8.md +++ b/ssp_author_demo/test_system/ac/ac-8.md @@ -1,7 +1,7 @@ --- sort-id: ac-08 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ac-8 - \[Access Control\] System Use Notification @@ -23,7 +23,7 @@ x-trestle-sections: - \[2.\] Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and - \[3.\] Include a description of the authorized uses of the system. -## Control Control Guidance +## Control Guidance System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content. 
diff --git a/ssp_author_demo/test_system/at/at-1.md b/ssp_author_demo/test_system/at/at-1.md index 47afb64..de9388b 100644 --- a/ssp_author_demo/test_system/at/at-1.md +++ b/ssp_author_demo/test_system/at/at-1.md @@ -1,7 +1,7 @@ --- sort-id: at-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # at-1 - \[Awareness and Training\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/at/at-2.2.md b/ssp_author_demo/test_system/at/at-2.2.md index 9c168d3..3f21df1 100644 --- a/ssp_author_demo/test_system/at/at-2.2.md 
+++ b/ssp_author_demo/test_system/at/at-2.2.md @@ -1,7 +1,7 @@ --- sort-id: at-02.02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # at-2.2 - \[Awareness and Training\] Insider Threat @@ -10,7 +10,7 @@ x-trestle-sections: Provide literacy training on recognizing and reporting potential indicators of insider threat. -## Control Control Guidance +## Control Guidance Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations. diff --git a/ssp_author_demo/test_system/at/at-2.md b/ssp_author_demo/test_system/at/at-2.md index d727d7f..c966b64 100644 --- a/ssp_author_demo/test_system/at/at-2.md +++ b/ssp_author_demo/test_system/at/at-2.md @@ -1,7 +1,7 @@ --- sort-id: at-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # at-2 - \[Awareness and Training\] Literacy Training and Awareness 
@@ -19,7 +19,7 @@ x-trestle-sections: - \[d.\] Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques. -## Control Control Guidance +## Control Guidance Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information. diff --git a/ssp_author_demo/test_system/at/at-3.md b/ssp_author_demo/test_system/at/at-3.md index 2e676de..626c926 100644 --- a/ssp_author_demo/test_system/at/at-3.md +++ b/ssp_author_demo/test_system/at/at-3.md @@ -1,7 +1,7 @@ --- sort-id: at-03 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # at-3 - \[Awareness and Training\] Role-based Training 
@@ -17,7 +17,7 @@ x-trestle-sections: - \[c.\] Incorporate lessons learned from internal or external security incidents or breaches into role-based training. -## Control Control Guidance +## Control Guidance Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information. diff --git a/ssp_author_demo/test_system/at/at-4.md b/ssp_author_demo/test_system/at/at-4.md index 69a59c6..5f7068b 100644 --- a/ssp_author_demo/test_system/at/at-4.md +++ b/ssp_author_demo/test_system/at/at-4.md @@ -1,7 +1,7 @@ --- sort-id: at-04 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # at-4 - \[Awareness and Training\] Training Records 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Retain individual training records for organization-defined time period. -## Control Control Guidance +## Control Guidance Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies. diff --git a/ssp_author_demo/test_system/au/au-1.md b/ssp_author_demo/test_system/au/au-1.md index 5bad678..63a6a6c 100644 --- a/ssp_author_demo/test_system/au/au-1.md +++ b/ssp_author_demo/test_system/au/au-1.md @@ -1,7 +1,7 @@ --- sort-id: au-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # au-1 - \[Audit and Accountability\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/au/au-11.md b/ssp_author_demo/test_system/au/au-11.md index 4dfddaf..e47202c 100644 --- a/ssp_author_demo/test_system/au/au-11.md 
+++ b/ssp_author_demo/test_system/au/au-11.md @@ -1,7 +1,7 @@ --- sort-id: au-11 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # au-11 - \[Audit and Accountability\] Audit Record Retention @@ -10,7 +10,7 @@ x-trestle-sections: Retain audit records for organization-defined time period consistent with records retention policy to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. -## Control Control Guidance +## Control Guidance Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention. diff --git a/ssp_author_demo/test_system/au/au-12.md b/ssp_author_demo/test_system/au/au-12.md index 5eb54cc..dcbc41c 100644 --- a/ssp_author_demo/test_system/au/au-12.md +++ b/ssp_author_demo/test_system/au/au-12.md @@ -1,7 +1,7 @@ --- sort-id: au-12 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # au-12 - \[Audit and Accountability\] Audit Record Generation 
@@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3). -## Control Control Guidance +## Control Guidance Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records. diff --git a/ssp_author_demo/test_system/au/au-2.md b/ssp_author_demo/test_system/au/au-2.md index 8ea9d43..a7078be 100644 --- a/ssp_author_demo/test_system/au/au-2.md +++ b/ssp_author_demo/test_system/au/au-2.md @@ -1,7 +1,7 @@ --- sort-id: au-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # au-2 - \[Audit and Accountability\] Event Logging @@ -18,7 +18,7 @@ x-trestle-sections: - \[e.\] Review and update the event types selected for logging organization-defined frequency. -## Control Control Guidance +## Control Guidance An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. diff --git a/ssp_author_demo/test_system/au/au-3.md b/ssp_author_demo/test_system/au/au-3.md index 448e1fb..7881ac5 100644 
--- a/ssp_author_demo/test_system/au/au-3.md +++ b/ssp_author_demo/test_system/au/au-3.md @@ -1,7 +1,7 @@ --- sort-id: au-03 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # au-3 - \[Audit and Accountability\] Content of Audit Records @@ -22,7 +22,7 @@ Ensure that audit records contain information that establishes the following: - \[f.\] Identity of any individuals, subjects, or objects/entities associated with the event. -## Control Control Guidance +## Control Guidance Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage. diff --git a/ssp_author_demo/test_system/au/au-4.md b/ssp_author_demo/test_system/au/au-4.md index 1fde1e9..192de5f 100644 --- a/ssp_author_demo/test_system/au/au-4.md +++ b/ssp_author_demo/test_system/au/au-4.md @@ -1,7 +1,7 @@ --- sort-id: au-04 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # au-4 - \[Audit and Accountability\] Audit Log Storage Capacity 
@@ -10,7 +10,7 @@ x-trestle-sections: Allocate audit log storage capacity to accommodate organization-defined audit log retention requirements. -## Control Control Guidance +## Control Guidance Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability. diff --git a/ssp_author_demo/test_system/au/au-5.md b/ssp_author_demo/test_system/au/au-5.md index 441e4d3..c7f8f1e 100644 --- a/ssp_author_demo/test_system/au/au-5.md +++ b/ssp_author_demo/test_system/au/au-5.md @@ -1,7 +1,7 @@ --- sort-id: au-05 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # au-5 - \[Audit and Accountability\] Response to Audit Logging Process Failures 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Take the following additional actions: organization-defined additional actions. -## Control Control Guidance +## Control Guidance Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel. diff --git a/ssp_author_demo/test_system/au/au-6.md b/ssp_author_demo/test_system/au/au-6.md index db0da73..461e1df 100644 --- a/ssp_author_demo/test_system/au/au-6.md +++ b/ssp_author_demo/test_system/au/au-6.md @@ -1,7 +1,7 @@ --- sort-id: au-06 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # au-6 - \[Audit and Accountability\] Audit Record Review, Analysis, and Reporting 
@@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. -## Control Control Guidance +## Control Guidance Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. diff --git a/ssp_author_demo/test_system/au/au-8.md b/ssp_author_demo/test_system/au/au-8.md index 9786bcb..eef0a43 100644 --- a/ssp_author_demo/test_system/au/au-8.md +++ b/ssp_author_demo/test_system/au/au-8.md @@ -1,7 +1,7 @@ --- sort-id: au-08 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # au-8 - \[Audit and Accountability\] Time Stamps 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Record time stamps for audit records that meet organization-defined granularity of time measurement and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. -## Control Control Guidance +## Control Guidance Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. diff --git a/ssp_author_demo/test_system/au/au-9.md b/ssp_author_demo/test_system/au/au-9.md index 54d5bbd..6244174 100644 --- a/ssp_author_demo/test_system/au/au-9.md +++ b/ssp_author_demo/test_system/au/au-9.md @@ -1,7 +1,7 @@ --- sort-id: au-09 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # au-9 - \[Audit and Accountability\] Protection of Audit Information 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. -## Control Control Guidance +## Control Guidance Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls. diff --git a/ssp_author_demo/test_system/ca/ca-1.md b/ssp_author_demo/test_system/ca/ca-1.md index 016d5be..8b037f1 100644 --- a/ssp_author_demo/test_system/ca/ca-1.md +++ b/ssp_author_demo/test_system/ca/ca-1.md @@ -1,7 +1,7 @@ --- sort-id: ca-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ca-1 - \[Assessment, Authorization, and Monitoring\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/ca/ca-2.md b/ssp_author_demo/test_system/ca/ca-2.md index fbe4a02..7ccaa99 100644 
--- a/ssp_author_demo/test_system/ca/ca-2.md +++ b/ssp_author_demo/test_system/ca/ca-2.md @@ -1,7 +1,7 @@ --- sort-id: ca-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ca-2 - \[Assessment, Authorization, and Monitoring\] Control Assessments @@ -24,7 +24,7 @@ x-trestle-sections: - \[f.\] Provide the results of the control assessment to organization-defined individuals or roles. -## Control Control Guidance +## Control Guidance Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented. diff --git a/ssp_author_demo/test_system/ca/ca-3.md b/ssp_author_demo/test_system/ca/ca-3.md index 3948b38..516f16e 100644 --- a/ssp_author_demo/test_system/ca/ca-3.md +++ b/ssp_author_demo/test_system/ca/ca-3.md @@ -1,7 +1,7 @@ --- sort-id: ca-03 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ca-3 - \[Assessment, Authorization, and Monitoring\] Information Exchange 
@@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Review and update the agreements organization-defined frequency. -## Control Control Guidance +## Control Guidance System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2), may help to communicate and reduce risk. diff --git a/ssp_author_demo/test_system/ca/ca-5.md b/ssp_author_demo/test_system/ca/ca-5.md index 3e1f15e..4c52af1 100644 --- a/ssp_author_demo/test_system/ca/ca-5.md +++ b/ssp_author_demo/test_system/ca/ca-5.md @@ -1,7 +1,7 @@ --- sort-id: ca-05 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ca-5 - \[Assessment, Authorization, and Monitoring\] Plan of Action and Milestones 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Update existing plan of action and milestones organization-defined frequency based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. -## Control Control Guidance +## Control Guidance Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB. diff --git a/ssp_author_demo/test_system/ca/ca-6.md b/ssp_author_demo/test_system/ca/ca-6.md index d347eb2..6348128 100644 --- a/ssp_author_demo/test_system/ca/ca-6.md +++ b/ssp_author_demo/test_system/ca/ca-6.md @@ -1,7 +1,7 @@ --- sort-id: ca-06 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ca-6 - \[Assessment, Authorization, and Monitoring\] Authorization 
@@ -21,7 +21,7 @@ x-trestle-sections: - \[e.\] Update the authorizations organization-defined frequency. -## Control Control Guidance +## Control Guidance Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities. diff --git a/ssp_author_demo/test_system/ca/ca-7.4.md b/ssp_author_demo/test_system/ca/ca-7.4.md index 82d8595..24570ff 100644 --- a/ssp_author_demo/test_system/ca/ca-7.4.md +++ b/ssp_author_demo/test_system/ca/ca-7.4.md @@ -1,7 +1,7 @@ --- sort-id: ca-07.04 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ca-7.4 - \[Assessment, Authorization, and Monitoring\] Risk Monitoring 
@@ -16,7 +16,7 @@ Ensure risk monitoring is an integral part of the continuous monitoring strategy - \[(c)\] Change monitoring. -## Control Control Guidance +## Control Guidance Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk. diff --git a/ssp_author_demo/test_system/ca/ca-7.md b/ssp_author_demo/test_system/ca/ca-7.md index 0e77873..67ec783 100644 --- a/ssp_author_demo/test_system/ca/ca-7.md +++ b/ssp_author_demo/test_system/ca/ca-7.md @@ -1,7 +1,7 @@ --- sort-id: ca-07 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ca-7 - \[Assessment, Authorization, and Monitoring\] Continuous Monitoring 
@@ -24,7 +24,7 @@ Develop a system-level continuous monitoring strategy and implement continuous m - \[g.\] Reporting the security and privacy status of the system to organization-defined personnel or roles organization-defined frequency. -## Control Control Guidance +## Control Guidance Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms "continuous" and "ongoing" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions. diff --git a/ssp_author_demo/test_system/ca/ca-9.md b/ssp_author_demo/test_system/ca/ca-9.md index 42a11ca..aebb503 100644 --- a/ssp_author_demo/test_system/ca/ca-9.md +++ b/ssp_author_demo/test_system/ca/ca-9.md @@ -1,7 +1,7 @@ --- sort-id: ca-09 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ca-9 - \[Assessment, Authorization, and Monitoring\] Internal System Connections 
@@ -16,7 +16,7 @@ x-trestle-sections: - \[d.\] Review organization-defined frequency the continued need for each internal connection. -## Control Control Guidance +## Control Guidance Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions. diff --git a/ssp_author_demo/test_system/cm/cm-1.md b/ssp_author_demo/test_system/cm/cm-1.md index e916abb..cadeef8 100644 --- a/ssp_author_demo/test_system/cm/cm-1.md +++ b/ssp_author_demo/test_system/cm/cm-1.md @@ -1,7 +1,7 @@ --- sort-id: cm-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cm-1 - \[Configuration Management\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/cm/cm-10.md b/ssp_author_demo/test_system/cm/cm-10.md index dac7ea9..1395bda 100644 
--- a/ssp_author_demo/test_system/cm/cm-10.md +++ b/ssp_author_demo/test_system/cm/cm-10.md @@ -1,7 +1,7 @@ --- sort-id: cm-10 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cm-10 - \[Configuration Management\] Software Usage Restrictions @@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. -## Control Control Guidance +## Control Guidance Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements. diff --git a/ssp_author_demo/test_system/cm/cm-11.md b/ssp_author_demo/test_system/cm/cm-11.md index 2483039..0596612 100644 --- a/ssp_author_demo/test_system/cm/cm-11.md +++ b/ssp_author_demo/test_system/cm/cm-11.md @@ -1,7 +1,7 @@ --- sort-id: cm-11 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cm-11 - \[Configuration Management\] User-installed Software 
@@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Monitor policy compliance organization-defined frequency. -## Control Control Guidance +## Control Guidance If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved "app stores." Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods. diff --git a/ssp_author_demo/test_system/cm/cm-2.md b/ssp_author_demo/test_system/cm/cm-2.md index 5b437de..c829e61 100644 --- a/ssp_author_demo/test_system/cm/cm-2.md +++ b/ssp_author_demo/test_system/cm/cm-2.md @@ -1,7 +1,7 @@ --- sort-id: cm-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cm-2 - \[Configuration Management\] Baseline Configuration 
@@ -16,7 +16,7 @@ x-trestle-sections: - \[2.\] When required due to organization-defined circumstances; and - \[3.\] When system components are installed or upgraded. -## Control Control Guidance +## Control Guidance Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture. diff --git a/ssp_author_demo/test_system/cm/cm-4.md b/ssp_author_demo/test_system/cm/cm-4.md index 96ec5cb..af2fb26 100644 --- a/ssp_author_demo/test_system/cm/cm-4.md +++ b/ssp_author_demo/test_system/cm/cm-4.md @@ -1,7 +1,7 @@ --- sort-id: cm-04 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cm-4 - \[Configuration Management\] Impact Analyses 
@@ -10,7 +10,7 @@ x-trestle-sections: Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. -## Control Control Guidance +## Control Guidance Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required. diff --git a/ssp_author_demo/test_system/cm/cm-5.md b/ssp_author_demo/test_system/cm/cm-5.md index 48a4848..bac9bc2 100644 --- a/ssp_author_demo/test_system/cm/cm-5.md +++ b/ssp_author_demo/test_system/cm/cm-5.md @@ -1,7 +1,7 @@ --- sort-id: cm-05 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cm-5 - \[Configuration Management\] Access Restrictions for Change 
@@ -10,7 +10,7 @@ x-trestle-sections: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. -## Control Control Guidance +## Control Guidance Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3)), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times). diff --git a/ssp_author_demo/test_system/cm/cm-6.md b/ssp_author_demo/test_system/cm/cm-6.md index d734616..2f0bcaf 100644 --- a/ssp_author_demo/test_system/cm/cm-6.md +++ b/ssp_author_demo/test_system/cm/cm-6.md @@ -1,7 +1,7 @@ --- sort-id: cm-06 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cm-6 - \[Configuration Management\] Configuration Settings 
@@ -16,7 +16,7 @@ x-trestle-sections: - \[d.\] Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. -## Control Control Guidance +## Control Guidance Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. diff --git a/ssp_author_demo/test_system/cm/cm-7.md b/ssp_author_demo/test_system/cm/cm-7.md index 19eb1ad..a5f2a36 100644 --- a/ssp_author_demo/test_system/cm/cm-7.md +++ b/ssp_author_demo/test_system/cm/cm-7.md @@ -1,7 +1,7 @@ --- sort-id: cm-07 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cm-7 - \[Configuration Management\] Least Functionality 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services. -## Control Control Guidance +## Control Guidance Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2), and [SC-3](#sc-3)). diff --git a/ssp_author_demo/test_system/cm/cm-8.md b/ssp_author_demo/test_system/cm/cm-8.md index d4b286f..9544aa9 100644 --- a/ssp_author_demo/test_system/cm/cm-8.md +++ b/ssp_author_demo/test_system/cm/cm-8.md @@ -1,7 +1,7 @@ --- sort-id: cm-08 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cm-8 - \[Configuration Management\] System Component Inventory 
@@ -18,7 +18,7 @@ x-trestle-sections: - \[b.\] Review and update the system component inventory organization-defined frequency. -## Control Control Guidance +## Control Guidance System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location. diff --git a/ssp_author_demo/test_system/cp/cp-1.md b/ssp_author_demo/test_system/cp/cp-1.md index 3e0a055..505e073 100644 --- a/ssp_author_demo/test_system/cp/cp-1.md +++ b/ssp_author_demo/test_system/cp/cp-1.md @@ -1,7 +1,7 @@ --- sort-id: cp-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cp-1 - \[Contingency Planning\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/cp/cp-10.md b/ssp_author_demo/test_system/cp/cp-10.md index c19edc9..524cdce 100644 --- a/ssp_author_demo/test_system/cp/cp-10.md 
+++ b/ssp_author_demo/test_system/cp/cp-10.md @@ -1,7 +1,7 @@ --- sort-id: cp-10 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cp-10 - \[Contingency Planning\] System Recovery and Reconstitution @@ -10,7 +10,7 @@ x-trestle-sections: Provide for the recovery and reconstitution of the system to a known state within organization-defined time period consistent with recovery time and recovery point objectives after a disruption, compromise, or failure. -## Control Control Guidance +## Control Guidance Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning. diff --git a/ssp_author_demo/test_system/cp/cp-2.md b/ssp_author_demo/test_system/cp/cp-2.md index a88d7b1..90ac759 100644 --- a/ssp_author_demo/test_system/cp/cp-2.md +++ b/ssp_author_demo/test_system/cp/cp-2.md @@ -1,7 +1,7 @@ --- sort-id: cp-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cp-2 - \[Contingency Planning\] Contingency Plan 
@@ -32,7 +32,7 @@ x-trestle-sections: - \[h.\] Protect the contingency plan from unauthorized disclosure and modification. -## Control Control Guidance +## Control Guidance Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level. diff --git a/ssp_author_demo/test_system/cp/cp-3.md b/ssp_author_demo/test_system/cp/cp-3.md index 50b0018..6d62a75 100644 --- a/ssp_author_demo/test_system/cp/cp-3.md +++ b/ssp_author_demo/test_system/cp/cp-3.md @@ -1,7 +1,7 @@ --- sort-id: cp-03 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cp-3 - \[Contingency Planning\] Contingency Training 
@@ -16,7 +16,7 @@ x-trestle-sections: - \[b.\] Review and update contingency training content organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements. diff --git a/ssp_author_demo/test_system/cp/cp-4.md b/ssp_author_demo/test_system/cp/cp-4.md index a7e8e99..382dcc7 100644 --- a/ssp_author_demo/test_system/cp/cp-4.md +++ b/ssp_author_demo/test_system/cp/cp-4.md 
@@ -1,7 +1,7 @@ --- sort-id: cp-04 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cp-4 - \[Contingency Planning\] Contingency Plan Testing @@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Initiate corrective actions, if needed. -## Control Control Guidance +## Control Guidance Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. diff --git a/ssp_author_demo/test_system/cp/cp-9.md b/ssp_author_demo/test_system/cp/cp-9.md index 02c7ecd..6b7c81d 100644 --- a/ssp_author_demo/test_system/cp/cp-9.md +++ b/ssp_author_demo/test_system/cp/cp-9.md @@ -1,7 +1,7 @@ --- sort-id: cp-09 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # cp-9 - \[Contingency Planning\] System Backup 
@@ -16,7 +16,7 @@ x-trestle-sections: - \[d.\] Protect the confidentiality, integrity, and availability of backup information. -## Control Control Guidance +## Control Guidance System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8). System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements. diff --git a/ssp_author_demo/test_system/ia/ia-1.md b/ssp_author_demo/test_system/ia/ia-1.md index d806aa5..f1e2382 100644 --- a/ssp_author_demo/test_system/ia/ia-1.md +++ b/ssp_author_demo/test_system/ia/ia-1.md @@ -1,7 +1,7 @@ --- sort-id: ia-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-1 - \[Identification and Authentication\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/ia/ia-11.md b/ssp_author_demo/test_system/ia/ia-11.md index daf9f12..57f3a77 100644 
--- a/ssp_author_demo/test_system/ia/ia-11.md +++ b/ssp_author_demo/test_system/ia/ia-11.md @@ -1,7 +1,7 @@ --- sort-id: ia-11 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-11 - \[Identification and Authentication\] Re-authentication @@ -10,7 +10,7 @@ x-trestle-sections: Require users to re-authenticate when organization-defined circumstances or situations requiring re-authentication. -## Control Control Guidance +## Control Guidance In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically. diff --git a/ssp_author_demo/test_system/ia/ia-2.1.md b/ssp_author_demo/test_system/ia/ia-2.1.md index c613cb6..7bf75b0 100644 --- a/ssp_author_demo/test_system/ia/ia-2.1.md +++ b/ssp_author_demo/test_system/ia/ia-2.1.md @@ -1,7 +1,7 @@ --- sort-id: ia-02.01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-2.1 - \[Identification and Authentication\] Multi-factor Authentication to Privileged Accounts 
@@ -10,7 +10,7 @@ x-trestle-sections: Implement multi-factor authentication for access to privileged accounts. -## Control Control Guidance +## Control Guidance Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number \[PIN\]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access. diff --git a/ssp_author_demo/test_system/ia/ia-2.12.md b/ssp_author_demo/test_system/ia/ia-2.12.md index 32e07ef..489414e 100644 --- a/ssp_author_demo/test_system/ia/ia-2.12.md +++ b/ssp_author_demo/test_system/ia/ia-2.12.md @@ -1,7 +1,7 @@ --- sort-id: ia-02.12 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-2.12 - \[Identification and Authentication\] Acceptance of PIV Credentials 
@@ -10,7 +10,7 @@ x-trestle-sections: Accept and electronically verify Personal Identity Verification-compliant credentials. -## Control Control Guidance +## Control Guidance Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03). Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c). The DOD Common Access Card (CAC) is an example of a PIV credential. diff --git a/ssp_author_demo/test_system/ia/ia-2.2.md b/ssp_author_demo/test_system/ia/ia-2.2.md index 5073b82..ff6657c 100644 --- a/ssp_author_demo/test_system/ia/ia-2.2.md +++ b/ssp_author_demo/test_system/ia/ia-2.2.md @@ -1,7 +1,7 @@ --- sort-id: ia-02.02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-2.2 - \[Identification and Authentication\] Multi-factor Authentication to Non-privileged Accounts 
@@ -10,7 +10,7 @@ x-trestle-sections: Implement multi-factor authentication for access to non-privileged accounts. -## Control Control Guidance +## Control Guidance Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number \[PIN\]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access. diff --git a/ssp_author_demo/test_system/ia/ia-2.8.md b/ssp_author_demo/test_system/ia/ia-2.8.md index 2e6de55..8166d7a 100644 --- a/ssp_author_demo/test_system/ia/ia-2.8.md +++ b/ssp_author_demo/test_system/ia/ia-2.8.md @@ -1,7 +1,7 @@ --- sort-id: ia-02.08 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-2.8 - \[Identification and Authentication\] Access to Accounts — Replay Resistant 
@@ -10,7 +10,7 @@ x-trestle-sections: Implement replay-resistant authentication mechanisms for access to privileged accounts; non-privileged accounts. -## Control Control Guidance +## Control Guidance Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators. diff --git a/ssp_author_demo/test_system/ia/ia-2.md b/ssp_author_demo/test_system/ia/ia-2.md index 07f2aeb..c3fdb16 100644 --- a/ssp_author_demo/test_system/ia/ia-2.md +++ b/ssp_author_demo/test_system/ia/ia-2.md @@ -1,7 +1,7 @@ --- sort-id: ia-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-2 - \[Identification and Authentication\] Identification and Authentication (organizational Users) @@ -10,7 +10,7 @@ x-trestle-sections: Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. -## Control Control Guidance +## Control Guidance Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0). Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. 
diff --git a/ssp_author_demo/test_system/ia/ia-4.md b/ssp_author_demo/test_system/ia/ia-4.md index 9b8a3e7..b0a6f2d 100644 --- a/ssp_author_demo/test_system/ia/ia-4.md +++ b/ssp_author_demo/test_system/ia/ia-4.md @@ -1,7 +1,7 @@ --- sort-id: ia-04 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-4 - \[Identification and Authentication\] Identifier Management @@ -18,7 +18,7 @@ Manage system identifiers by: - \[d.\] Preventing reuse of identifiers for organization-defined time period. -## Control Control Guidance +## Control Guidance Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4). Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices. diff --git a/ssp_author_demo/test_system/ia/ia-5.1.md b/ssp_author_demo/test_system/ia/ia-5.1.md index d59d949..c4b3c62 100644 --- a/ssp_author_demo/test_system/ia/ia-5.1.md +++ b/ssp_author_demo/test_system/ia/ia-5.1.md @@ -1,7 +1,7 @@ --- sort-id: ia-05.01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-5.1 - \[Identification and Authentication\] Password-based Authentication 
@@ -26,7 +26,7 @@ For password-based authentication: - \[(h)\] Enforce the following composition and complexity rules: organization-defined composition and complexity rules. -## Control Control Guidance +## Control Guidance Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof. diff --git a/ssp_author_demo/test_system/ia/ia-5.md b/ssp_author_demo/test_system/ia/ia-5.md index 61e634c..b7397d3 100644 --- a/ssp_author_demo/test_system/ia/ia-5.md +++ b/ssp_author_demo/test_system/ia/ia-5.md @@ -1,7 +1,7 @@ --- sort-id: ia-05 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-5 - \[Identification and Authentication\] Authenticator Management 
@@ -28,7 +28,7 @@ Manage system authenticators by: - \[i.\] Changing authenticators for group or role accounts when membership to those accounts changes. -## Control Control Guidance +## Control Guidance Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6), and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges. diff --git a/ssp_author_demo/test_system/ia/ia-6.md b/ssp_author_demo/test_system/ia/ia-6.md index 2e45306..72734b1 100644 --- a/ssp_author_demo/test_system/ia/ia-6.md +++ b/ssp_author_demo/test_system/ia/ia-6.md @@ -1,7 +1,7 @@ --- sort-id: ia-06 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-6 - \[Identification and Authentication\] Authentication Feedback 
@@ -10,7 +10,7 @@ x-trestle-sections: Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. -## Control Control Guidance +## Control Guidance Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it. diff --git a/ssp_author_demo/test_system/ia/ia-7.md b/ssp_author_demo/test_system/ia/ia-7.md index ea73bf6..d61e819 100644 --- a/ssp_author_demo/test_system/ia/ia-7.md +++ b/ssp_author_demo/test_system/ia/ia-7.md @@ -1,7 +1,7 @@ --- sort-id: ia-07 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-7 - \[Identification and Authentication\] Cryptographic Module Authentication @@ -10,7 +10,7 @@ x-trestle-sections: Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. -## Control Control Guidance +## Control Guidance Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. 
diff --git a/ssp_author_demo/test_system/ia/ia-8.1.md b/ssp_author_demo/test_system/ia/ia-8.1.md index b6a4fb0..e7c44f3 100644 --- a/ssp_author_demo/test_system/ia/ia-8.1.md +++ b/ssp_author_demo/test_system/ia/ia-8.1.md @@ -1,7 +1,7 @@ --- sort-id: ia-08.01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-8.1 - \[Identification and Authentication\] Acceptance of PIV Credentials from Other Agencies @@ -10,7 +10,7 @@ x-trestle-sections: Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. -## Control Control Guidance +## Control Guidance Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03). diff --git a/ssp_author_demo/test_system/ia/ia-8.2.md b/ssp_author_demo/test_system/ia/ia-8.2.md index a61d6cf..244722d 100644 --- a/ssp_author_demo/test_system/ia/ia-8.2.md +++ b/ssp_author_demo/test_system/ia/ia-8.2.md @@ -1,7 +1,7 @@ --- sort-id: ia-08.02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-8.2 - \[Identification and Authentication\] Acceptance of External Authenticators 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[(b)\] Document and maintain a list of accepted external authenticators. -## Control Control Guidance +## Control Guidance Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce). Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level. diff --git a/ssp_author_demo/test_system/ia/ia-8.4.md b/ssp_author_demo/test_system/ia/ia-8.4.md index d3274a4..0fc21a2 100644 --- a/ssp_author_demo/test_system/ia/ia-8.4.md +++ b/ssp_author_demo/test_system/ia/ia-8.4.md @@ -1,7 +1,7 @@ --- sort-id: ia-08.04 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-8.4 - \[Identification and Authentication\] Use of Defined Profiles @@ -10,7 +10,7 @@ x-trestle-sections: Conform to the following profiles for identity management organization-defined identity management profiles. -## Control Control Guidance +## Control Guidance Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. diff --git a/ssp_author_demo/test_system/ia/ia-8.md b/ssp_author_demo/test_system/ia/ia-8.md index ced7818..0d541dd 100644 
--- a/ssp_author_demo/test_system/ia/ia-8.md +++ b/ssp_author_demo/test_system/ia/ia-8.md @@ -1,7 +1,7 @@ --- sort-id: ia-08 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ia-8 - \[Identification and Authentication\] Identification and Authentication (non-organizational Users) @@ -10,7 +10,7 @@ x-trestle-sections: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. -## Control Control Guidance +## Control Guidance Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2). Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14). Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk. diff --git a/ssp_author_demo/test_system/ir/ir-1.md b/ssp_author_demo/test_system/ir/ir-1.md index 8c86360..9d020f8 100644 --- a/ssp_author_demo/test_system/ir/ir-1.md +++ b/ssp_author_demo/test_system/ir/ir-1.md @@ -1,7 +1,7 @@ --- sort-id: ir-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ir-1 - \[Incident Response\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/ir/ir-2.md b/ssp_author_demo/test_system/ir/ir-2.md index 67272d5..66594a5 100644 --- a/ssp_author_demo/test_system/ir/ir-2.md +++ b/ssp_author_demo/test_system/ir/ir-2.md 
@@ -1,7 +1,7 @@ --- sort-id: ir-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ir-2 - \[Incident Response\] Incident Response Training @@ -16,7 +16,7 @@ x-trestle-sections: - \[b.\] Review and update incident response training content organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3). Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. diff --git a/ssp_author_demo/test_system/ir/ir-4.md b/ssp_author_demo/test_system/ir/ir-4.md index e7acef6..c1ae5e3 100644 --- a/ssp_author_demo/test_system/ir/ir-4.md +++ b/ssp_author_demo/test_system/ir/ir-4.md @@ -1,7 +1,7 @@ --- sort-id: ir-04 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ir-4 - \[Incident Response\] Incident Handling 
@@ -16,7 +16,7 @@ x-trestle-sections: - \[d.\] Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. -## Control Control Guidance +## Control Guidance Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive \[function\], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. diff --git a/ssp_author_demo/test_system/ir/ir-5.md b/ssp_author_demo/test_system/ir/ir-5.md index 93a0684..c4c1d94 100644 
--- a/ssp_author_demo/test_system/ir/ir-5.md +++ b/ssp_author_demo/test_system/ir/ir-5.md @@ -1,7 +1,7 @@ --- sort-id: ir-05 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ir-5 - \[Incident Response\] Incident Monitoring @@ -10,7 +10,7 @@ x-trestle-sections: Track and document incidents. -## Control Control Guidance +## Control Guidance Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring. diff --git a/ssp_author_demo/test_system/ir/ir-6.md b/ssp_author_demo/test_system/ir/ir-6.md index df9f2b9..e79dab1 100644 --- a/ssp_author_demo/test_system/ir/ir-6.md +++ b/ssp_author_demo/test_system/ir/ir-6.md @@ -1,7 +1,7 @@ --- sort-id: ir-06 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ir-6 - \[Incident Response\] Incident Reporting @@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Report incident information to organization-defined authorities. -## Control Control Guidance +## Control Guidance The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products. diff --git a/ssp_author_demo/test_system/ir/ir-7.md b/ssp_author_demo/test_system/ir/ir-7.md index d732979..a9bc1c4 100644 
--- a/ssp_author_demo/test_system/ir/ir-7.md +++ b/ssp_author_demo/test_system/ir/ir-7.md @@ -1,7 +1,7 @@ --- sort-id: ir-07 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ir-7 - \[Incident Response\] Incident Response Assistance @@ -10,7 +10,7 @@ x-trestle-sections: Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. -## Control Control Guidance +## Control Guidance Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required. diff --git a/ssp_author_demo/test_system/ir/ir-8.md b/ssp_author_demo/test_system/ir/ir-8.md index 07d27e8..f8216ea 100644 --- a/ssp_author_demo/test_system/ir/ir-8.md +++ b/ssp_author_demo/test_system/ir/ir-8.md @@ -1,7 +1,7 @@ --- sort-id: ir-08 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ir-8 - \[Incident Response\] Incident Response Plan 
@@ -29,7 +29,7 @@ x-trestle-sections: - \[e.\] Protect the incident response plan from unauthorized disclosure and modification. -## Control Control Guidance +## Control Guidance It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly. diff --git a/ssp_author_demo/test_system/ma/ma-1.md b/ssp_author_demo/test_system/ma/ma-1.md index 11c1139..f5af444 100644 --- a/ssp_author_demo/test_system/ma/ma-1.md +++ b/ssp_author_demo/test_system/ma/ma-1.md @@ -1,7 +1,7 @@ --- sort-id: ma-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ma-1 - \[Maintenance\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/ma/ma-2.md b/ssp_author_demo/test_system/ma/ma-2.md index 49fc658..e959c34 100644 --- a/ssp_author_demo/test_system/ma/ma-2.md +++ b/ssp_author_demo/test_system/ma/ma-2.md 
@@ -1,7 +1,7 @@ --- sort-id: ma-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ma-2 - \[Maintenance\] Controlled Maintenance @@ -20,7 +20,7 @@ x-trestle-sections: - \[f.\] Include the following information in organizational maintenance records: organization-defined information. -## Control Control Guidance +## Control Guidance Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems. diff --git a/ssp_author_demo/test_system/ma/ma-4.md b/ssp_author_demo/test_system/ma/ma-4.md index 7e69d5a..f028f22 100644 --- a/ssp_author_demo/test_system/ma/ma-4.md +++ b/ssp_author_demo/test_system/ma/ma-4.md @@ -1,7 +1,7 @@ --- sort-id: ma-04 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ma-4 - \[Maintenance\] Nonlocal Maintenance 
@@ -18,7 +18,7 @@ x-trestle-sections: - \[e.\] Terminate session and network connections when nonlocal maintenance is completed. -## Control Control Guidance +## Control Guidance Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2). Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators. diff --git a/ssp_author_demo/test_system/ma/ma-5.md b/ssp_author_demo/test_system/ma/ma-5.md index bfc3313..67d18a6 100644 --- a/ssp_author_demo/test_system/ma/ma-5.md +++ b/ssp_author_demo/test_system/ma/ma-5.md @@ -1,7 +1,7 @@ --- sort-id: ma-05 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ma-5 - \[Maintenance\] Maintenance Personnel 
@@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. -## Control Control Guidance +## Control Guidance Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. diff --git a/ssp_author_demo/test_system/mp/mp-1.md b/ssp_author_demo/test_system/mp/mp-1.md index 5d35b12..eedf09f 100644 --- a/ssp_author_demo/test_system/mp/mp-1.md +++ b/ssp_author_demo/test_system/mp/mp-1.md @@ -1,7 +1,7 @@ --- sort-id: mp-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # mp-1 - \[Media Protection\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/mp/mp-2.md b/ssp_author_demo/test_system/mp/mp-2.md index 587f1ea..47e10ae 100644 --- a/ssp_author_demo/test_system/mp/mp-2.md 
+++ b/ssp_author_demo/test_system/mp/mp-2.md @@ -1,7 +1,7 @@ --- sort-id: mp-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # mp-2 - \[Media Protection\] Media Access @@ -10,7 +10,7 @@ x-trestle-sections: Restrict access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles. -## Control Control Guidance +## Control Guidance System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media. diff --git a/ssp_author_demo/test_system/mp/mp-6.md b/ssp_author_demo/test_system/mp/mp-6.md index 0bfce8b..5ffbb3f 100644 --- a/ssp_author_demo/test_system/mp/mp-6.md +++ b/ssp_author_demo/test_system/mp/mp-6.md @@ -1,7 +1,7 @@ --- sort-id: mp-06 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # mp-6 - \[Media Protection\] Media Sanitization 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. -## Control Control Guidance +## Control Guidance Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information. 
diff --git a/ssp_author_demo/test_system/mp/mp-7.md b/ssp_author_demo/test_system/mp/mp-7.md index 4a633ea..81cb524 100644 --- a/ssp_author_demo/test_system/mp/mp-7.md +++ b/ssp_author_demo/test_system/mp/mp-7.md @@ -1,7 +1,7 @@ --- sort-id: mp-07 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # mp-7 - \[Media Protection\] Media Use 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. -## Control Control Guidance +## Control Guidance System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2), which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices. diff --git a/ssp_author_demo/test_system/pe/pe-1.md b/ssp_author_demo/test_system/pe/pe-1.md index ea9ea45..e0a3298 100644 --- a/ssp_author_demo/test_system/pe/pe-1.md 
+++ b/ssp_author_demo/test_system/pe/pe-1.md @@ -1,7 +1,7 @@ --- sort-id: pe-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pe-1 - \[Physical and Environmental Protection\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/pe/pe-12.md b/ssp_author_demo/test_system/pe/pe-12.md index 67d9810..365087a 100644 
--- a/ssp_author_demo/test_system/pe/pe-12.md +++ b/ssp_author_demo/test_system/pe/pe-12.md @@ -1,7 +1,7 @@ --- sort-id: pe-12 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pe-12 - \[Physical and Environmental Protection\] Emergency Lighting @@ -10,7 +10,7 @@ x-trestle-sections: Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. -## Control Control Guidance +## Control Guidance The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies. diff --git a/ssp_author_demo/test_system/pe/pe-13.md b/ssp_author_demo/test_system/pe/pe-13.md index 38b2a0a..19a752e 100644 --- a/ssp_author_demo/test_system/pe/pe-13.md +++ b/ssp_author_demo/test_system/pe/pe-13.md @@ -1,7 +1,7 @@ --- sort-id: pe-13 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pe-13 - \[Physical and Environmental Protection\] Fire Protection 
@@ -10,7 +10,7 @@ x-trestle-sections: Employ and maintain fire detection and suppression systems that are supported by an independent energy source. -## Control Control Guidance +## Control Guidance The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility. diff --git a/ssp_author_demo/test_system/pe/pe-14.md b/ssp_author_demo/test_system/pe/pe-14.md index f78ce9a..b92d34b 100644 --- a/ssp_author_demo/test_system/pe/pe-14.md +++ b/ssp_author_demo/test_system/pe/pe-14.md @@ -1,7 +1,7 @@ --- sort-id: pe-14 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pe-14 - \[Physical and Environmental Protection\] Environmental Controls @@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Monitor environmental control levels organization-defined frequency. -## Control Control Guidance +## Control Guidance The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions. diff --git a/ssp_author_demo/test_system/pe/pe-15.md b/ssp_author_demo/test_system/pe/pe-15.md index e4eccd5..dd18269 100644 --- a/ssp_author_demo/test_system/pe/pe-15.md +++ b/ssp_author_demo/test_system/pe/pe-15.md 
@@ -1,7 +1,7 @@ --- sort-id: pe-15 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pe-15 - \[Physical and Environmental Protection\] Water Damage Protection @@ -10,7 +10,7 @@ x-trestle-sections: Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. -## Control Control Guidance +## Control Guidance The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations. diff --git a/ssp_author_demo/test_system/pe/pe-16.md b/ssp_author_demo/test_system/pe/pe-16.md index 4b3836d..37dcd0d 100644 --- a/ssp_author_demo/test_system/pe/pe-16.md +++ b/ssp_author_demo/test_system/pe/pe-16.md @@ -1,7 +1,7 @@ --- sort-id: pe-16 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pe-16 - \[Physical and Environmental Protection\] Delivery and Removal @@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Maintain records of the system components. -## Control Control Guidance +## Control Guidance Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries. diff --git a/ssp_author_demo/test_system/pe/pe-2.md b/ssp_author_demo/test_system/pe/pe-2.md index c2f2ab7..2648407 100644 --- a/ssp_author_demo/test_system/pe/pe-2.md +++ b/ssp_author_demo/test_system/pe/pe-2.md @@ -1,7 +1,7 @@ --- sort-id: pe-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pe-2 - \[Physical and Environmental Protection\] Physical Access Authorizations 
@@ -16,7 +16,7 @@ x-trestle-sections: - \[d.\] Remove individuals from the facility access list when access is no longer required. -## Control Control Guidance +## Control Guidance Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible. diff --git a/ssp_author_demo/test_system/pe/pe-3.md b/ssp_author_demo/test_system/pe/pe-3.md index ee5291d..c6d4b01 100644 --- a/ssp_author_demo/test_system/pe/pe-3.md +++ b/ssp_author_demo/test_system/pe/pe-3.md @@ -1,7 +1,7 @@ --- sort-id: pe-03 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pe-3 - \[Physical and Environmental Protection\] Physical Access Control 
@@ -25,7 +25,7 @@ x-trestle-sections: - \[g.\] Change combinations and keys organization-defined frequency and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. -## Control Control Guidance +## Control Guidance Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components. diff --git a/ssp_author_demo/test_system/pe/pe-6.md b/ssp_author_demo/test_system/pe/pe-6.md index 1999226..c6c6d97 100644 --- a/ssp_author_demo/test_system/pe/pe-6.md +++ b/ssp_author_demo/test_system/pe/pe-6.md @@ -1,7 +1,7 @@ --- sort-id: pe-06 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pe-6 - \[Physical and Environmental Protection\] Monitoring Physical Access 
@@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Coordinate results of reviews and investigations with the organizational incident response capability. -## Control Control Guidance +## Control Guidance Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2), if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses. diff --git a/ssp_author_demo/test_system/pe/pe-8.md b/ssp_author_demo/test_system/pe/pe-8.md index 090aaf3..dfc7ff8 100644 --- a/ssp_author_demo/test_system/pe/pe-8.md +++ b/ssp_author_demo/test_system/pe/pe-8.md @@ -1,7 +1,7 @@ --- sort-id: pe-08 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pe-8 - \[Physical and Environmental Protection\] Visitor Access Records 
@@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Report anomalies in visitor access records to organization-defined personnel. -## Control Control Guidance +## Control Guidance Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas. diff --git a/ssp_author_demo/test_system/pl/pl-1.md b/ssp_author_demo/test_system/pl/pl-1.md index 2bed5e7..ce2b2c4 100644 --- a/ssp_author_demo/test_system/pl/pl-1.md +++ b/ssp_author_demo/test_system/pl/pl-1.md @@ -1,7 +1,7 @@ --- sort-id: pl-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pl-1 - \[Planning\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/pl/pl-10.md b/ssp_author_demo/test_system/pl/pl-10.md index 10a9068..0fc9033 100644 --- a/ssp_author_demo/test_system/pl/pl-10.md +++ b/ssp_author_demo/test_system/pl/pl-10.md 
@@ -1,7 +1,7 @@ --- sort-id: pl-10 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pl-10 - \[Planning\] Baseline Selection 
@@ -10,7 +10,7 @@ x-trestle-sections: Select a control baseline for the system. -## Control Control Guidance +## Control Guidance Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11)). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752). The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455). The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. 
[CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems. diff --git a/ssp_author_demo/test_system/pl/pl-11.md b/ssp_author_demo/test_system/pl/pl-11.md index b36a992..b295fa6 100644 --- a/ssp_author_demo/test_system/pl/pl-11.md +++ b/ssp_author_demo/test_system/pl/pl-11.md @@ -1,7 +1,7 @@ --- sort-id: pl-11 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pl-11 - \[Planning\] Baseline Tailoring 
@@ -10,7 +10,7 @@ x-trestle-sections: Tailor the selected control baseline by applying specified tailoring actions. -## Control Control Guidance +## Control Guidance The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752). Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455), and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef). Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities. diff --git a/ssp_author_demo/test_system/pl/pl-2.md b/ssp_author_demo/test_system/pl/pl-2.md index 229dfdd..39cd37e 100644 
--- a/ssp_author_demo/test_system/pl/pl-2.md +++ b/ssp_author_demo/test_system/pl/pl-2.md @@ -1,7 +1,7 @@ --- sort-id: pl-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pl-2 - \[Planning\] System Security and Privacy Plans @@ -34,7 +34,7 @@ x-trestle-sections: - \[e.\] Protect the plans from unauthorized disclosure and modification. -## Control Control Guidance +## Control Guidance System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls. diff --git a/ssp_author_demo/test_system/pl/pl-4.1.md b/ssp_author_demo/test_system/pl/pl-4.1.md index cda709f..1b9ec6d 100644 --- a/ssp_author_demo/test_system/pl/pl-4.1.md +++ b/ssp_author_demo/test_system/pl/pl-4.1.md 
@@ -1,7 +1,7 @@ --- sort-id: pl-04.01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pl-4.1 - \[Planning\] Social Media and External Site/application Usage Restrictions @@ -16,7 +16,7 @@ Include in the rules of behavior, restrictions on: - \[(c)\] Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications. -## Control Control Guidance +## Control Guidance Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information. diff --git a/ssp_author_demo/test_system/pl/pl-4.md b/ssp_author_demo/test_system/pl/pl-4.md index d4f2092..b53de97 100644 --- a/ssp_author_demo/test_system/pl/pl-4.md +++ b/ssp_author_demo/test_system/pl/pl-4.md @@ -1,7 +1,7 @@ --- sort-id: pl-04 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # pl-4 - \[Planning\] Rules of Behavior 
@@ -16,7 +16,7 @@ x-trestle-sections: - \[d.\] Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-4_prm_3 }} ; when the rules are revised or updated. -## Control Control Guidance +## Control Guidance Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6)). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8). The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b), the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons. diff --git a/ssp_author_demo/test_system/ps/ps-1.md b/ssp_author_demo/test_system/ps/ps-1.md index 6ee51e8..19cbe5c 100644 --- a/ssp_author_demo/test_system/ps/ps-1.md +++ b/ssp_author_demo/test_system/ps/ps-1.md @@ -1,7 +1,7 @@ --- sort-id: ps-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ps-1 - \[Personnel Security\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/ps/ps-2.md b/ssp_author_demo/test_system/ps/ps-2.md index f2901e3..5d604ff 100644 --- a/ssp_author_demo/test_system/ps/ps-2.md +++ b/ssp_author_demo/test_system/ps/ps-2.md 
@@ -1,7 +1,7 @@ --- sort-id: ps-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ps-2 - \[Personnel Security\] Position Risk Designation @@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Review and update position risk designations organization-defined frequency. -## Control Control Guidance +## Control Guidance Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions. diff --git a/ssp_author_demo/test_system/ps/ps-3.md b/ssp_author_demo/test_system/ps/ps-3.md index 2d1fb4b..eec440c 100644 --- a/ssp_author_demo/test_system/ps/ps-3.md +++ b/ssp_author_demo/test_system/ps/ps-3.md 
@@ -1,7 +1,7 @@ --- sort-id: ps-03 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ps-3 - \[Personnel Security\] Personnel Screening @@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Rescreen individuals in accordance with organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening. -## Control Control Guidance +## Control Guidance Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems. diff --git a/ssp_author_demo/test_system/ps/ps-4.md b/ssp_author_demo/test_system/ps/ps-4.md index 787de17..5bc42f8 100644 --- a/ssp_author_demo/test_system/ps/ps-4.md +++ b/ssp_author_demo/test_system/ps/ps-4.md @@ -1,7 +1,7 @@ --- sort-id: ps-04 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ps-4 - \[Personnel Security\] Personnel Termination 
@@ -20,7 +20,7 @@ Upon termination of individual employment: - \[e.\] Retain access to organizational information and systems formerly controlled by terminated individual. -## Control Control Guidance +## Control Guidance System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified. diff --git a/ssp_author_demo/test_system/ps/ps-5.md b/ssp_author_demo/test_system/ps/ps-5.md index be1ffd5..b489753 100644 --- a/ssp_author_demo/test_system/ps/ps-5.md +++ b/ssp_author_demo/test_system/ps/ps-5.md @@ -1,7 +1,7 @@ --- sort-id: ps-05 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ps-5 - \[Personnel Security\] Personnel Transfer 
@@ -16,7 +16,7 @@ x-trestle-sections: - \[d.\] Notify organization-defined personnel or roles within organization-defined time period. -## Control Control Guidance +## Control Guidance Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts. diff --git a/ssp_author_demo/test_system/ps/ps-6.md b/ssp_author_demo/test_system/ps/ps-6.md index 25a704b..c19f18e 100644 --- a/ssp_author_demo/test_system/ps/ps-6.md +++ b/ssp_author_demo/test_system/ps/ps-6.md @@ -1,7 +1,7 @@ --- sort-id: ps-06 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ps-6 - \[Personnel Security\] Access Agreements 
@@ -17,7 +17,7 @@ x-trestle-sections: - \[1.\] Sign appropriate access agreements prior to being granted access; and - \[2.\] Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or organization-defined frequency. -## Control Control Guidance +## Control Guidance Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. diff --git a/ssp_author_demo/test_system/ps/ps-7.md b/ssp_author_demo/test_system/ps/ps-7.md index 8c6afd4..4e075ef 100644 --- a/ssp_author_demo/test_system/ps/ps-7.md +++ b/ssp_author_demo/test_system/ps/ps-7.md @@ -1,7 +1,7 @@ --- sort-id: ps-07 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ps-7 - \[Personnel Security\] External Personnel Security 
@@ -18,7 +18,7 @@ x-trestle-sections: - \[e.\] Monitor provider compliance with personnel security requirements. -## Control Control Guidance +## Control Guidance External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals. diff --git a/ssp_author_demo/test_system/ps/ps-8.md b/ssp_author_demo/test_system/ps/ps-8.md index c7f6829..f38c705 100644 --- a/ssp_author_demo/test_system/ps/ps-8.md +++ b/ssp_author_demo/test_system/ps/ps-8.md @@ -1,7 +1,7 @@ --- sort-id: ps-08 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ps-8 - \[Personnel Security\] Personnel Sanctions 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Notify organization-defined personnel or roles within organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. -## Control Control Guidance +## Control Guidance Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. diff --git a/ssp_author_demo/test_system/ps/ps-9.md b/ssp_author_demo/test_system/ps/ps-9.md index 842516d..27ec15e 100644 --- a/ssp_author_demo/test_system/ps/ps-9.md +++ b/ssp_author_demo/test_system/ps/ps-9.md @@ -1,7 +1,7 @@ --- sort-id: ps-09 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ps-9 - \[Personnel Security\] Position Descriptions @@ -10,7 +10,7 @@ x-trestle-sections: Incorporate security and privacy roles and responsibilities into organizational position descriptions. -## Control Control Guidance +## Control Guidance Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles. diff --git a/ssp_author_demo/test_system/ra/ra-1.md b/ssp_author_demo/test_system/ra/ra-1.md index a4f1fce..a58a379 100644 --- a/ssp_author_demo/test_system/ra/ra-1.md +++ b/ssp_author_demo/test_system/ra/ra-1.md @@ -1,7 +1,7 @@ --- sort-id: ra-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ra-1 - \[Risk Assessment\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/ra/ra-2.md b/ssp_author_demo/test_system/ra/ra-2.md index 079ebd5..b8461f9 100644 --- a/ssp_author_demo/test_system/ra/ra-2.md +++ b/ssp_author_demo/test_system/ra/ra-2.md 
@@ -1,7 +1,7 @@ --- sort-id: ra-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ra-2 - \[Risk Assessment\] Security Categorization @@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. -## Control Control Guidance +## Control Guidance Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems. diff --git a/ssp_author_demo/test_system/ra/ra-3.1.md b/ssp_author_demo/test_system/ra/ra-3.1.md index 219ad02..531ab48 100644 --- a/ssp_author_demo/test_system/ra/ra-3.1.md +++ b/ssp_author_demo/test_system/ra/ra-3.1.md @@ -1,7 +1,7 @@ --- sort-id: ra-03.01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ra-3.1 - \[Risk Assessment\] Supply Chain Risk Assessment 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[(b)\] Update the supply chain risk assessment organization-defined frequency, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. -## Control Control Guidance +## Control Guidance Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required. diff --git a/ssp_author_demo/test_system/ra/ra-3.md b/ssp_author_demo/test_system/ra/ra-3.md index 8152b69..eb51bb0 100644 --- a/ssp_author_demo/test_system/ra/ra-3.md +++ b/ssp_author_demo/test_system/ra/ra-3.md @@ -1,7 +1,7 @@ --- sort-id: ra-03 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ra-3 - \[Risk Assessment\] Risk Assessment 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[f.\] Update the risk assessment organization-defined frequency or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. -## Control Control Guidance +## Control Guidance Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities. diff --git a/ssp_author_demo/test_system/ra/ra-5.11.md b/ssp_author_demo/test_system/ra/ra-5.11.md index 8cf3f52..d071610 100644 --- a/ssp_author_demo/test_system/ra/ra-5.11.md +++ b/ssp_author_demo/test_system/ra/ra-5.11.md @@ -1,7 +1,7 @@ --- sort-id: ra-05.11 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ra-5.11 - \[Risk Assessment\] Public Disclosure Program @@ -10,7 +10,7 @@ x-trestle-sections: Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. -## Control Control Guidance +## Control Guidance The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability. diff --git a/ssp_author_demo/test_system/ra/ra-5.2.md b/ssp_author_demo/test_system/ra/ra-5.2.md index 5e70db2..9537b0c 100644 --- a/ssp_author_demo/test_system/ra/ra-5.2.md +++ b/ssp_author_demo/test_system/ra/ra-5.2.md 
@@ -1,7 +1,7 @@ --- sort-id: ra-05.02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ra-5.2 - \[Risk Assessment\] Update Vulnerabilities to Be Scanned @@ -10,7 +10,7 @@ x-trestle-sections: Update the system vulnerabilities to be scanned organization-defined frequency ; prior to a new scan; when new vulnerabilities are identified and reported. -## Control Control Guidance +## Control Guidance Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner. diff --git a/ssp_author_demo/test_system/ra/ra-5.md b/ssp_author_demo/test_system/ra/ra-5.md index 3d41851..abaffab 100644 --- a/ssp_author_demo/test_system/ra/ra-5.md +++ b/ssp_author_demo/test_system/ra/ra-5.md @@ -1,7 +1,7 @@ --- sort-id: ra-05 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ra-5 - \[Risk Assessment\] Vulnerability Monitoring and Scanning 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[f.\] Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. -## Control Control Guidance +## Control Guidance Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers. diff --git a/ssp_author_demo/test_system/ra/ra-7.md b/ssp_author_demo/test_system/ra/ra-7.md index 1475489..81ae00f 100644 --- a/ssp_author_demo/test_system/ra/ra-7.md +++ b/ssp_author_demo/test_system/ra/ra-7.md @@ -1,7 +1,7 @@ --- sort-id: ra-07 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # ra-7 - \[Risk Assessment\] Risk Response 
@@ -10,7 +10,7 @@ x-trestle-sections: Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. -## Control Control Guidance +## Control Guidance Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated. diff --git a/ssp_author_demo/test_system/sa/sa-1.md b/ssp_author_demo/test_system/sa/sa-1.md index 8b330eb..b71b64f 100644 --- a/ssp_author_demo/test_system/sa/sa-1.md +++ b/ssp_author_demo/test_system/sa/sa-1.md @@ -1,7 +1,7 @@ --- sort-id: sa-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sa-1 - \[System and Services Acquisition\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/sa/sa-2.md b/ssp_author_demo/test_system/sa/sa-2.md index 0d17881..dc85e46 100644 --- a/ssp_author_demo/test_system/sa/sa-2.md 
+++ b/ssp_author_demo/test_system/sa/sa-2.md @@ -1,7 +1,7 @@ --- sort-id: sa-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sa-2 - \[System and Services Acquisition\] Allocation of Resources @@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation. -## Control Control Guidance +## Control Guidance Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle. diff --git a/ssp_author_demo/test_system/sa/sa-22.md b/ssp_author_demo/test_system/sa/sa-22.md index 60f4abe..c4acb0f 100644 --- a/ssp_author_demo/test_system/sa/sa-22.md +++ b/ssp_author_demo/test_system/sa/sa-22.md @@ -1,7 +1,7 @@ --- sort-id: sa-22 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sa-22 - \[System and Services Acquisition\] Unsupported System Components @@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Provide the following options for alternative sources for continued support for unsupported components in-house support; {{ insert: param, sa-22_prm_2 }} . -## Control Control Guidance +## Control Guidance Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. 
diff --git a/ssp_author_demo/test_system/sa/sa-3.md b/ssp_author_demo/test_system/sa/sa-3.md index 234e5b7..28ea484 100644 --- a/ssp_author_demo/test_system/sa/sa-3.md +++ b/ssp_author_demo/test_system/sa/sa-3.md @@ -1,7 +1,7 @@ --- sort-id: sa-03 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sa-3 - \[System and Services Acquisition\] System Development Life Cycle @@ -16,7 +16,7 @@ x-trestle-sections: - \[d.\] Integrate the organizational information security and privacy risk management process into system development life cycle activities. -## Control Control Guidance +## Control Guidance A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities. 
diff --git a/ssp_author_demo/test_system/sa/sa-4.10.md b/ssp_author_demo/test_system/sa/sa-4.10.md index bd45009..a8e3b14 100644 --- a/ssp_author_demo/test_system/sa/sa-4.10.md +++ b/ssp_author_demo/test_system/sa/sa-4.10.md @@ -1,7 +1,7 @@ --- sort-id: sa-04.10 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sa-4.10 - \[System and Services Acquisition\] Use of Approved PIV Products @@ -10,7 +10,7 @@ x-trestle-sections: Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. -## Control Control Guidance +## Control Guidance Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations. diff --git a/ssp_author_demo/test_system/sa/sa-4.md b/ssp_author_demo/test_system/sa/sa-4.md index d4bdd7e..1b376fa 100644 --- a/ssp_author_demo/test_system/sa/sa-4.md +++ b/ssp_author_demo/test_system/sa/sa-4.md @@ -1,7 +1,7 @@ --- sort-id: sa-04 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sa-4 - \[System and Services Acquisition\] Acquisition Process 
@@ -28,7 +28,7 @@ Include the following requirements, descriptions, and criteria, explicitly or by - \[i.\] Acceptance criteria. -## Control Control Guidance +## Control Guidance Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2). The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle. diff --git a/ssp_author_demo/test_system/sa/sa-5.md b/ssp_author_demo/test_system/sa/sa-5.md index 885d54d..d80c089 100644 --- a/ssp_author_demo/test_system/sa/sa-5.md +++ b/ssp_author_demo/test_system/sa/sa-5.md @@ -1,7 +1,7 @@ --- sort-id: sa-05 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sa-5 - \[System and Services Acquisition\] System Documentation 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[d.\] Distribute documentation to organization-defined personnel or roles. -## Control Control Guidance +## Control Guidance System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation. diff --git a/ssp_author_demo/test_system/sa/sa-8.md b/ssp_author_demo/test_system/sa/sa-8.md index de094ff..4eeda69 100644 --- a/ssp_author_demo/test_system/sa/sa-8.md +++ b/ssp_author_demo/test_system/sa/sa-8.md @@ -1,7 +1,7 @@ --- sort-id: sa-08 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sa-8 - \[System and Services Acquisition\] Security and Privacy Engineering Principles 
@@ -10,7 +10,7 @@ x-trestle-sections: Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: organization-defined systems security and privacy engineering principles. -## Control Control Guidance +## Control Guidance Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3)). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. diff --git a/ssp_author_demo/test_system/sa/sa-9.md b/ssp_author_demo/test_system/sa/sa-9.md index 5368052..0d1bc06 100644 --- a/ssp_author_demo/test_system/sa/sa-9.md +++ b/ssp_author_demo/test_system/sa/sa-9.md @@ -1,7 +1,7 @@ --- sort-id: sa-09 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sa-9 - \[System and Services Acquisition\] External System Services 
@@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: organization-defined processes, methods, and techniques. -## Control Control Guidance +## Control Guidance External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. diff --git a/ssp_author_demo/test_system/sc/sc-1.md b/ssp_author_demo/test_system/sc/sc-1.md index f08cf2a..79648a2 100644 --- a/ssp_author_demo/test_system/sc/sc-1.md +++ b/ssp_author_demo/test_system/sc/sc-1.md 
@@ -1,7 +1,7 @@ --- sort-id: sc-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sc-1 - \[System and Communications Protection\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/sc/sc-12.md b/ssp_author_demo/test_system/sc/sc-12.md index 80fc70b..663dc40 100644 
--- a/ssp_author_demo/test_system/sc/sc-12.md +++ b/ssp_author_demo/test_system/sc/sc-12.md @@ -1,7 +1,7 @@ --- sort-id: sc-12 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sc-12 - \[System and Communications Protection\] Cryptographic Key Establishment and Management @@ -10,7 +10,7 @@ x-trestle-sections: Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: organization-defined requirements for key generation, distribution, storage, access, and destruction. -## Control Control Guidance +## Control Guidance Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment. diff --git a/ssp_author_demo/test_system/sc/sc-13.md b/ssp_author_demo/test_system/sc/sc-13.md index 2a6373d..df2e115 100644 --- a/ssp_author_demo/test_system/sc/sc-13.md +++ b/ssp_author_demo/test_system/sc/sc-13.md @@ -1,7 +1,7 @@ --- sort-id: sc-13 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sc-13 - \[System and Communications Protection\] Cryptographic Protection 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Implement the following types of cryptography required for each specified cryptographic use: organization-defined types of cryptography for each specified cryptographic use. -## Control Control Guidance +## Control Guidance Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. diff --git a/ssp_author_demo/test_system/sc/sc-15.md b/ssp_author_demo/test_system/sc/sc-15.md index 408ed44..3a2d17b 100644 --- a/ssp_author_demo/test_system/sc/sc-15.md +++ b/ssp_author_demo/test_system/sc/sc-15.md @@ -1,7 +1,7 @@ --- sort-id: sc-15 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sc-15 - \[System and Communications Protection\] Collaborative Computing Devices and Applications 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Provide an explicit indication of use to users physically present at the devices. -## Control Control Guidance +## Control Guidance Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated. diff --git a/ssp_author_demo/test_system/sc/sc-20.md b/ssp_author_demo/test_system/sc/sc-20.md index a96c092..cda137e 100644 --- a/ssp_author_demo/test_system/sc/sc-20.md +++ b/ssp_author_demo/test_system/sc/sc-20.md @@ -1,7 +1,7 @@ --- sort-id: sc-20 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sc-20 - \[System and Communications Protection\] Secure Name/address Resolution Service (authoritative Source) 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. -## Control Control Guidance +## Control Guidance Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data. diff --git a/ssp_author_demo/test_system/sc/sc-21.md b/ssp_author_demo/test_system/sc/sc-21.md index 676e601..9e8450c 100644 --- a/ssp_author_demo/test_system/sc/sc-21.md +++ b/ssp_author_demo/test_system/sc/sc-21.md @@ -1,7 +1,7 @@ --- sort-id: sc-21 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sc-21 - \[System and Communications Protection\] Secure Name/address Resolution Service (recursive or Caching Resolver) 
@@ -10,7 +10,7 @@ x-trestle-sections: Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. -## Control Control Guidance +## Control Guidance Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data. diff --git a/ssp_author_demo/test_system/sc/sc-22.md b/ssp_author_demo/test_system/sc/sc-22.md index ded6a6a..49eff7b 100644 --- a/ssp_author_demo/test_system/sc/sc-22.md +++ b/ssp_author_demo/test_system/sc/sc-22.md @@ -1,7 +1,7 @@ --- sort-id: sc-22 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sc-22 - \[System and Communications Protection\] Architecture and Provisioning for Name/address Resolution Service 
@@ -10,7 +10,7 @@ x-trestle-sections: Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation. -## Control Control Guidance +## Control Guidance Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists). diff --git a/ssp_author_demo/test_system/sc/sc-39.md b/ssp_author_demo/test_system/sc/sc-39.md index 0c3d644..15c5b82 100644 --- a/ssp_author_demo/test_system/sc/sc-39.md +++ b/ssp_author_demo/test_system/sc/sc-39.md @@ -1,7 +1,7 @@ --- sort-id: sc-39 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sc-39 - \[System and Communications Protection\] Process Isolation 
@@ -10,7 +10,7 @@ x-trestle-sections: Maintain a separate execution domain for each executing system process. -## Control Control Guidance +## Control Guidance Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies. diff --git a/ssp_author_demo/test_system/sc/sc-5.md b/ssp_author_demo/test_system/sc/sc-5.md index a522147..0ba02d8 100644 --- a/ssp_author_demo/test_system/sc/sc-5.md +++ b/ssp_author_demo/test_system/sc/sc-5.md @@ -1,7 +1,7 @@ --- sort-id: sc-05 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sc-5 - \[System and Communications Protection\] Denial-of-service Protection 
@@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Employ the following controls to achieve the denial-of-service objective: organization-defined controls by type of denial-of-service event. -## Control Control Guidance +## Control Guidance Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events. diff --git a/ssp_author_demo/test_system/sc/sc-7.md b/ssp_author_demo/test_system/sc/sc-7.md index 30d4eac..474b13b 100644 --- a/ssp_author_demo/test_system/sc/sc-7.md +++ b/ssp_author_demo/test_system/sc/sc-7.md @@ -1,7 +1,7 @@ --- sort-id: sc-07 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sc-7 - \[System and Communications Protection\] Boundary Protection 
@@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. -## Control Control Guidance +## Control Guidance Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary). diff --git a/ssp_author_demo/test_system/si/si-1.md b/ssp_author_demo/test_system/si/si-1.md index 48517ec..d8fb9bd 100644 --- a/ssp_author_demo/test_system/si/si-1.md +++ b/ssp_author_demo/test_system/si/si-1.md 
@@ -1,7 +1,7 @@ --- sort-id: si-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # si-1 - \[System and Information Integrity\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. diff --git a/ssp_author_demo/test_system/si/si-12.md b/ssp_author_demo/test_system/si/si-12.md index 84dc655..9eb72c0 100644 
--- a/ssp_author_demo/test_system/si/si-12.md +++ b/ssp_author_demo/test_system/si/si-12.md @@ -1,7 +1,7 @@ --- sort-id: si-12 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # si-12 - \[System and Information Integrity\] Information Management and Retention 
@@ -10,7 +10,7 @@ x-trestle-sections: Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. -## Control Control Guidance +## Control Guidance Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8). 
diff --git a/ssp_author_demo/test_system/si/si-2.md b/ssp_author_demo/test_system/si/si-2.md index 1a2f06c..7358553 100644 --- a/ssp_author_demo/test_system/si/si-2.md +++ b/ssp_author_demo/test_system/si/si-2.md @@ -1,7 +1,7 @@ --- sort-id: si-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # si-2 - \[System and Information Integrity\] Flaw Remediation @@ -16,7 +16,7 @@ x-trestle-sections: - \[d.\] Incorporate flaw remediation into the organizational configuration management process. -## Control Control Guidance +## Control Guidance The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. diff --git a/ssp_author_demo/test_system/si/si-3.md b/ssp_author_demo/test_system/si/si-3.md index 54367dc..04076f2 100644 --- a/ssp_author_demo/test_system/si/si-3.md +++ b/ssp_author_demo/test_system/si/si-3.md @@ -1,7 +1,7 @@ --- sort-id: si-03 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # si-3 - \[System and Information Integrity\] Malicious Code Protection 
@@ -19,7 +19,7 @@ x-trestle-sections: - \[d.\] Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. -## Control Control Guidance +## Control Guidance System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. diff --git a/ssp_author_demo/test_system/si/si-4.md b/ssp_author_demo/test_system/si/si-4.md index 5a49098..199f242 100644 --- a/ssp_author_demo/test_system/si/si-4.md +++ b/ssp_author_demo/test_system/si/si-4.md @@ -1,7 +1,7 @@ --- sort-id: si-04 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # si-4 - \[System and Information Integrity\] System Monitoring 
@@ -28,7 +28,7 @@ x-trestle-sections: - \[g.\] Provide organization-defined system monitoring information to organization-defined personnel or roles as needed; {{ insert: param, si-4_prm_6 }} . -## Control Control Guidance +## Control Guidance System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. diff --git a/ssp_author_demo/test_system/si/si-5.md b/ssp_author_demo/test_system/si/si-5.md index 5953e42..29b507b 100644 --- a/ssp_author_demo/test_system/si/si-5.md +++ b/ssp_author_demo/test_system/si/si-5.md @@ -1,7 +1,7 @@ --- sort-id: si-05 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # si-5 - \[System and Information Integrity\] Security Alerts, Advisories, and Directives 
@@ -16,7 +16,7 @@ x-trestle-sections: - \[d.\] Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. -## Control Control Guidance +## Control Guidance The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations. diff --git a/ssp_author_demo/test_system/sr/sr-1.md b/ssp_author_demo/test_system/sr/sr-1.md index f492109..7d26ebf 100644 --- a/ssp_author_demo/test_system/sr/sr-1.md +++ b/ssp_author_demo/test_system/sr/sr-1.md @@ -1,7 +1,7 @@ --- sort-id: sr-01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sr-1 - \[Supply Chain Risk Management\] Policy and Procedures 
@@ -24,7 +24,7 @@ x-trestle-sections: - \[1.\] Policy organization-defined frequency and following organization-defined events; and - \[2.\] Procedures organization-defined frequency and following organization-defined events. -## Control Control Guidance +## Control Guidance Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. 
diff --git a/ssp_author_demo/test_system/sr/sr-10.md b/ssp_author_demo/test_system/sr/sr-10.md index 2e1c168..230760f 100644 --- a/ssp_author_demo/test_system/sr/sr-10.md +++ b/ssp_author_demo/test_system/sr/sr-10.md @@ -1,7 +1,7 @@ --- sort-id: sr-10 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sr-10 - \[Supply Chain Risk Management\] Inspection of Systems or Components @@ -10,7 +10,7 @@ x-trestle-sections: Inspect the following systems or system components at random; at {{ insert: param, sr-10_prm_2 }}, upon {{ insert: param, sr-10_prm_3 }} to detect tampering: organization-defined systems or system components. -## Control Control Guidance +## Control Guidance The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations. diff --git a/ssp_author_demo/test_system/sr/sr-11.1.md b/ssp_author_demo/test_system/sr/sr-11.1.md index d1cac2d..cde5693 100644 --- a/ssp_author_demo/test_system/sr/sr-11.1.md +++ b/ssp_author_demo/test_system/sr/sr-11.1.md @@ -1,7 +1,7 @@ --- sort-id: sr-11.01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sr-11.1 - \[Supply Chain Risk Management\] Anti-counterfeit Training @@ -10,7 +10,7 @@ x-trestle-sections: Train organization-defined personnel or roles to detect counterfeit system components (including hardware, software, and firmware). -## Control Control Guidance +## Control Guidance None. diff --git a/ssp_author_demo/test_system/sr/sr-11.2.md b/ssp_author_demo/test_system/sr/sr-11.2.md index 401962e..4073210 100644 --- a/ssp_author_demo/test_system/sr/sr-11.2.md +++ b/ssp_author_demo/test_system/sr/sr-11.2.md 
@@ -1,7 +1,7 @@ --- sort-id: sr-11.02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sr-11.2 - \[Supply Chain Risk Management\] Configuration Control for Component Service and Repair @@ -10,7 +10,7 @@ x-trestle-sections: Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: organization-defined system components. -## Control Control Guidance +## Control Guidance None. diff --git a/ssp_author_demo/test_system/sr/sr-11.md b/ssp_author_demo/test_system/sr/sr-11.md index 288df57..6375b1a 100644 --- a/ssp_author_demo/test_system/sr/sr-11.md +++ b/ssp_author_demo/test_system/sr/sr-11.md @@ -1,7 +1,7 @@ --- sort-id: sr-11 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sr-11 - \[Supply Chain Risk Management\] Component Authenticity @@ -12,7 +12,7 @@ x-trestle-sections: - \[b.\] Report counterfeit system components to source of counterfeit component; {{ insert: param, sr-11_prm_2 }} ; {{ insert: param, sr-11_prm_3 }} . -## Control Control Guidance +## Control Guidance Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA. diff --git a/ssp_author_demo/test_system/sr/sr-12.md b/ssp_author_demo/test_system/sr/sr-12.md index 2a335cc..14e4fa5 100644 --- a/ssp_author_demo/test_system/sr/sr-12.md +++ b/ssp_author_demo/test_system/sr/sr-12.md @@ -1,7 +1,7 @@ --- sort-id: sr-12 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sr-12 - \[Supply Chain Risk Management\] Component Disposal 
@@ -10,7 +10,7 @@ x-trestle-sections: Dispose of organization-defined data, documentation, tools, or system components using the following techniques and methods: organization-defined techniques and methods. -## Control Control Guidance +## Control Guidance Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market. diff --git a/ssp_author_demo/test_system/sr/sr-2.1.md b/ssp_author_demo/test_system/sr/sr-2.1.md index ad35c8c..0ceff7a 100644 --- a/ssp_author_demo/test_system/sr/sr-2.1.md +++ b/ssp_author_demo/test_system/sr/sr-2.1.md @@ -1,7 +1,7 @@ --- sort-id: sr-02.01 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sr-2.1 - \[Supply Chain Risk Management\] Establish Scrm Team 
@@ -10,7 +10,7 @@ x-trestle-sections: Establish a supply chain risk management team consisting of organization-defined personnel, roles, and responsibilities to lead and support the following SCRM activities: organization-defined supply chain risk management activities. -## Control Control Guidance +## Control Guidance To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team. diff --git a/ssp_author_demo/test_system/sr/sr-2.md b/ssp_author_demo/test_system/sr/sr-2.md index a6cb608..31ad041 100644 --- a/ssp_author_demo/test_system/sr/sr-2.md +++ b/ssp_author_demo/test_system/sr/sr-2.md @@ -1,7 +1,7 @@ --- sort-id: sr-02 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sr-2 - \[Supply Chain Risk Management\] Supply Chain Risk Management Plan 
@@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Protect the supply chain risk management plan from unauthorized disclosure and modification. -## Control Control Guidance +## Control Guidance The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions. diff --git a/ssp_author_demo/test_system/sr/sr-3.md b/ssp_author_demo/test_system/sr/sr-3.md index 6436e80..04d1e03 100644 --- a/ssp_author_demo/test_system/sr/sr-3.md +++ b/ssp_author_demo/test_system/sr/sr-3.md 
@@ -1,7 +1,7 @@ --- sort-id: sr-03 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sr-3 - \[Supply Chain Risk Management\] Supply Chain Controls and Processes @@ -14,7 +14,7 @@ x-trestle-sections: - \[c.\] Document the selected and implemented supply chain processes and controls in security and privacy plans; supply chain risk management plan; {{ insert: param, sr-3_prm_5 }} . -## Control Control Guidance +## Control Guidance Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain. diff --git a/ssp_author_demo/test_system/sr/sr-5.md b/ssp_author_demo/test_system/sr/sr-5.md index 61f1a51..b496de4 100644 --- a/ssp_author_demo/test_system/sr/sr-5.md +++ b/ssp_author_demo/test_system/sr/sr-5.md @@ -1,7 +1,7 @@ --- sort-id: sr-05 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sr-5 - \[Supply Chain Risk Management\] Acquisition Strategies, Tools, and Methods 
@@ -10,7 +10,7 @@ x-trestle-sections: Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: organization-defined acquisition strategies, contract tools, and procurement methods. -## Control Control Guidance +## Control Guidance The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements. diff --git a/ssp_author_demo/test_system/sr/sr-8.md b/ssp_author_demo/test_system/sr/sr-8.md index 73ef170..877c006 100644 --- a/ssp_author_demo/test_system/sr/sr-8.md +++ b/ssp_author_demo/test_system/sr/sr-8.md 
@@ -1,7 +1,7 @@ --- sort-id: sr-08 x-trestle-sections: - guidance: Control Guidance + guidance: Guidance --- # sr-8 - \[Supply Chain Risk Management\] Notification Agreements @@ -10,7 +10,7 @@ x-trestle-sections: Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the notification of supply chain compromises; results of assessments or audits; {{ insert: param, sr-8_prm_2 }} . -## Control Control Guidance +## Control Guidance The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.
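Review bot: In every `x-trestle-sections` hunk (sr-10, sr-11.1, sr-11.2, sr-11, sr-12, sr-2.1, sr-2, sr-3, sr-5, sr-8) the front-matter value becomes `guidance: Guidance` while the matching section heading in the same file is `## Control Guidance`; the two only agree if trestle 1.0.x prefixes "Control " to the section title when it renders the heading. Please confirm that is the case and say so in the commit message, otherwise a later regeneration of these demo files will emit `## Guidance` and the headings will drift again.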
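Review bot: The heading hunks (`-## Control Control Guidance` / `+## Control Guidance`) are the same mechanical fix repeated across every SR control file, so the change looks generated rather than hand-edited; the PR description should state that these markdown files were regenerated from the catalog with the 1.0.x tooling, so a reviewer knows the duplicated "Control Control" prefix was a generator artifact and will not come back on the next regeneration.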
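Review bot: Outside the changed lines, the context in the sr-11, sr-3 and sr-8 hunks shows rendered parameter insertions followed by a stray space before punctuation, e.g. `{{ insert: param, sr-8_prm_2 }} .` and `{{ insert: param, sr-11_prm_2 }} ;`; this is not introduced by this patch, but since the files are being regenerated anyway it is worth fixing the template so the space is not emitted.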